Download:
pdf |
pdfquestion question group
id
heading
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
original set
simple_question
name
C2M2_V11
Is there a documented cybersecurity risk management strategy?
C2M2_V11
Does the strategy provide an approach for risk prioritization, including consideration of
impact?
C2M2_V11
Are the organizational risk criteria defined and available?
C2M2_V11
C2M2_V11
Do you periodically update your risk management strategy to reflect the current threat
environment?
Does the organization categorize and document risks and is it used in risk management
activities?
C2M2_V11
Have cybersecurity risks been identified?
C2M2_V11
Are identified risks mitigated, accepted, tolerated, or transferred?
C2M2_V11
Are risk assessments performed to identify risks in accordance with the risk management
strategy?
C2M2_V11
Are identified risks documented?
C2M2_V11
Are identified risks analyzed to prioritize response activities in accordance with the risk
management strategy?
C2M2_V11
Are identified risks monitored in accordance with the risk management strategy?
C2M2_V11
C2M2_V11
Does the risk analysis process use information provided by network (IT and/or OT)
architecture?
Does your risk management program define and use policies and procedures that
implement the risk management strategy?
C2M2_V11
Is a recent cybersecurity architecture used to inform risk analysis?
C2M2_V11
Is a risk register (repository of identified risks) used to support risk management
activities?
C2M2_V11
Are documented practices followed for risk management activities?
�3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
C2M2_V11
Are stakeholders for risk management activities identified and involved?
C2M2_V11
Are adequate resources (people, funding, and tools) provided to support risk
management activities?
C2M2_V11
Have standards and/or guidelines been identified to inform risk management activities?
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
Are risk management activities guided by documented policies or other organizational
directives?
Do risk management policies include compliance requirements for specified standards
and/or guidelines?
Are risk management activities periodically reviewed to ensure conformance with policy?
Are responsibility and authority for the performance of risk management activities
assigned to personnel?
Do personnel performing risk management activities have the skills and knowledge
needed to perform their assigned responsibilities?
Is there an inventory of operations technology (OT) and information technology (IT)
assets that are important to the delivery of the function?
Is there an inventory of information assets that are important to the delivery of the
function?
When building an inventory of assets are information attributes to support cybersecurity
strategy included?
Are inventoried assets prioritized based on their importance to the delivery of the
function?
Is there an inventory for all connected information technology (IT) and operations
technology (OT) assets related to the delivery of the function?
C2M2_V11
Is the asset inventory current and complete?
C2M2_V11
When it is desirable to ensure that multiple inventoried assets are configured similarly,
are configuration baselines established?
C2M2_V11
Are configuration baselines used to configure assets at deployment?
C2M2_V11
Does the design of configuration baselines include cybersecurity objectives?
�3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
C2M2_V11
C2M2_V11
Is the configuration monitored for consistency with its baselines throughout the assets'
life cycle?
Are configuration baselines reviewed and updated at an organizationally-defined
frequency?
C2M2_V11
Are changes to inventoried assets evaluated before being implemented?
C2M2_V11
Are changes to inventoried assets logged?
C2M2_V11
Are changes to assets tested prior to being deployed, whenever possible?
C2M2_V11
Do change management practices address the full life cycle of assets?
C2M2_V11
Are changes to assets tested for cybersecurity impact prior to being deployed?
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
Do change logs include information about modifications that impact the cybersecurity
requirements of assets?
Are documented practices followed for asset inventory, configuration, and change
management activities?
Are stakeholders involved in activities such as asset inventory, configuration, and change
management?
Are adequate resources (people, funding, and tools) provided to support asset inventory,
configuration, and change management activities?
Have standards and/or guidelines been identified to inform asset inventory,
configuration, and change management activities?
Are asset inventory, configuration, and change management activities guided by
documented policies or other organizational directives?
Are asset inventory, configuration, and change management policies included in
compliance requirements for specified standards and/or guidelines?
Are asset inventory, configuration, and change management activities periodically
reviewed to ensure conformance with the policy?
Are responsibility and authority for the performance of asset inventory, configuration,
and change management activities assigned to personnel?
�3541
Configuration
Management
C2M2_V11
Do personnel performing asset inventory, configuration, and change management
activities have the skills and knowledge needed to perform their assigned responsibilities?
3542
Account Management
C2M2_V11
3543
Account Management
C2M2_V11
3544
Account Management
C2M2_V11
3545
Account Management
C2M2_V11
3546
Account Management
C2M2_V11
3547
Account Management
C2M2_V11
3548
Account Management
C2M2_V11
3549
Account Management
C2M2_V11
Are access requirements determined (including those for remote access)?
3550
Account Management
C2M2_V11
Is access granted to identities based on requirements?
3551
Account Management
C2M2_V11
Is access revoked when no longer required?
3552
Account Management
C2M2_V11
Do your access requirements incorporate least privilege and separation of duties
principles?
3553
Account Management
C2M2_V11
Are access requests reviewed and approved by the asset owner?
3554
Account Management
C2M2_V11
3555
Account Management
C2M2_V11
3556
Account Management
C2M2_V11
Are identities provisioned for personnel and other entities (e.g., services, devices) who
require access to assets? (note that this does not preclude shared identities)
Are credentials issued for personnel and other entities that require access to assets? (e.g.,
passwords, smart cards, certificates, keys)
Are identities removed when no longer required?
Are identity repositories periodically reviewed and updated to ensure validity? (i.e., to
ensure that the identities still need access)
Are credentials periodically reviewed to ensure that they are associated with the correct
person or entity?
Are identities deprovisioned within organizationally defined time thresholds when no
longer required?
Are requirements or credentials informed by the organization's risk criteria? (e.g.,
multifactor credentials for higher risk access)
Do root privileges, administrative access, emergency access, and shared accounts receive
additional scrutiny and monitoring?
Are access privileges reviewed and updated to ensure validity, at an organizationally
defined frequency?
Is access to assets granted by the asset owner based on risk to the function?
�3557
Account Management
C2M2_V11
Are anomalous access attempts monitored as indicators of cybersecurity events?
3558
Access Control
C2M2_V11
Are documented practices followed to establish and maintain identities and control
access?
3559
Access Control
C2M2_V11
Are stakeholders identified and involved in access and identity management activities?
3560
Access Control
C2M2_V11
3561
Access Control
C2M2_V11
3562
Access Control
C2M2_V11
3563
Access Control
C2M2_V11
3564
Access Control
C2M2_V11
3565
Access Control
C2M2_V11
3566
Access Control
C2M2_V11
3567
System Integrity
C2M2_V11
3568
System Integrity
C2M2_V11
3569
System Integrity
C2M2_V11
3570
System Integrity
C2M2_V11
3571
System Integrity
C2M2_V11
3572
3573
System Integrity
System Integrity
C2M2_V11
C2M2_V11
Are adequate resources (people, funding, and tools) provided to support access and
identity management activities?
Have standards and/or guidelines been identified to inform access and identity
management activities?
Are access and identity management activities guided by documented policies or other
organizational directives?
Do access and identity management policies include compliance requirements for
specified standards and/or guidelines?
Are access and identity management activities periodically reviewed to ensure
conformance with policy?
Do personnel have responsibility and authority for the performance of access and identity
management activities assigned to them?
Do personnel that are performing access and identity management activities have the
skills and knowledge needed to perform their assigned responsibilities?
Are information sources to support threat management activities identified? (e.g., USCERT, ISACs, ICS-CERT, industry associations, vendors, federal briefings)
Is cybersecurity threat information gathered and interpreted for the function?
Are threats that are considered important to the function addressed? (e.g., implement
mitigating controls, monitor threat status)
Is a threat profile for the function established that includes characterization of likely
intent, capability, and target of threats?
Are threat information sources that address all components of the threat profile
prioritized and monitored?
Are identified threats analyzed and prioritized?
Are threats addressed according to the assigned priority?
3574
System Integrity
C2M2_V11
Is the threat profile for the function validated at an organizationally-defined frequency?
�3575
System Integrity
C2M2_V11
3576
System Integrity
C2M2_V11
3577
System Integrity
C2M2_V11
3578
System Integrity
C2M2_V11
3579
System Integrity
C2M2_V11
3580
System Integrity
C2M2_V11
3581
System Integrity
C2M2_V11
3582
System Integrity
C2M2_V11
3583
System Integrity
C2M2_V11
Are analysis and prioritization of threats informed by the function's or organization's risk
criteria?
Is threat information added to the risk register?
Are information sources to support cybersecurity vulnerability discovery identified? (e.g.,
US-CERT, ISACs, ICS-CERT, industry associations, vendors, federal briefings, internal
assessments)
Is cybersecurity vulnerability information gathered and interpreted for the function?
Are cybersecurity vulnerabilities which are considered important to the function
addressed? (e.g., implement mitigating controls, apply cybersecurity patches)
Are cybersecurity vulnerability information sources that address all assets important to
the function monitored?
Are cybersecurity vulnerability assessments performed? (e.g., architectural reviews,
penetration testing, cybersecurity exercises, vulnerability identification tools)
Are identified cybersecurity vulnerabilities analyzed and prioritized? (e.g., NIST Common
Vulnerability Scoring System could be used for patches)
Are cybersecurity vulnerabilities addressed according to the assigned priority?
3584
System Integrity
C2M2_V11
Is operational impact to the function evaluated prior to deploying cybersecurity patches?
3585
3586
3587
3588
3589
3590
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
Are cybersecurity vulnerability assessments performed for all assets important to the
delivery of the function, at an organization-defined frequency?
Are cybersecurity vulnerability assessments informed by the function's (or organization's)
risk criteria?
Are cybersecurity vulnerability assessments performed by parties that are independent of
the operations of the function?
Are analysis and prioritization of cybersecurity vulnerabilities informed by the function's
(or organization's) risk criteria?
C2M2_V11
Is cybersecurity vulnerability information added to the risk register?
C2M2_V11
Do risk monitoring activities validate the responses to cybersecurity vulnerabilities? (e.g.,
deployment of patches or other activities)
3591
System Integrity
C2M2_V11
Are documented practices followed for threat and vulnerability management activities?
3592
System Integrity
C2M2_V11
Do stakeholders identify and are they involved with threat and vulnerability management
activities?
�3593
System Integrity
C2M2_V11
3594
System Integrity
C2M2_V11
3595
Monitoring & Malware C2M2_V11
3596
Monitoring & Malware C2M2_V11
3597
Monitoring & Malware C2M2_V11
3598
Monitoring & Malware C2M2_V11
3599
Monitoring & Malware C2M2_V11
3600
Audit and
Accountability
3601
Audit and
Accountability
3602
3603
3604
3605
3606
3607
3608
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Are adequate resources (people, funding, and tools) are provided to support threat and
vulnerability management activities?
Have standards and/or guidelines been identified to inform threat and vulnerability
management activities?
Are threat and vulnerability management activities guided by documented policies or
other organizational directives?
Do threat and vulnerability management policies include compliance requirements for
specified standards and/or guidelines?
Are threat and vulnerability management activities periodically reviewed to ensure
conformance with policy?
Are responsibility and authority for the performance of threat and vulnerability
management activities assigned to personnel?
Do personnel performing threat and vulnerability management activities have the skills
and knowledge needed to perform their assigned responsibilities?
C2M2_V11
Are logs being generated for assets important to the function where possible?
C2M2_V11
Have logging requirements been defined for all assets important to the function? (e.g.,
scope of activity and coverage of assets, cybersecurity requirements [confidentiality,
integrity, availability])
C2M2_V11
Are log data being aggregated within the function?
C2M2_V11
Are logging requirements based on risk to the function?
C2M2_V11
Does log data support other business and security processes? (e.g., incident response,
asset management)
C2M2_V11
Are cybersecurity monitoring activities performed? (e.g., periodic reviews of log data)
C2M2_V11
C2M2_V11
C2M2_V11
Are operational environments monitored for anomalous behavior that may indicate a
cybersecurity event?
Have monitoring and analysis requirements been defined for the function and address
timely review of event data?
Are alarms and alerts configured to aid in the identification of cybersecurity events?
�3609
3610
3611
3612
3613
3614
3615
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
C2M2_V11
Have indicators of anomalous activity been defined and are monitored across the
operational environment?
C2M2_V11
Are monitoring activities aligned with the function's threat profile?
C2M2_V11
Are monitoring requirements based on the risk to the function?
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
3616
System Integrity
C2M2_V11
3617
System Integrity
C2M2_V11
3618
System Integrity
C2M2_V11
3619
System Integrity
C2M2_V11
3620
System Integrity
C2M2_V11
3621
System Integrity
C2M2_V11
3622
System Integrity
C2M2_V11
3623
System Integrity
C2M2_V11
3624
System Integrity
C2M2_V11
Is monitoring integrated with other business and security processes? (e.g., incident
response, asset management)
Is continuous monitoring performed across the operational environment to identify
anomalous activity?
Is risk register (a structured repository of identified risks. See RM-2j) content used to
identify indicators of anomalous activity?
Are alarms and alerts configured according to indicators of anomalous activity?
Are methods of communicating the current cybersecurity state for the function
established and maintained?
Are monitoring data aggregated to provide an understanding of the operational state of
the function? (i.e., a common operating picture (COP) which may or may not include
visualization or be presented graphically)
Is information from across the organization available to enhance the common operating
picture?
Are aggregated monitoring data used to provide near-real-time understanding of the
cybersecurity state for the function in order to enhance the common operating picture?
Is information from outside the organization collected to enhance the common operating
picture?
Are predefined states of operation defined and invoked (manual or automated) based on
the common operating picture?
Are documented practices followed for logging, monitoring, and COP activities?
Are stakeholders identified and become involved in logging, monitoring, and COP
activities?
Are adequate resources (people, funding, and tools) provided to support logging,
monitoring, and COP activities?
�3625
System Integrity
C2M2_V11
3626
System Integrity
C2M2_V11
3627
System Integrity
C2M2_V11
3628
System Integrity
C2M2_V11
3629
System Integrity
C2M2_V11
3630
System Integrity
C2M2_V11
3631
System Integrity
C2M2_V11
3632
System Integrity
C2M2_V11
3633
System Integrity
C2M2_V11
3634
System Integrity
C2M2_V11
3635
System Integrity
C2M2_V11
3636
System Integrity
C2M2_V11
3637
System Integrity
C2M2_V11
3638
System Integrity
C2M2_V11
3639
System Integrity
C2M2_V11
3640
System Integrity
C2M2_V11
3641
System Integrity
C2M2_V11
3642
System Integrity
C2M2_V11
Have standards and/or guidelines been identified to inform logging, monitoring, and COP
activities?
Are logging, monitoring, and COP activities guided by documented policies or other
organizational directives?
Do logging, monitoring, and COP policies include compliance requirements for specified
standards and/or guidelines?
Are logging, monitoring, and COP activities periodically reviewed to ensure conformance
with policy?
Are responsibility and authority for the performance of logging, monitoring, and COP
activities assigned to personnel?
Do personnel performing logging, monitoring, and COP activities have the skills and
knowledge needed to perform their assigned responsibilities?
Is information collected from and provided to selected individuals and/or organizations?
Is the responsibility for cybersecurity reporting assigned to personnel? (e.g., internal
reporting, ICS-CERT, law enforcement)
Are information-sharing stakeholders identified based on their relevance to the continued
operation of the function? (e.g., connected organizations, vendors, sector organizations,
regulators, internal entities)
Is information collected from and provided to identified information-sharing
stakeholders?
Are technical sources identified that can be consulted on cybersecurity issues?
Are provisions established and maintained to enable secure sharing of sensitive or
classified information?
Do information-sharing practices address standard and emergency operations?
Are information-sharing stakeholders identified based on shared interest and risk to
critical infrastructure?
Does the function or the organization participate with information sharing and analysis
centers?
Have information-sharing requirements and the timely dissemination of cybersecurity
information for the function been defined and addressed?
Are procedures in place to analyze and coordinate received information?
Have a network of internal and external trust relationships (formal and/or informal) been
established to vet and validate cyber events?
�3643
3644
System Integrity
System Integrity
C2M2_V11
C2M2_V11
3645
System Integrity
C2M2_V11
3646
System Integrity
C2M2_V11
3647
System Integrity
C2M2_V11
3648
System Integrity
C2M2_V11
3649
System Integrity
C2M2_V11
3650
System Integrity
C2M2_V11
3651
System Integrity
C2M2_V11
3652
System Integrity
C2M2_V11
3653
Incident Response
C2M2_V11
3654
3655
Incident Response
Incident Response
C2M2_V11
C2M2_V11
3656
Incident Response
C2M2_V11
3657
Incident Response
C2M2_V11
3658
Incident Response
C2M2_V11
3659
Incident Response
C2M2_V11
Are documented practices followed for information-sharing activities?
Are stakeholders for information-sharing activities identified and involved?
Are adequate resources (people, funding, and tools) provided to support informationsharing activities?
Have standards and/or guidelines been identified to inform information-sharing
activities?
Are information-sharing activities guided by documented policies or other organizational
directives?
Do information-sharing policies include compliance requirements for specified standards
and/or guidelines?
Are information-sharing activities periodically reviewed to ensure conformance with
policy?
Are responsibility and authority for the performance of information-sharing activities
assigned to personnel?
Do personnel performing information-sharing activities have the skills and knowledge
needed to perform their assigned responsibilities?
Do information-sharing policies address protected information and ethical use and
sharing of information, including sensitive and classified information as appropriate?
Is there a point of contact (person or role) to whom cybersecurity events could be
reported?
Are detected cybersecurity events reported?
Are cybersecurity events logged and tracked?
Are criteria established for cybersecurity event detection? (e.g., what constitutes an
event, where to look for events)
Is there a repository where cybersecurity events are logged based on the established
criteria?
Is event information correlated to support incident analysis by identifying patterns,
trends, and other common features?
Are cybersecurity event detection activities adjusted based on information from the
organization's risk register (a structured repository of identified risks, see RM-2j) and
threat profile (including characterization of likely intent, capability, and target of threats
to the function, see TVM-1d) to help detect known threats and monitor for identified
risks?
�3660
Incident Response
C2M2_V11
3661
Incident Response
C2M2_V11
3662
Incident Response
C2M2_V11
3663
Incident Response
C2M2_V11
3664
Incident Response
C2M2_V11
3665
Incident Response
C2M2_V11
3666
Incident Response
C2M2_V11
3667
Incident Response
C2M2_V11
3668
Incident Response
C2M2_V11
3669
Incident Response
C2M2_V11
3670
Incident Response
C2M2_V11
3671
Incident Response
C2M2_V11
3672
Incident Response
C2M2_V11
3673
Incident Response
C2M2_V11
3674
Incident Response
C2M2_V11
3675
Incident Response
C2M2_V11
3676
Incident Response
C2M2_V11
Is the common operating picture for the function monitored to support the identification
of cybersecurity events?
Are criteria for cybersecurity event escalation established, including cybersecurity
incident declaration criteria?
Are cybersecurity events analyzed to support escalation and the declaration of
cybersecurity incidents?
Are escalated cybersecurity events and incidents logged and tracked?
Are criteria for cybersecurity event escalation (including cybersecurity incident criteria)
established based on the potential impact to the function?
Are criteria for cybersecurity event escalation (including cybersecurity incident
declaration criteria) updated at an organizationally-defined frequency?
Is there a repository where escalated cybersecurity events and incidents are logged and
tracked to closure?
Are criteria for cybersecurity event escalation (including cybersecurity incident
declaration criteria) adjusted according to information from the organization's risk
register (RM-2j) and threat profile (TVM-1d)?
Do escalated cybersecurity events and declared cybersecurity incidents inform the
common operating picture (COP) (SA-3a) for the function?
Are escalated cybersecurity events and declared incidents correlated to support the
discovery of patterns, trends, and other common features?
Are cybersecurity event and incident response personnel identified and roles assigned?
Are responses to escalated cybersecurity events and incidents implemented to limit
impact to the function and restore normal operations?
Is reporting of escalated cybersecurity events and incidents performed? (e.g., internal
reporting, ICS-CERT, relevant ISACs)
Is cybersecurity event and incident response performed according to defined procedures
that address all phases of the incident life cycle? (e.g., triage, handling, communication,
coordination, and closure)
Are cybersecurity event and incident response plans exercised at an organizationallydefined frequency?
Do cybersecurity event and incident response plans address information technology (IT)
and operations technology (OT) assets important to the delivery of the function?
Is training conducted for cybersecurity event and incident response teams?
�3677
Incident Response
C2M2_V11
3678
Incident Response
C2M2_V11
3679
Incident Response
C2M2_V11
3680
Incident Response
C2M2_V11
3681
Incident Response
C2M2_V11
3682
Incident Response
C2M2_V11
3683
Incident Response
C2M2_V11
3684
Incident Response
C2M2_V11
3685
Continuity
C2M2_V11
3686
Continuity
C2M2_V11
3687
3688
Continuity
Continuity
C2M2_V11
C2M2_V11
3689
Continuity
C2M2_V11
3690
3691
Continuity
Continuity
C2M2_V11
C2M2_V11
3692
Continuity
C2M2_V11
Are cybersecurity event and incident root-cause analysis and lessons-learned activities
performed, and corrective actions taken?
Are cybersecurity event and incident responses coordinated with law enforcement and
other government entities as appropriate, including support for evidence collection and
preservation?
Do cybersecurity event and incident response personnel participate in joint cybersecurity
exercises with other organizations? (e.g., table top, simulated incidents)
Are cybersecurity event and incident response plans reviewed and updated at an
organizationally-defined frequency?
Are cybersecurity event and incident response activities coordinated with relevant
external entities?
Are cybersecurity event and incident response plans aligned with the function's risk
criteria (RM-1c) and threat profile (TVM-1d)?
Do policies and procedures for reporting cybersecurity event and incident information to
designated authorities conform with applicable laws, regulations, and contractual
agreements?
Are restored assets configured appropriately and inventory information updated
following execution of response plans?
Are the necessary activities identified to sustain minimum operations of the function?
Is the sequence of necessary activities identified to return the function to normal
operation?
Are continuity plans developed to sustain and restore operation of the function?
Do business impact analyses inform the development of continuity plans?
Are recovery time objectives (RTO) and recovery point objectives (RPO) for the function
incorporated into continuity plans?
Are continuity plans evaluated and exercised?
Are business impact analyses periodically reviewed and updated?
Are recovery time objective (RTO) and recovery point objectives (RPO) aligned with the
function's risk criteria (objective criteria that the organization uses for evaluating,
categorizing, and prioritizing operational risks based on impact, tolerance for risk, and risk
response approaches, see RM-1c)?
�3693
Continuity
C2M2_V11
3694
Continuity
C2M2_V11
3695
Continuity
C2M2_V11
3696
Continuity
C2M2_V11
3697
Continuity
C2M2_V11
3698
Continuity
C2M2_V11
3699
Continuity
C2M2_V11
3700
Continuity
C2M2_V11
3701
Continuity
C2M2_V11
3702
Continuity
C2M2_V11
3703
Continuity
C2M2_V11
3704
Continuity
C2M2_V11
3705
System and Services
Acquisition
C2M2_V11
3706
3707
System and Services
Acquisition
System and Services
Acquisition
C2M2_V11
C2M2_V11
Are the results of continuity plan testing and/or activation compared to recovery
objectives, and plans are improved accordingly?
Are continuity plans periodically reviewed and updated?
Are restored assets configured appropriately and inventory information updated
following execution of the continuity plans?
Are documented practices followed for cybersecurity event and incident response as well
as continuity of operations activities?
Are stakeholders for cybersecurity event and incident response as well as continuity of
operations activities identified and involved?
Are adequate resources (people, funding, and tools) provided to support cybersecurity
event and incident response as well as continuity of operations activities?
Have standards and/or guidelines been identified to inform cybersecurity event and
incident response as well as continuity of operations activities?
Are cybersecurity event and incident response as well as continuity of operations
activities guided by documented policies or other organizational directives?
Do cybersecurity event and incident response as well as continuity of operations policies
include compliance requirements for specified standards and/or guidelines?
Are cybersecurity event and incident response as well as continuity of operations
activities periodically reviewed to ensure conformance with policy?
Are responsibility and authority for the performance of cybersecurity event and incident
response as well as continuity of operations activities assigned to personnel?
Do personnel performing cybersecurity event and incident response as well as continuity
of operations activities have the skills and knowledge needed to perform their assigned
responsibilities?
Are important information technology (IT) and operations technology (OT) supplier
dependencies identified? (e.g., external parties on which the delivery of the function
depend, including operating partners)
Are important customer dependencies identified? (e.g., external parties that are
dependent on the delivery of the function, including operating partners)
Are supplier dependencies identified according to established criteria?
�3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
C2M2_V11
Are customer dependencies identified according to established criteria?
C2M2_V11
Are single source and other essential dependencies identified?
C2M2_V11
Are dependencies prioritized?
C2M2_V11
C2M2_V11
C2M2_V11
Is dependency prioritization and identification based on the function's or organization's
risk criteria (RM-1c)?
Are significant cybersecurity risks due to suppliers and other dependencies identified and
addressed?
Are cybersecurity requirements considered when establishing relationships with suppliers
and other third parties?
C2M2_V11
Are identified cybersecurity dependency risks entered into the risk register (RM-2j)?
C2M2_V11
Do contracts and agreements with third parties incorporate sharing of cybersecurity
threat information?
C2M2_V11
Are cybersecurity requirements established for suppliers according to a defined practice,
including requirements for secure software development practices where appropriate?
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
Do agreements with suppliers and other external entities include cybersecurity
requirements?
Do evaluation and selection of suppliers and other external entities include consideration
of their ability to meet cybersecurity requirements?
Do agreements with suppliers require notification of cybersecurity incidents related to
the delivery of the product or service?
Are suppliers and other external entities periodically reviewed for their ability to
continually meet the cybersecurity requirements?
Are cybersecurity risks due to external dependencies managed according to the
organization's risk management criteria and process?
Are cybersecurity requirements established for supplier dependencies based on the
organization's risk criteria (RM-1c)?
Do agreements with suppliers require notification of vulnerability-inducing product
defects throughout the intended life cycle of delivered products?
�3735
3736
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Organizational
Organizational
3737
Organizational
C2M2_V11
3738
Organizational
C2M2_V11
3739
Organizational
C2M2_V11
3740
Organizational
C2M2_V11
3741
Organizational
C2M2_V11
3742
Personnel
C2M2_V11
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
C2M2_V11
C2M2_V11
Does acceptance testing of procured assets include testing for cybersecurity
requirements?
Are information sources monitored to identify and avoid supply chain threats? (e.g.,
counterfeit parts, software, and services)
C2M2_V11
Are documented practices followed for managing dependency risk?
C2M2_V11
Are stakeholders for managing dependency risk identified and involved?
C2M2_V11
Are adequate resources (people, funding, and tools) provided to support dependency risk
management activities?
C2M2_V11
Have standards and/or guidelines been identified to inform managing dependency risk?
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
Are dependency risk management activities guided by documented policies or other
organizational directives?
Do dependency risk management policies include compliance requirements for specified
standards and/or guidelines?
Are dependency risk management activities periodically reviewed to ensure conformance
with policy?
Are responsibility and authority for the performance of dependency risk management
assigned to personnel?
Do personnel performing dependency risk management have the skills and knowledge
needed to perform their assigned responsibilities?
Are cybersecurity responsibilities for the function identified?
Are cybersecurity responsibilities assigned to specific people?
Are cybersecurity responsibilities assigned to specific roles, including external service
providers?
Are cybersecurity responsibilities documented? (e.g., in position descriptions)
Are cybersecurity responsibilities and job requirements reviewed and updated as
appropriate?
Are cybersecurity responsibilities included in job performance evaluation criteria?
Are assigned cybersecurity responsibilities managed to ensure adequacy and redundancy
of coverage?
Is personnel vetting (e.g., background checks, drug tests) performed at hire for positions
that have access to the assets required for delivery of the function?
�3743
Personnel
C2M2_V11
3744
Personnel
C2M2_V11
3745
Personnel
C2M2_V11
3746
Personnel
C2M2_V11
3747
Personnel
C2M2_V11
3748
Personnel
C2M2_V11
3749
Personnel
C2M2_V11
3750
Training
C2M2_V11
3751
3752
Training
Training
C2M2_V11
C2M2_V11
3753
Training
C2M2_V11
3754
Training
C2M2_V11
3755
Training
C2M2_V11
3756
Training
C2M2_V11
3757
Training
C2M2_V11
3758
Training
C2M2_V11
3759
3760
Training
Training
C2M2_V11
C2M2_V11
Do personnel termination procedures address cybersecurity?
Is personnel vetting performed at an organizationally-defined frequency for positions that
have access to the assets required for delivery of the function?
Do personnel transfer procedures address cybersecurity?
Are risk designations assigned to all positions that have access to the assets required for
delivery of the function?
Is vetting performed for all positions (including employees, vendors, and contractors) at a
level commensurate with position risk designation?
Is succession planning performed for personnel based on risk designation?
Is a formal accountability process (including disciplinary actions) implemented for
personnel who fail to comply with established security policies and procedures?
Is cybersecurity training made available to personnel with assigned cybersecurity
responsibilities?
Are cybersecurity knowledge, skill, and ability gaps identified?
Are identified gaps addressed through recruiting and/or training?
Is cybersecurity training provided as a prerequisite to granting access to assets that
support the delivery of the function? (e.g., new personnel training, personnel transfer
training)
Are cybersecurity workforce management objectives that support current and future
operational needs established and maintained?
Are recruiting and retention aligned to support cybersecurity workforce management
objectives?
Are training programs aligned to support cybersecurity workforce management
objectives?
Is the effectiveness of training programs evaluated at an organizationally-defined
frequency and are improvements made as appropriate?
Do training programs include continuing education and professional development
opportunities for personnel with significant cybersecurity responsibilities?
Do any cybersecurity awareness activities occur?
Are objectives for cybersecurity awareness activities established and maintained?
3761
Training
C2M2_V11
Is cybersecurity awareness content based on the organization's threat profile (TVM-1d)?
3762
Training
C2M2_V11
Are cybersecurity awareness activities aligned with the predefined states of operation (SA3f)?
�3763
Training
C2M2_V11
Is the effectiveness of cybersecurity awareness activities evaluated at an organizationallydefined frequency and are improvements made as appropriate?
3764
Incident Response
C2M2_V11
Are documented practices followed for cybersecurity workforce management activities?
3765
Incident Response
C2M2_V11
3766
Incident Response
C2M2_V11
3767
Incident Response
C2M2_V11
3768
Incident Response
C2M2_V11
3769
Incident Response
C2M2_V11
3770
Incident Response
C2M2_V11
3771
Incident Response
C2M2_V11
3772
Incident Response
C2M2_V11
3773
3774
3775
3776
3777
3778
3779
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
Are stakeholders for cybersecurity workforce management activities identified and
involved?
Are adequate resources (people, funding, and tools) provided to support cybersecurity
workforce management activities?
Have standards and/or guidelines been identified to inform cybersecurity workforce
management activities?
Are cybersecurity workforce management activities guided by documented policies or
other organizational directives?
Do cybersecurity workforce management policies include compliance requirements for
specified standards and/or guidelines?
Are cybersecurity workforce management activities periodically reviewed to ensure
conformance with policy?
Are responsibility and authority for the performance of cybersecurity workforce
management activities assigned to personnel?
Do personnel performing cybersecurity workforce management activities have the skills
and knowledge needed to perform their assigned responsibilities?
Does the organization have a cybersecurity program strategy?
Does the cybersecurity program strategy define objectives for the organization's
cybersecurity activities?
Are the cybersecurity program strategy and priorities documented and aligned with the
organization's strategic objectives and risk to critical infrastructure?
Does the cybersecurity program strategy define the organization's approach to provide
program oversight and governance for cybersecurity activities?
Does the cybersecurity program strategy define the structure and organization of the
cybersecurity program?
C2M2_V11
Is the cybersecurity program strategy approved by senior management?
C2M2_V11
Is the cybersecurity program strategy updated to reflect business changes, changes in the
operating environment, and changes in the threat profile (TVM-1d)?
�3780
Organizational
C2M2_V11
3781
Organizational
C2M2_V11
3782
Organizational
C2M2_V11
3783
Organizational
C2M2_V11
3784
Organizational
C2M2_V11
3785
Organizational
C2M2_V11
3786
Organizational
C2M2_V11
Are resources (people, tools, and funding) provided to support the cybersecurity
program?
Does senior management provide sponsorship for the cybersecurity program?
Is the cybersecurity program established according to the cybersecurity program
strategy?
Are adequate funding and other resources (e.g., people and tools) provided to establish
and operate a cybersecurity program aligned with the program strategy?
Is senior management sponsorship for the cybersecurity program visible and active? (i.e.,
the importance and value of cybersecurity activities is regularly communicated by senior
management)
If the organization develops or procures software, are secure software development
practices sponsored as an element of the cybersecurity program?
Is the development and maintenance of cybersecurity policies sponsored?
3787
Organizational
C2M2_V11
Is responsibility for the cybersecurity program assigned to a role with requisite authority?
3788
Organizational
C2M2_V11
3789
Organizational
C2M2_V11
3790
Organizational
C2M2_V11
3791
Organizational
C2M2_V11
3792
Organizational
C2M2_V11
3793
System Protection
C2M2_V11
3794
System Protection
C2M2_V11
Is architectural segmentation and isolation maintained according to a documented plan?
3795
Organizational
C2M2_V11
3796
System Integrity
C2M2_V11
Is cybersecurity architecture updated at an organizationally-defined frequency?
Is software to be deployed on assets that are important to the delivery of the function
developed using secure software development practices?
Is the performance of the cybersecurity program monitored to ensure it aligns with the
cybersecurity program strategy?
Is the cybersecurity program independently reviewed for achievement of cybersecurity
program objectives? (i.e., by reviewers who are not in the program)
Does the cybersecurity program address and enable the achievement of regulatory
compliance as appropriate?
Does the cybersecurity program monitor and/or participate in selected industry
cybersecurity standards or initiatives?
Is a strategy to architecturally isolate the organization's IT systems from OT systems
implemented?
Is a cybersecurity architecture in place to enable segmentation, isolation, and other
requirements that support the cybersecurity strategy?
�3797
System Integrity
C2M2_V11
Do policies require that software that is to be deployed on assets that are important to
the delivery of the function be developed using secure software development practices?
3798
Organizational
C2M2_V11
Are documented practices followed for cybersecurity program management activities?
3799
Organizational
C2M2_V11
3800
Organizational
C2M2_V11
3801
Organizational
C2M2_V11
3802
Organizational
C2M2_V11
3803
Organizational
C2M2_V11
1259
Account Management
C800_53_R3
1260
Account Management
C800_53_R3
Is the normal time-of-day and duration usage for accounts determined?
1261
Account Management
C800_53_R3
Is the atypical usage of accounts monitored?
1262
Account Management
C800_53_R3
Is the atypical usage of accounts reported to designated officials?
1263
Account Management
C800_53_R3
Are user privileges and associated access authorizations dynamically managed?
1269
Account Management
C800_53_R3
Is the separation of duties documented?
1270
Access Control
C800_53_R3
1271
Access Control
C800_53_R3
1272
Access Control
C800_53_R3
Are stakeholders for cybersecurity program management activities identified and
involved?
Have standards and/or guidelines been identified to inform cybersecurity program
management activities?
Are cybersecurity program management activities guided by documented policies or
other organizational directives?
Are cybersecurity program management activities periodically reviewed to ensure
conformance with policy?
Do personnel performing cybersecurity program management activities have the skills
and knowledge needed to perform their assigned responsibilities?
Are users required to log out when a defined time-period of expected inactivity and/or
description of when to log out?
Is the authorization to super user accounts limited to designated system administration
personnel?
Is the privileged access to the system prohibited for nonorganizational users?
Does the system purge information from mobile devices after a defined number of
consecutive, unsuccessful login attempts to the device?
�1273
Portable/Mobile/Wirel
C800_53_R3
ess
Is the system monitored for unauthorized wireless connections? Does the monitoring
include scanning for unauthorized wireless access points on defined frequency, and is
appropriate action taken if an unauthorized connection is discovered?
1274
Portable/Mobile/Wirel
C800_53_R3
ess
Are wireless communications confined to organization-controlled boundaries?
1275
Training
C800_53_R3
1276
Training
C800_53_R3
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
Are employees provided with initial and periodic training in the employment and
operation of environmental controls?
Are employees provided with initial and periodic training in the employment and
operation of physical security controls?
Does the system shut down in the event of an audit failure, unless an alternative audit
capability exists?
Is information from audit records correlated with information from monitoring physical
access to identify suspicious, inappropriate, unusual, or malevolent activity?
Are the permitted actions specified for each authorized information system process, role,
and/or user in the audit and accountability policy?
Are automated mechanisms used to alert security personnel of a defined list of
inappropriate or unusual activities?
Is full-text analysis of privileged functions executed performed in a physically dedicated
system?
Are cryptographic mechanisms used to protect the integrity of audit information and
audit tools?
Is access to management of audit functionality authorized only to a limited subset of
privileged users? Are audit records of nonlocal accesses to privileged accounts and the
execution of privileged functions protected?
Does the system protect against an individual falsely denying having performed a
particular action?
Is the identity of the information producer associated with the information?
Does the system validate the binding of the information producer's identity to the
information?
Are reviewer/releaser identity and credentials maintained within the established chain of
custody for all information reviewed or released?
�1288
1289
1290
1291
1292
1293
1294
1295
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
C800_53_R3
Does the system validate the binding of the reviewer's identity to the information at the
transfer/release point prior to release/transfer from one security domain to another
security domain?
C800_53_R3
Is FIPS-validated or NSA-approved cryptography used to implement digital signatures?
C800_53_R3
Is a systemwide audit trail produced and composed of audit records in a standardized
format?
C800_53_R3
Are session audits initiated at system startup?
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
1296
Plans
C800_53_R3
1297
Organizational
Risk Management and
Assessment
Configuration
Management
C800_53_R3
1298
1299
C800_53_R3
C800_53_R3
1300
Configuration
Management
C800_53_R3
1301
Configuration
Management
C800_53_R3
1302
Configuration
Management
C800_53_R3
Does the security assessment plan describe the scope of the assessment and include the
security controls and control enhancements under assessment, the assessment
procedures to be used, the assessment environment, the assessment team, and
assessment roles and responsibilities?
Are the written results of the security control assessment provided to the authorizing
official or designated representative?
Is the direct connection of an unclassified national security system prohibited to an
external network?
Is the direct connection of a classified national security system prohibited to an external
network?
Are automated mechanisms used to help ensure that the plan of action and milestones
for the system are accurate, up to date, and readily available?
Is the security authorization updated on a defined frequency?
Does the continuous monitoring program include ongoing security control assessments in
accordance with the organizational continuous monitoring strategy?
Are older versions of baseline configurations retained as necessary to support rollback?
Is there a defined list of software programs not authorized to execute on the system? Is
the authorization policy an allow-all, deny-by-exception for software allowed to execute
on the system?
Are configuration-controlled changes to the system approved with explicit consideration
for security impact analyses?
Are configuration change control activities provided and coordinated through a defined
configuration change control element that convenes on a defined frequency or for
defined configuration change conditions?
�1303
Configuration
Management
1304
Configuration
Management
1305
1306
1307
1308
Configuration
Management
Configuration
Management
System Protection
Configuration
Management
C800_53_R3
Does the configuration change control element have a security representative member?
C800_53_R3
Are the security functions checked after any system changes to verify that the functions
are implemented correctly, operating as intended, and meeting the security requirements
for the system?
C800_53_R3
Are the privileges to change software resident within software libraries limited?
C800_53_R3
C800_53_R3
C800_53_R3
1309
Policies & Procedures
General
C800_53_R3
1310
Plans
C800_53_R3
1311
Plans
C800_53_R3
1312
Plans
C800_53_R3
1313
Plans
C800_53_R3
1314
Plans
C800_53_R3
1315
Continuity
C800_53_R3
1316
Continuity
C800_53_R3
1317
Continuity
C800_53_R3
Is conformance to security configuration guidance demonstrated prior to being
introduced into a production environment?
Are there defined registration requirements for ports, protocols, and services?
Is there an inventory of system components that is available for review and audit by
organizational officials?
Is there a formal, documented contingency planning policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance?
Is the contingency plan distributed to a defined list of key contingency personnel and
organizational elements?
Are contingency plan changes communicated to a defined list of key contingency
personnel and organizational elements?
Has capacity planning determined the necessary capacity for information processing,
telecommunications, and environmental support needed during contingency operations?
Is the resumption of essential missions and business functions planned for within a
defined time period of contingency plan activation?
Is a full recovery and reconstitution of the system to a known state included as part of
contingency plan testing?
Are the backups of system documentation, including security-related documentation,
done on a defined frequency consistent with recovery time and recovery point
objectives?
Is system backup information transferred to the alternate storage site on a defined time
period, and is the transfer rate consistent with the recovery time and recovery point
objectives?
Is a redundant secondary system that is not co-located used for system backup, and can it
be activated without loss of information or disruption to the operation?
�1318
1319
Access Control
Access Control
C800_53_R3
C800_53_R3
Is multifactor authentication used for network access to nonprivileged accounts?
Is multifactor authentication used for local access to nonprivileged accounts?
1320
Access Control
C800_53_R3
Is multifactor authentication used for network access to nonprivileged accounts where
one of the factors is provided by a device separate from the system being accessed?
1321
Access Control
C800_53_R3
1322
Access Control
C800_53_R3
1323
Access Control
C800_53_R3
1324
Account Management
C800_53_R3
1325
Account Management
C800_53_R3
Are identifiers, attributes, and associated access authorizations dynamically managed?
Are defined replay-resistant authentication mechanisms used for network access to
privileged accounts? (e.g., Kerberos, LDAP, etc.)
Are defined replay-resistant authentication mechanisms used for network access to
nonprivileged accounts?
Does the organization standardize, with regard to dynamic address allocation, Dynamic
Host Control Protocol (DHCP) lease information and the time assigned to devices, and
audit lease information when assigned to a device?
Do user identifiers uniquely identify the user by a defined characteristic identifying user
status?
1326
Account Management
C800_53_R3
Is there a minimum password complexity of defined requirements for case sensitivity,
number of characters, mix of upper case letters, lower case letters, numbers, and special
characters, including minimum requirements for each type?
1327
Account Management
C800_53_R3
Do new passwords require a defined number of changed characters?
1328
Account Management
C800_53_R3
Are passwords encrypted in storage and in transmission?
1329
Account Management
C800_53_R3
Is there a defined minimum and maximum lifetime restriction for passwords?
1330
Account Management
C800_53_R3
Is password reuse prohibited for a defined number of generations?
1331
Account Management
C800_53_R3
1332
Incident Response
C800_53_R3
1333
Incident Response
C800_53_R3
1334
Incident Response
C800_53_R3
Are defined measures taken to manage the risk of compromise due to individuals having
accounts on multiple systems?
Is the system dynamically reconfigured as part of the incident response capability?
Are classes of incidents identified, and are appropriate actions defined to ensure
continuation of organizational missions and business functions?
Are personnel required to report suspected security incidents to the organizational
incident response authority within a defined time-period?
�1335
1336
Maintenance
Maintenance
C800_53_R3
Are there procedures for the use of maintenance personnel that lack appropriate security
clearances or for non - U.S. citizens?
C800_53_R3
Are maintenance personnel who do not have needed access authorizations, clearances,
or formal access approvals escorted and supervised during the performance of
maintenance and diagnostic activities on the system by approved personnel who are fully
cleared, have appropriate access authorizations, and are technically qualified?
1337
Maintenance
C800_53_R3
1338
Maintenance
C800_53_R3
1339
Maintenance
C800_53_R3
1340
Maintenance
C800_53_R3
1341
Maintenance
C800_53_R3
1342
Maintenance
C800_53_R3
1343
Info Protection
C800_53_R3
1344
Info Protection
C800_53_R3
1345
Info Protection
C800_53_R3
1346
Info Protection
C800_53_R3
Are all volatile information storage components within the system sanitized, and are all
nonvolatile storage media removed or physically disconnected from the system and
secured before initiating maintenance or diagnostic activities by personnel who do not
have needed access authorizations, clearances or formal access approvals?
Are the procedures contained in the security plan for the system enforced when a system
component cannot be sanitized?
Are all personnel performing maintenance and diagnostic activities on a system
processing, storing, or transmitting classified information cleared for the highest level of
information on the system?
Are all personnel performing maintenance and diagnostic activities on a system
processing, storing, or transmitting classified information U.S. citizens?
Are cleared foreign nationals used to conduct maintenance and diagnostic activities on a
system only when the system is jointly owned and operated by the United States and
foreign allied governments, or owned and operated solely by foreign allied governments?
Are the approvals, consents, and detailed operational conditions regarding the use of
foreign nationals to conduct maintenance and diagnostic activities on a system fully
documented with a Memorandum of Agreement?
Are cryptographic mechanisms used to protect and restrict access to information on
portable digital media?
Are cryptographic mechanisms used to protect information in storage?
Are cryptographic mechanisms used to protect digital media during transport outside of
controlled areas?
Are the circumstances defined where portable, removable storage devices are required to
be sanitized prior to connection to the system?
�1347
Info Protection
C800_53_R3
1348
Info Protection
C800_53_R3
1349
Info Protection
C800_53_R3
1350
Physical Security
C800_53_R3
1351
Physical Security
C800_53_R3
1352
Physical Security
C800_53_R3
1353
Environmental Security C800_53_R3
1354
Environmental Security C800_53_R3
1355
Environmental Security C800_53_R3
1356
Continuity
C800_53_R3
1357
Communication
Protection
C800_53_R3
1358
Organizational
C800_53_R3
1359
1360
Organizational
Organizational
C800_53_R3
C800_53_R3
1361
Organizational
C800_53_R3
1362
Organizational
C800_53_R3
Is system media containing Controlled Unclassified Information (CUI) or other sensitive
information sanitized in accordance with applicable organizational and/or federal
standards and policies?
Is system media containing classified information sanitized in accordance with NSA
standards and policies?
Is system media that cannot be sanitized destroyed?
Is the physical access to the facility containing a system that processes classified
information restricted to authorized personnel with appropriate clearances and access
authorizations?
Is the physical tampering or alteration of hardware components within the system
detected or prevented?
The organization controls physical access to information system distribution and
transmission lines within organizational facilities.
Does the facility undergo fire marshal inspections on a defined frequency, and are
identified deficiencies promptly resolved?
Are automatic temperature and humidity controls used to prevent fluctuations
potentially harmful to the system?
Does temperature and humidity monitoring provide an alarm or notification of changes
potentially harmful to personnel or equipment?
Is the effectiveness of security controls at alternate work sites assessed?
Are system components, associated data communications, and networks protected in
accordance with National emissions and TEMPEST policies and procedures, and the
sensitivity of the information being transmitted?
Is there a security Concept of Operations for the system that contains the purpose of the
system, a description of the system architecture, the security authorization schedule, and
the security categorization and associated factors considered in determining the
categorization?
Is the Conduct of Operations reviewed and updated on a defined frequency?
Is there a functional architecture for the system?
Does the functional architecture define the external interfaces, the information being
exchanged across the interfaces, and the protection mechanisms associated with each
interface?
Does the functional architecture define the user roles and the access privileges assigned
to each role?
�1363
Organizational
C800_53_R3
Does the functional architecture define the unique security requirements?
Does the functional architecture define the types of information processed, stored, or
transmitted by the system and any specific protection needs in accordance with
applicable federal laws, executive orders, directives, policies, regulations, standards, and
guidance?
Does the functional architecture define the restoration priority of information or system
services?
Is a privacy impact assessment conducted on the system in accordance with Office of
Management and Budget policy?
Are the results of information security measures of performance monitored and
reported?
Are individuals designated to fulfill specific roles and responsibilities within the
organizational risk management process?
Are information protection needs determined, and are the processes revised as
necessary, until an achievable set is obtained?
Is every user accessing a system processing, storing, or transmitting classified information
cleared and indoctrinated to the highest classification level of the information on the
system?
Is every user accessing a system processing, storing, or transmitting types of classified
information which require formal indoctrination, formally indoctrinated for all the
relevant types of information on the system?
Is access to information with special protection measures granted only to individuals who
have a valid access authorization that is demonstrated by assigned official government
duties and that satisfy associated personnel security criteria?
Is access to classified information with special protection measures granted only to
individuals who have a valid access authorization that is demonstrated by assigned official
government duties?
1364
Organizational
C800_53_R3
1365
Organizational
C800_53_R3
1366
Organizational
C800_53_R3
1367
Info Protection
C800_53_R3
1368
Organizational
C800_53_R3
1369
Info Protection
C800_53_R3
1370
Personnel
C800_53_R3
1371
Personnel
C800_53_R3
1372
Personnel
C800_53_R3
1373
Personnel
C800_53_R3
1374
Personnel
C800_53_R3
Is access to classified information with special protection measures granted only to
individuals that satisfy associated personnel security criteria consistent with applicable
federal laws, executive orders, directives, policies, regulations, standards, and guidance?
1375
Personnel
C800_53_R3
Is access to classified information with special protection measures granted only to
individuals that have read, understand, and signed a nondisclosure agreement?
�1376
Monitoring & Malware C800_53_R3
1377
System and Services
Acquisition
C800_53_R3
1378
System and Services
Acquisition
C800_53_R3
1379
System and Services
Acquisition
C800_53_R3
1380
System and Services
Acquisition
C800_53_R3
1381
System and Services
Acquisition
C800_53_R3
1382
System and Services
Acquisition
C800_53_R3
1383
System and Services
Acquisition
C800_53_R3
1384
1385
1386
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Are historic audit logs reviewed to determine if a vulnerability identified in the system has
been previously exploited?
Are software vendors/manufacturers required to demonstrate that their software
development processes employ state-of-the-practice software and security engineering
methods, quality control processes, and validation techniques to minimize flawed or
malformed software?
Is each system component acquired explicitly assigned to a system, and does the owner
of the system acknowledge the assignment?
Are system components required to be delivered in a secure documented configuration,
and is the secure configuration the default configuration for any software reinstalls or
upgrades?
Are only government off-the-shelf or commercial off-the-shelf information assurance (IA)
and IA-enabled information technology products employed that composes an NSAapproved solution to protect classified information when the networks used to transmit
the information at a lower classification level than the information being transmitted?
Have these products been evaluated and/or validated by the NSA or in accordance with
NSA-approved procedures?
Is the use of commercially provided information technology products limited to those
products that have been successfully evaluated against a validated U.S. Government
Protection Profile for a specific technology type?
Is it required that the cryptographic module be FIPS-validated if no U.S. Government
Protection Profile exists for a specific technology type but a commercially provided
information technology product relies on cryptographic functionality to enforce its
security policy?
C800_53_R3
Are attempts to obtain system documentation documented when such documentation is
either unavailable or nonexistent?
C800_53_R3
Is the source code for the system protected and made available to authorized personnel?
C800_53_R3
Is the use of binary or machine executable code prohibited from sources with limited or
no warranty without accompanying source code?
�1387
1388
1389
Information and
Document
Management
System and Services
Acquisition
System and Services
Acquisition
C800_53_R3
C800_53_R3
C800_53_R3
1390
System Protection
C800_53_R3
1391
System Protection
C800_53_R3
1392
System Protection
C800_53_R3
1393
System Protection
C800_53_R3
1394
System Protection
C800_53_R3
1395
1396
1397
1398
1399
1400
1401
1402
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
Are exceptions to the source code requirement provided only for compelling
mission/operational requirements when no alternative solutions are available and with
the express written consent of the authorizing official?
Is an organizational assessment of risk conducted prior to the acquisition or outsourcing
of dedicated information security services?
Is the acquisition or outsourcing of dedicated information security services approved by a
senior organizational official?
Is there a defined list of untrusted critical information system components that require reimplementation?
Are these untrusted information system components re-implemented or custom
developed?
Is user functionality separated from system management functionality?
Is the presentation of system management-related functionality prevented at an interface
for general users?
Are underlying hardware separation mechanisms used to facilitate security function
isolation?
Is the discovery of specific system components (or devices) composing a managed
interface prevented?
Are automated mechanisms used to enforce strict adherence to protocol format?
Are symmetric cryptographic keys using either NIST-approved or NSA-approved key
management technology and processes produced, controlled, and distributed?
Are symmetric and asymmetric cryptographic keys using NSA-approved key management
technology and processes produced, controlled, and distributed?
Are asymmetric cryptographic keys using approved PKI Class 3 certificates or
prepositioned keying material produced, controlled, and distributed?
Are asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and
hardware security tokens that protect the user's private key produced, controlled, and
distributed?
C800_53_R3
Is FIPS-validated cryptography used to protect unclassified information?
C800_53_R3
Is NSA-approved cryptography used to protect classified information?
�1403
1404
1405
1406
1407
1408
1409
1410
1411
Communication
Protection
Communication
Protection
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
C800_53_R3
C800_53_R3
C800_53_R3
Is FIPS-validated cryptography used to protect information that must be separated from
individuals who have the necessary clearances but lack the necessary access approvals?
Is either FIPS-validated or NSA-approved cryptography used to implement digital
signatures?
Does the acquisition, development, and/or use of mobile code to be deployed in the
system meet defined mobile code requirements?
C800_53_R3
Is the download and execution of prohibited mobile code prevented?
C800_53_R3
Is the automatic execution of mobile code prevented in defined software applications,
and are defined actions required prior to executing the code?
C800_53_R3
Are session identifiers invalidated upon user logout or other session termination?
C800_53_R3
C800_53_R3
C800_53_R3
1412
Monitoring & Malware C800_53_R3
1413
1414
Physical Security
Physical Security
C800_53_R3
C800_53_R3
1415
Physical Security
C800_53_R3
1416
Physical Security
C800_53_R3
1417
Physical Security
C800_53_R3
1418
Physical Security
C800_53_R3
1419
Physical Security
C800_53_R3
Is a readily observable logout capability provided whenever authentication is used to gain
access to Web pages?
Is a unique session identifier generated for each session, and are only system-generated
session identifiers recognized?
Are unique session identifiers generated with defined randomness requirements?
Are malicious code protection mechanisms tested on a defined frequency by introducing
a known benign, nonspreading test case into the system and verifying that both detection
of the test case and associated incident reporting occur?
Are the communications traffic/event patterns analyzed for the system?
Are profiles that represent the common traffic patterns and/or events developed?
Are the traffic/event profiles used in tuning the system-monitoring devices to reduce the
number of false positives and negatives to a defined measure?
Is a wireless intrusion detection system used to identify rogue wireless devices and to
detect attack attempts and potential compromises/breaches to the system?
Is an intrusion detection system used to monitor wireless communications traffic as the
traffic passes from wireless to wireline networks?
Is information from monitoring tools correlated to achieve organizationwide situational
awareness?
Are the results from monitoring physical, cyber, and supply chain activities correlated to
achieve integrated situational awareness?
�1420
System Integrity
C800_53_R3
1421
1831
Personnel
Access Control
C800_53_R3
C800_53_R4
1832
Access Control
C800_53_R4
1833
Access Control
C800_53_R4
1834
Access Control
C800_53_R4
1835
Access Control
C800_53_R4
1836
1837
1838
Access Control
Access Control
Access Control
Portable/Mobile/Wirel
ess
C800_53_R4
C800_53_R4
C800_53_R4
1839
1840
C800_53_R4
Portable/Mobile/Wirel
C800_53_R4
ess
1844
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
System Protection
1845
Access Control
C800_53_R4
1846
Access Control
C800_53_R4
1847
Monitoring & Malware C800_53_R4
1841
1842
1843
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
Is the result of security function verification reported to designated organizational
officials with information security responsibilities?
Is an exit interview conducted upon termination of employment?
Does the system allow authorized users to create and maintain security controls?
Does the system allow security attributes to be transmitted between distributed system
components?
Does the system use proven techniques or technology to protect security attributes?
Does the organization have a security attribute re-grading mechanism that has been
validated?
Does the system have authorized personnel to modify the security attributes on objects
or persons?
Does the system maintain security attributes with the information?
Does the system establish permitted security values in security attributes?
Does the system allow permitted security values for each security attribute?
Is the use of unclassified mobile device internal or external modem prohibited in a
classified environment?
Does the organization employ full-device encryption or container encryption to protect
the confidentiality and integrity of information on organization defined mobile devices?
Does the organization disable accounts of users found to be posing significant risk?
Does the organization only permit the use of shared/group accounts that meet
organization-defined conditions for establishing shared/group accounts?
Does the system have the capacity to terminate group account credentials if members
leave the group?
Does the organization detect and protect against data mining?
Does the information system transmit authorizations in a secure manner between
systems?
Does the information system enforce access control and ensure that user identity or
processes from a user are not disclosed based on security levels?
Does the information system implement a reference monitor process that checks for
access control permissions and has properties such as tamperproof, is always executing,
and has a small resource footprint?
�1848
Access Control
C800_53_R4
1849
Access Control
C800_53_R4
1850
Access Control
C800_53_R4
1851
1852
Communication
Protection
Communication
Protection
C800_53_R4
C800_53_R4
1853
Access Control
C800_53_R4
1854
Access Control
C800_53_R4
1855
Access Control
C800_53_R4
1857
1858
1859
1860
1861
1862
1863
1865
1866
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
C800_53_R4
C800_53_R4
Does the Discretionary Access Control (DAC) policy allow users to specify and control
sharing by named individuals or groups of individuals, or by both?
Does the Discretionary Access Control (DAC) policy limit propagation of access right?
Does the Discretionary Access Control (DAC) policy include or exclude access to the
granularity of a single user?
Does the system identify information flows by data type, specification, and usage when
transferring information between different security domains?
Does the system enforce security policies regarding information on interconnected
systems?
Does the system provide separate processing domains to enable finer-grained allocation
of user privileges?
Does the system prevent software from executing at higher privilege levels than the user?
Does the system display upon successful logon relevant organization information in
addition to date and time of last logon?
Does the system allow for changing the level of auditing to meet organizational
requirements?
Are automated mechanisms used to determine if organizational information has been
disclosed in an unauthorized manner?
C800_53_R4
Does the organization review social networking site information being monitored?
C800_53_R4
Does the organization monitor social networking sites for unauthorized disclosure of
organizational information?
C800_53_R4
Does the organization maintain user identity of cross-organization audit information?
C800_53_R4
C800_53_R4
Does the organization share services with other organizations and coordinate audit
information transmitted across organizational boundaries?
Does the information system contain a secondary authoritative time source located in a
different place than the primary time source?
C800_53_R4
Does the information system back up audit records daily onto a different system?
C800_53_R4
Does the organization enforce dual authorization to change or delete audit information?
�1867
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
Audit and
Accountability
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Software
C800_53_R4
C800_53_R4
C800_53_R4
Does the organization authorize read-only access to audit information for administrators?
Is the direct connection of a classified national security system prohibited to an external
network without a boundary protection device?
Does the organization use analysis techniques on continuous monitoring process data and
modifies the monitoring based on the results?
C800_53_R4
Does the organization establish target areas for a continuous monitoring program?
C800_53_R4
Does the organization continuously monitor security targets they have established?
C800_53_R4
Does the organization do a review of security information generated by continuous
monitoring program?
C800_53_R4
Does the organization have response actions to address results of a security review?
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
Does the organization do penetration testing on information system according to a
testing plan and defined frequency?
Does the system perform security compliance checks before establishing an internal
connection?
Does the organization authorize and document interconnection of company owned
information system?
Does the organization have cryptographic mechanisms under configuration management?
Does the system prevent the installation of software without verification of digital
signature that is recognized and approved?
Is there a defined list of software programs authorized to execute on the system? Is the
authorization policy a deny-all, permit-by-exception for software allowed to execute on
the system? Is it reviewed at least annually?
Does the organization store component information and send the component owner an
acknowledgment of this assignment?
Does the organization implement a configuration management plan that addresses roles,
responsibilities, and management process and procedures?
Does the organization protect the configuration management plan from unauthorized
disclosure and modification?
Is open source software usage restricted based on company policy?
�1885
1886
1887
1888
Software
Software
Software
Software
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
Does the organization enforce user software installation?
Does the organization monitor compliance of user installed software?
Does the system monitor and alert when users have installed unauthorized software?
Does the system prohibit users from installing software (e.g., least user privileges)?
Is there a formal, documented contingency planning policy for the information system
that addresses essential missions, business functions, and full system restoration despite
a system catastrophic failure. In addition, does the plan include restoration of security
safeguards and is the plan reviewed and approved by key personnel?
1889
Continuity
C800_53_R4
1890
Continuity
C800_53_R4
1891
Continuity
C800_53_R4
1892
Continuity
C800_53_R4
1893
Continuity
C800_53_R4
1894
Continuity
C800_53_R4
1895
Continuity
C800_53_R4
1896
Continuity
C800_53_R4
1897
Continuity
C800_53_R4
1898
Continuity
C800_53_R4
1899
Training
C800_53_R4
1900
Training
C800_53_R4
1901
Training
C800_53_R4
Is the information system contingency plan reviewed according to company policy time
period?
Is the information system contingency plan updated when changes occur in the company
or system?
Is the modified information system contingency plan distributed to contingency
personnel?
Is the information system contingency plan protected from unauthorized disclosure and
modification?
Does the organization identify critical information system assets?
Does the organization have a contingency plan for resumption of company business
functions within a company-defined time period?
Does the organization plan for recovery of essential missions and business functions
reducing loss of operation and sustains continuity until full system restoration at the
primary site?
Does the organization plan for transfer of essential missions and business functions to an
alternate site with little loss of operational continuity?
Does the organization coordinate its contingency plan with external service providers to
ensure contingency requirements can be satisfied?
Does the organization provide contingency training to system users of their contingency
role and responsibility in recovery? Also when contingency plans change and are they
done within a predetermined time allowance?
Does the organization use simulated events in contingency training to facilitate personnel
response?
Does the organization use automated mechanisms to make contingency training more
realistic?
�Does the organization test the contingency plan on a company-defined time interval and
frequency to determine the effectiveness of the plan?
Does the organization review the contingency plan test results and makes corrective
action changes if needed?
Does the organization coordinate contingency plan testing with groups responsible for
the design?
Does the organization test the continuity plan at the alternate processing site to gain
familiarity and to evaluate capabilities with the site?
Does the alternate site have equipment required to transfer business operations and are
contracts in place to support the transfer within a prescribed time frame?
Does the organization plan and prepare for situations where returning to normal
operations from the primary site is prevented?
Does the organization request Telecommunications Service Priority for all
telecommunication services used for national security emergency preparedness,
especially when primary and secondary providers are the same?
1902
Training
C800_53_R4
1903
Training
C800_53_R4
1904
Training
C800_53_R4
1905
Training
C800_53_R4
1906
Continuity
C800_53_R4
1907
Continuity
C800_53_R4
1908
Communication
Protection
C800_53_R4
1909
Communication
Protection
C800_53_R4
Does the organization test alternate telecommunication services at least annually?
1910
Continuity
C800_53_R4
Does the organization enforce dual authorization for destruction of backup media
containing data?
1911
Continuity
C800_53_R4
Does the organization protect backup and restoration hardware, firmware, and software?
1912
Continuity
C800_53_R4
1913
Continuity
C800_53_R4
1914
Continuity
C800_53_R4
1915
Access Control
C800_53_R4
1916
Access Control
C800_53_R4
1917
Access Control
C800_53_R4
Does the system provide alternate communication protocols in support of maintaining
continuity of operations?
Does the system enter a safe mode with operation restrictions when abnormal conditions
are detected?
Are there alternative security mechanisms available to provide system security when the
primary security functions fail or are compromised?
Is multifactor authentication used for remote access to privileged accounts where one of
the factors is provided by a device separate from the system being accessed?
Does the information system accept and electronically verify Personal Identity
Verification credentials?
Does the organization require user authentication even though a group authenticator is
available?
�1918
Access Control
C800_53_R4
1919
Access Control
C800_53_R4
1920
Access Control
C800_53_R4
1921
Account Management
C800_53_R4
1922
Account Management
C800_53_R4
1924
1925
Audit and
Accountability
Access Control
Access Control
1926
Access Control
C800_53_R4
1927
Access Control
C800_53_R4
1928
1929
1930
Access Control
Access Control
Access Control
C800_53_R4
C800_53_R4
C800_53_R4
1931
Access Control
C800_53_R4
1932
Access Control
C800_53_R4
1933
Access Control
C800_53_R4
1934
Access Control
C800_53_R4
1935
1936
Access Control
Access Control
C800_53_R4
C800_53_R4
1937
Access Control
C800_53_R4
1938
Access Control
C800_53_R4
1923
C800_53_R4
C800_53_R4
C800_53_R4
Is multifactor authentication used for network access to privileged accounts where one of
the factors is provided by a device separate from the system being accessed?
Is single sign-on capability available on the system?
Does the organization have a process to ensure that device identification and
authentication based on attestation is handled?
Are user or device identifiers disabled after a time period of inactivity (e.g., 30 days)?
Is the registration process to receive a user authenticator carried out in person before a
designated registration authority and require supervisor authorization?
Does the organization coordinate with external organizations for cross-organization
management of identifiers?
When changes to group accounts occur are password changes made as well?
Do hardware token-based authentication devices satisfy quality requirements?
Does the registration process require authenticators to be given in person by authorized
personnel?
Does the organization protect authenticators at the same level of security as the
information?
Are external organizations required to coordinate credentials?
Does the system dynamically provision identities (e.g., for smart card binding)?
Does the system prohibit the use of cached authenticators after a specified time?
Does the organization employ an organization-wide methodology for managing the
content of PKI trusted stores installed across all platforms including networks, operating
systems, browsers, and applications?
Does the organization use only FICAM approved path discovery and validation products
and services?
Does the system accept FICAM-approved credentials?
Does the organization employ only FICAM-approved information system components to
accept third-party credentials?
Does the system conform to FICAM-issued profiles?
Does the system accept and verifies PIV-I credentials?
Does the organization ensure that service providers receive, validate, and transmit
identification and authentication information?
Does accessing the system under special circumstances still require authentication?
�Does the user re-authenticate when circumstances require (e.g., when authenticators or
roles change, after time out)?
Are there incident handling capabilities for insider threats?
Are there coordinated incident handling capabilities for insider threats across the
organization?
1939
Access Control
C800_53_R4
1940
Incident Response
C800_53_R4
1941
Incident Response
C800_53_R4
1942
Incident Response
C800_53_R4
Do external organizations coordinate with and correlate shared incident information to
achieve a cross-organizational incident awareness and effective incident response?
1943
Incident Response
C800_53_R4
Does the organization use dynamic responses when responding to security incidences?
1944
Incident Response
C800_53_R4
1946
Incident Response
C800_53_R4
Does the organization coordinate incident handling activities which involve vendor supply
chain activities with other organizations involved in the supply chain?
Does the organization report security incident information to vendors of the system?
1947
Incident Response
C800_53_R4
Is the incident response plan protected from unauthorized disclosure and modification?
1948
Incident Response
C800_53_R4
Does the organization have a plan to respond to information spills that is comprehensive?
1949
Incident Response
C800_53_R4
1950
Incident Response
C800_53_R4
1951
Incident Response
C800_53_R4
1952
Incident Response
C800_53_R4
1953
Incident Response
C800_53_R4
1954
Maintenance
C800_53_R4
1955
Maintenance
C800_53_R4
1956
Info Protection
C800_53_R4
1957
Info Protection
C800_53_R4
1958
Info Protection
C800_53_R4
Are there personnel identified and responsible for responding to information spills?
Does the organization provide information spillage response training on a defined
frequency?
Does the organization have procedures that ensure continuity while the information spill
is active and undergoing corrective actions?
Does the organization inform personnel of responsibility associated with exposure to
information spillage?
Does the organization have an integrated team of forensic analysts, tool developers, and
real-time personnel established?
Is predictive maintenance used in your organization?
Does the organization employ automated mechanisms to transfer predictive maintenance
data to a computerized maintenance management system?
Does the organization restrict the use of system media that can't be sanitized?
Does the organization have an erasing process for digital media that is established
according to procedures?
Does the organization document the erase system media process?
�1959
Info Protection
C800_53_R4
1960
Info Protection
C800_53_R4
1961
Info Protection
C800_53_R4
1962
Access Control
C800_53_R4
1963
Access Control
C800_53_R4
1964
Access Control
C800_53_R4
1965
Access Control
C800_53_R4
1966
Access Control
C800_53_R4
1967
Physical Security
C800_53_R4
1968
Incident Response
C800_53_R4
1969
Organizational
C800_53_R4
1970
Organizational
C800_53_R4
1971
Organizational
C800_53_R4
1972
Organizational
C800_53_R4
Does the organization employs tests of media erasing equipment and procedures to verify
correct performance regularly?
Does the organization erase information system media, containing Controlled Unclassified
Information (CUI) prior to public release in accordance with applicable federal and
organizational standards and policies?
Does the organization erase information system media, containing classified information
prior to release to individuals without required access authorizations in accordance with
NSA standards and policies?
Does the organization control physical access to output devices (displays, printers) and
ensure only authorized users receive output from the device?
Do you control physical access and verify identity of the person receiving the output from
the device (e.g., pin or hardware tokens)?
Does the organization mark system output devices with the appropriate security marking
of the information permitted to be output from the device?
Does the organization employ automated mechanisms to recognize classes/types of
intrusions and initiate response actions?
Does the organization employ video surveillance of operational areas and retain video
recordings for a specified time period?
Does the organization employ and maintain fire suppression and detection
devices/systems for the information system that are supported by an independent energy
source?
Does the organization implement an insider threat program that includes a crossdiscipline insider threat incident handling team?
Does the organization establish an information security workforce development and
improvement program?
Does the organization have a process for conducting security testing, training, and
monitoring which are maintained and executed in a timely manner? Also, are periodic
reviews done on these plans for consistency and according to company policy?
Does the organization maintain contact with selected security groups to facilitate training
on current security practices, share security-related information?
Does the organization implement a threat awareness program that includes a crossorganization information-sharing capability?
�1973
1974
1975
1976
1977
1978
Personnel
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
System and Services
Acquisition
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
1979
System and Services
Acquisition
C800_53_R4
1980
System and Services
Acquisition
C800_53_R4
1981
System and Services
Acquisition
C800_53_R4
1982
System and Services
Acquisition
C800_53_R4
1983
1984
1985
1986
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Communication
Protection
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
Does the organization notify terminated individuals of applicable, legally binding postemployment requirements for the protection of organizational information?
Does the organization update the information system vulnerabilities list when new
vulnerabilities are identified and reported?
Does the system implement privileged access authorization to system components for
selected vulnerability scanning activities?
Does the organization correlate the output from vulnerability scanning tools to determine
the presence of multi-vulnerability/multi-hop attack vectors?
Does the organization employ a technical surveillance countermeasure survey at least
once a year?
Does the organization restrict the location of information processing based on
requirements or conditions?
Does the organization approve, document, and control the use of live data in
development and test environments for the system, system component, or system
service?
Does the organization require the developer of the system to archive the system or
component to be released or delivered together with the corresponding evidence
supporting the final security review?
Does the organization require the developer of the system to provide training on the
correct use and operation of the implemented security functions, controls, and/or
mechanisms?
Does the organization require the developers of the system, system components, or
system services to structure security-relevant hardware, software, and firmware to
facilitate controlling access with least privilege principles?
Does the organization train personnel to detect counterfeit information system
components (including hardware, software, and firmware)?
Does the organization require that developers of the system are trustworthy and are able
to pass a personnel screening test?
Does the organization ensure that steps have been taken to verify the personnel
screening of those who performed work on the system?
Does the organization employ monitoring tools to detect indicators of denial of service
attacks against the information system and monitors system resources to determine if
sufficient resources exist to prevent effective denial-of-service attacks?
�1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
Does the organization allow execution of permitted mobile code only in confined virtual
machine environments?
Does the organization remove from online storage and stores off-line in a secure location
system information?
Does the organization employ realistic, but misleading information in the system with
regard to its security state or posture?
Does the organization employ techniques to hide or conceal information system
components?
Does the organization measure the bandwidth of a subset of identified covert channels in
the operational environment of the information system?
Does the organization distribute processing and storage across multiple physical
locations?
Does the organization employ polling techniques to identify potential faults, errors, or
compromises to distributed processing and storage components?
Does the organization employ out-of-band channels for the physical delivery or electronic
transmission of information, information system components, or devices to individuals or
information systems?
Does the information system maintain a separate execution domain for each executing
process?
Does the information system maintain a separate execution domain for each thread in
multi-threaded processing?
Does the information system implement cryptographic mechanisms to identify and reject
wireless transmissions that are deliberate attempts to achieve imitative or manipulative
communications deception based on signal parameters?
Does the information system implement cryptographic mechanisms to prevent the
identification of wireless transmitters by using the transmitter signal parameters?
Does the information system prohibit the remote activation of environmental sensing
capabilities except where remote activation of sensors is allowed and provides an explicit
indication of sensor use?
1997
Communication
Protection
C800_53_R4
1998
Communication
Protection
C800_53_R4
1999
Communication
Protection
C800_53_R4
2000
Communication
Protection
C800_53_R4
Does the organization ensure that the system is configured so that data or information
collected by the sensors is only reported to authorized individuals or roles?
2001
Communication
Protection
C800_53_R4
Does the organization use data or information collected only for authorized purposes?
�2002
Communication
Protection
C800_53_R4
2003
System Integrity
C800_53_R4
2004
System Integrity
C800_53_R4
2005
System Integrity
C800_53_R4
2006
2007
2008
System Integrity
System Integrity
System Integrity
C800_53_R4
C800_53_R4
C800_53_R4
2009
System Integrity
C800_53_R4
2010
System Integrity
C800_53_R4
2011
System Integrity
C800_53_R4
2012
System Integrity
C800_53_R4
2013
System Integrity
C800_53_R4
2014
System Integrity
C800_53_R4
2015
System Integrity
C800_53_R4
2016
System Integrity
C800_53_R4
Does the organization establishes usage restrictions and implementation guidance for
system components based on the potential to cause damage to the information system if
used maliciously? And does the organization authorize, monitor, and control the use of
such components within the information system?
Does the organization remove software and firmware components after updated versions
have been installed?
Does the information system implement nonsignature-based malicious code detection
mechanisms?
Does the organization implement additional monitoring of individuals who have been
identified by sources as posing an increased level of risk?
Does the organization implement additional monitoring of privileged users?
Does the system automatically shut down when integrity violations are discovered?
Does the system verify the integrity of the boot process of devices?
Does the organization require that user-installed software execute in a confined physical
or virtual machine environment with limited privileges?
Does the organization requires that the integrity of user-installed software be verified
prior to execution?
Does the organization allow execution of binary or machine-executable code obtained
from sources with limited or no warranty and without the provision of source code only in
confined physical or virtual machine environments and with explicit approval?
Does the organization prohibit the use of binary or machine-executable code from
sources with limited or no warranty and without the provision of source code and provide
exceptions to the source code requirement only for compelling mission/operational
requirements and with the approval of the authorizing official?
The information system implements cryptographic mechanisms to authenticate software
or firmware components prior to installation?
Does the information system implement cryptographic mechanisms to authenticate
software or firmware components prior to installation?
Does the information system implement spam protection mechanisms with a learning
capability to more effectively identify legitimate communications traffic?
Does the organization ensure that input validation errors are reviewed and resolved
within defined time period?
�2017
System Integrity
C800_53_R4
2018
System Integrity
C800_53_R4
2019
System Integrity
C800_53_R4
2020
System Integrity
C800_53_R4
2021
System Integrity
C800_53_R4
2022
System Integrity
C800_53_R4
2025
Access Control
C800_53_R4
2026
Physical Security
C800_53_R4
2028
Access Control
C800_53_R4
2801
Privacy
C800_53_R4_A
pp_J
2802
Privacy
C800_53_R4_A
pp_J
2803
Privacy
C800_53_R4_A
pp_J
2804
Privacy
2805
Privacy
2806
Privacy
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
Does the information system behave in a predictable and documented manner that
reflects organizational and system objectives when invalid inputs are received?
Does the organization account for timing interactions among information system
components in determining appropriate responses for invalid inputs?
Does the organization restrict the use of information inputs to trusted sources and/or
formats?
Does the organization provide real-time failover capability for the system?
Does the organization implement non-persistent information system components and
services?
Does the information system implement security safeguards to protect its memory from
unauthorized code execution?
Does the information system have out-of-band authentication designed for use under
abnormal condition?
Does the organization employ automatic voltage controls for critical information system
components?
Are access privileges to protected information reviewed at least annually to confirm they
are correct and that they correspond to the organizations' needs and appropriate
personnel roles and responsibilities?
Does the organization determine and document the legal authority that permits the
collection, use, maintenance, and sharing of PII, in general or in support of a specific
program or information system need?
Does the organization document the purpose(s) for which PII is collected, used,
maintained, and shared in its privacy notices?
Does the organization appoint a Senior Agency Official for Privacy (SAOP) and a Chief
Privacy Officer (CPO) who are accountable for developing, implementing, and maintaining
an organization-wide governance and privacy program to ensure compliance with all
applicable laws and regulations regarding the collection, use, maintenance, sharing, and
disposal of PII by programs and information system?
Does the organization monitor federal privacy laws and policy for changes that affect the
privacy program?
Does the organization allocate appropriate level of funding and resources to implement
and operate the organization-wide privacy program?
Does the organization develop a privacy plan for implementing applicable privacy
controls, policies, and procedures?
�2807
Privacy
2808
Privacy
2809
Privacy
2810
Privacy
2811
Privacy
2812
Privacy
2813
Privacy
2814
Privacy
2815
Privacy
2816
Privacy
Does the organization develop, disseminate, and implement operational privacy policies
C800_53_R4_A
and procedures that govern the appropriate privacy and security controls for programs,
pp_J
information systems, or technologies involving PII?
C800_53_R4_A Does the organization update the privacy plan, policies, and procedures according to
pp_J
company-defined time period or at least biennially?
Does the organization document and implement a privacy risk management process that
C800_53_R4_A
assesses privacy risk to individuals resulting from collection, sharing, storing, transmitting,
pp_J
use, or disposal of PII?
Does the organization conduct Privacy Impact Assessments (PIAs) for information
C800_53_R4_A
systems, programs, or other activities that pose a privacy risk in accordance with
pp_J
applicable law, OMB policy, or any existing organizational policies and procedures?
C800_53_R4_A Does the organization establish privacy roles, responsibilities, and access requirements
pp_J
for contractors and service providers?
C800_53_R4_A Does the organization include privacy requirements in contracts and other acquisitionpp_J
related documents?
C800_53_R4_A Does the organization monitor and audit privacy controls and internal privacy policy
pp_J
according to company-defined time interval to ensure effective implementation?
C800_53_R4_A Does the organization develop, implement, and update comprehensive training and
pp_J
awareness for ensuring personnel understand privacy responsibilities and procedures?
Does the organization administer basic privacy training at least annually and targeted,
C800_53_R4_A
role-based privacy training for personnel having responsibility for PII or for activities that
pp_J
involve PII, and is this done at least annually?
C800_53_R4_A Does the organization ensure that personnel certify (manually or electronically)
pp_J
acceptance of responsibilities for privacy requirements at least annually?
2817
Privacy
Does the organization develop, distribute, and update reports to OMB, Congress, and
C800_53_R4_A other oversight bodies to demonstrate accountability with specific statutory and
pp_J
regulatory privacy program mandates, and to senior management and other personnel
with responsibility for monitoring privacy program progress and compliance?
2818
Privacy
C800_53_R4_A Does the organization design information systems to support privacy by automating
pp_J
privacy controls?
�2819
Privacy
2820
Privacy
2821
Privacy
2822
Privacy
2823
Privacy
2824
Privacy
2825
Privacy
2826
Privacy
2827
Privacy
2828
Privacy
2829
Privacy
2830
Privacy
2831
Privacy
2832
Privacy
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
Does the organization keep an accurate accounting of disclosures of information held in
each system of records under its control that includes the Date, nature, and purpose of
each disclosure of a record and name with the address of the person or agency to which
the disclosure was made?
Does the organization retain the accounting of disclosures for the life of the record or five
years after the disclosure is made, whichever is longer?
Does the organization make the accounting of disclosures available to the person named
in the record upon request?
Does the organization confirm upon collection or creation of PII, the accuracy, relevance,
timeliness, and completeness of that information?
Does the organization collect PII directly from the individual to the greatest extent
practical?
Does the organization check for, and correct, as necessary, any inaccurate or outdated PII
used by its programs or systems?
Does the organization issue guidelines ensuring and maximizing the quality, utility,
objectivity, and integrity of disseminated information?
Does the organization request that the individual or individual's authorized representative
validate PII during the collection process?
C800_53_R4_A Does the organization request that the individual or individual's authorized representative
pp_J
revalidate that PII collected is still accurate according to company policy?
C800_53_R4_A Does the organization document processes to ensure the integrity of PII through existing
pp_J
security controls?
Does the organization establish a Data Integrity Board when appropriate to oversee
C800_53_R4_A
organizational Computer Matching Agreements and to ensure that those agreements
pp_J
comply with the computer matching provisions of the Privacy Act?
C800_53_R4_A
Does the organization publish Computer Matching Agreements on its public Web site?
pp_J
C800_53_R4_A Does the organization identify the minimum PII elements that are relevant and necessary
pp_J
to accomplish the legally authorized purpose of collection?
Does the organization limit the collection and retention of PII to the minimum elements
C800_53_R4_A
identified for the purposes described in the notice and for which the individual has
pp_J
provided consent?
�Privacy
Does the organization conduct an initial evaluation of PII holdings and establish and
C800_53_R4_A follow a schedule for regularly reviewing those holdings at least annually to ensure that
only PII identified in the notice is collected and retained, and that the PII continues to be
pp_J
necessary to accomplish the legally authorized purpose?
2834
Privacy
Does the organization locate and remove or redact specified PII and/or uses
C800_53_R4_A
anonymization and de-identification techniques to permit use of the retained information
pp_J
while reducing its sensitivity and reducing the risk resulting from disclosure?
2835
Privacy
C800_53_R4_A Does the organization retain each collection of PII for company defined time period to
pp_J
fulfill the purpose(s) identified in the notice or as required by law?
2836
Privacy
Does the organization dispose of, destroy, erase, and/or anonymize the PII, regardless of
C800_53_R4_A
the method of storage, in accordance with a NARA-approved record retention schedule
pp_J
and in a manner that prevents loss, theft, misuse, or unauthorized access?
2837
Privacy
2838
Privacy
2839
Privacy
2840
Privacy
2841
Privacy
2842
Privacy
2843
Privacy
2844
Privacy
2833
C800_53_R4_A Does the organization use company-defined techniques or methods to ensure secure
pp_J
deletion or destruction of PII (including originals, copies, and archived records)?
Does the organization configure its information systems to record the date PII is collected,
C800_53_R4_A
created, or updated and when PII is to be deleted or archived under an approved record
pp_J
retention schedule?
C800_53_R4_A Does the organization develop policies and procedures that minimize the use of PII for
pp_J
testing, training, and research?
C800_53_R4_A Does the organization implement controls to protect PII used for testing, training, and
pp_J
research?
C800_53_R4_A Does the organization use techniques to minimize the risk to privacy of using PII for
pp_J
research, testing, or training?
C800_53_R4_A Does the organization provide means for individuals to authorize the collection, use,
pp_J
maintaining, and sharing of PII prior to its collection?
Does the organization provide appropriate means for individuals to understand the
C800_53_R4_A
consequences of decisions to approve or decline the authorization of the collection, use,
pp_J
dissemination, and retention of PII?
C800_53_R4_A Does the organization obtain consent from individuals prior to any new uses or disclosure
pp_J
of previously collected PII?
�2845
Privacy
2846
Privacy
2847
Privacy
2848
Privacy
2849
Privacy
2850
Privacy
2851
Privacy
2852
Privacy
2853
Privacy
2854
Privacy
2855
Privacy
2856
Privacy
2857
Privacy
Does the organization ensure that individuals are aware of and consent to all uses of PII
C800_53_R4_A
not initially described in the public notice that was in effect at the time the organization
pp_J
collected the PII?
C800_53_R4_A Does the organization implement mechanisms to support itemized or tiered consent for
pp_J
specific uses of data?
C800_53_R4_A Does the organization provide individuals the ability to have access to their PII maintained
pp_J
in its systems of records?
C800_53_R4_A Does the organization publish rules and regulations governing how individuals may
pp_J
request access to records maintained in a Privacy Act system of records?
C800_53_R4_A
Does the organization publish access procedures in System of Records Notices (SORNs)?
pp_J
C800_53_R4_A Does the organization adhere to Privacy Act requirements and OMB policies and guidance
pp_J
for the proper processing of Privacy Act requests?
C800_53_R4_A Does the organization provide a process for individuals to have inaccurate PII maintained
pp_J
by the organization corrected or amended, as appropriate?
Does the organization have an established process for disseminating corrections or
C800_53_R4_A amendments of the PII to other authorized users of the PII, such as external informationsharing partners and notifies affected individuals that their information has been
pp_J
corrected or amended?
C800_53_R4_A Does the organization implement a process for receiving and responding to complaints,
pp_J
concerns, or questions from individuals about the organizational privacy practices?
C800_53_R4_A Does the organization respond to complaints, concerns, or questions from individuals
pp_J
within the company defined time period?
Does the organization establish, maintain, and update according to company policy, an
C800_53_R4_A
inventory that contains a listing of all programs and information systems identified as
pp_J
collecting, using, maintaining, or sharing PII?
Does the organization provide each update of the PII inventory to the CIO or information
C800_53_R4_A security official, according to company time intervals, to support the establishment of
information security requirements for all new or modified information systems containing
pp_J
PII?
C800_53_R4_A
Does the organization develop and implement a Privacy Incident Response Plan?
pp_J
�2858
Privacy
2859
Privacy
C800_53_R4_A Does the organization provide an organized and effective response to privacy incidents in
pp_J
accordance with the organizational Privacy Incident Response Plan?
Does the organization provide effective notice to the public and to individuals regarding:
(i) its activities that impact privacy, including its collection, use, sharing, safeguarding,
C800_53_R4_A maintenance, and disposal of PII; (ii) authority for collecting PII; (iii) the choices, if any,
individuals may have regarding how the organization uses PII and the consequences of
pp_J
exercising or not exercising those choices; and (iv) the ability to access and have PII
amended or corrected if necessary?
2860
Privacy
Does the organization describe: (i) the PII the organization collects and the purpose(s) for
which it collects that information; (ii) how the organization uses PII internally; (iii)
C800_53_R4_A whether the organization shares PII with external entities, the categories of those
entities, and the purposes for such sharing; (iv) whether individuals have the ability to
pp_J
consent to specific uses or sharing of PII and how to exercise any such consent; (v) how
individuals may obtain access to PII; and (vi) how the PII will be protected?
2861
Privacy
C800_53_R4_A Does the organization revise its public notices to reflect changes in practice or policy that
pp_J
affect PII or changes in its activities that impact privacy, before or soon after the change?
2862
Privacy
2863
Privacy
2864
Privacy
2865
Privacy
2866
Privacy
2867
Privacy
2868
Privacy
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
C800_53_R4_A
pp_J
Does the organization provide real-time and/or a layered notice when it collects PII?
Does the organization publish System of Records Notices (SORNs) in the Federal Register,
subject to required oversight processes, for systems containing PII?
Does the organization keep System of Records Notices (SORNs) current?
Does the organization include Privacy Act Statements on its forms that collect PII, or on
C800_53_R4_A
separate forms that can be retained by individuals, to provide additional formal notice to
pp_J
individuals from whom the information is being collected?
C800_53_R4_A
Does the organization publish System of Records Notices (SORNs) on its public website?
pp_J
Does the organization ensure that the public has access to information about its privacy
C800_53_R4_A
activities and is able to communicate with its Senior Agency Official for Privacy
pp_J
(SAOP)/Chief Privacy Officer (CPO)?
C800_53_R4_A Does the organization ensure that its privacy practices are publicly available through
pp_J
organizational websites or otherwise?
�C800_53_R4_A Does the organization use PII internally only for the authorized purpose(s) identified in
pp_J
the Privacy Act and/or in public notices?
Does the organization share PII externally, only for the authorized purposes identified in
C800_53_R4_A
the Privacy Act and/or described in its notices or for a purpose that is compatible with
pp_J
those purposes?
Does the organization enter into Memoranda of Understanding, Memoranda of
C800_53_R4_A Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements,
with third parties that specifically describe the PII covered and specifically enumerate the
pp_J
purposes for which the PII may be used?
C800_53_R4_A Does the organization monitor, audit, and train its staff on the authorized sharing of PII
pp_J
with third parties and on the consequences of unauthorized use or sharing of PII?
Does the organization evaluate any proposed new instances of sharing PII with third
C800_53_R4_A
parties to assess whether the sharing is authorized and whether additional or new public
pp_J
notice is required?
Is there a cross-functional cybersecurity team consisting of ICS personnel, IT personnel,
C800_82
and system vendors/system integrators that reports to and is accountable to
management?
Does the cybersecurity team consist of a member from the IT staff, a control engineer, a
C800_82
control system operator, a security subject matter expert, and a member of
management?
Does the cross-functional cybersecurity team, include network architecture and design
C800_82
personnel, security processes and practices personnel, and secure infrastructure design
and operation personnel?
Does the cybersecurity team have a charter defining the roles, responsibilities, and
C800_82
accountabilities?
Does the cybersecurity team report directly to site management or the company's
C800_82
CIO/CSO, who in turn, accepts complete responsibility and accountability for the
cybersecurity of the system?
2869
Privacy
2870
Privacy
2871
Privacy
2872
Privacy
2873
Privacy
1422
Organizational
1423
Organizational
1424
Organizational
1425
Organizational
1426
Organizational
1427
Policies & Procedures
General
C800_82
1428
Plans
C800_82
1429
System Protection
C800_82
Is the physical security organization aware of the locations of sensitive equipment?
Are interruptions to the recovery process defined and procedures in place to handle
them?
Are external incidents reviewed to determine if they are applicable?
�1430
Communication
Protection
C800_82
Are critical networks redundant?
1431
Training
C800_82
Does the awareness and training program cover the physical process being controlled?
1432
Plans
C800_82
1433
Plans
C800_82
1434
Plans
C800_82
1435
Plans
C800_82
1436
Continuity
C800_82
1437
Plans
C800_82
1438
Plans
C800_82
1439
System Integrity
C800_82
1440
System Integrity
C800_82
1441
Monitoring & Malware C800_82
Are the system performance metrics sent to appropriate stakeholders?
1442
Monitoring & Malware C800_82
Are system auditing utilities incorporated into new and existing projects?
1443
Monitoring & Malware C800_82
Are auditing utilities tested offline before being deployed on an operational system?
1444
System Integrity
C800_82
1445
System Integrity
C800_82
1446
1447
1448
System Integrity
System Integrity
System Integrity
C800_82
C800_82
C800_82
Does the disaster recovery plan include procedures for operating the system in manual
mode until secure conditions are restored?
Does the disaster recovery plan include a complete and up-to-date logical network
diagram?
Does the disaster recovery plan include a communication procedure and list of personnel
to contact in the case of an emergency?
Does the disaster recovery plan include the requirements for the timely replacement of
components in the case of an emergency?
Are critical replacements for hard-to-obtain components kept in inventory?
Does the contingency plan cover the full range of failures and problems caused by cyber
incidents?
Are the business continuity and disaster recovery plans closely related to the contingency
plans?
Are the security controls present during system validation testing, and are they still
installed and operating correctly in the production system?
Is the production system free from security compromises, and does it provide information
on the nature and extent of compromises, should they occur?
Is there an active test facility that replicates the existing system to a high degree, and are
changes tested on the test system before being deployed on the main system?
Is the system software regression tested to ensure that it meets the security
requirements of the current installation?
Are the built-in security capabilities of software and components used?
Are patches applied during planned ICS maintenance cycles?
Are there procedures to guide patch deployment testing and installation?
�1449
System Integrity
C800_82
Is OPC updated with patches to handle RPC/DCOM vulnerabilities?
Have single points of failure been evaluated when securing the network, and has a risk
assessment been performed to remediate those points found problematic?
Are critical components redundant to prevent single point failures?
1450
System Protection
C800_82
1451
System Protection
C800_82
1452
Environmental Security C800_82
Are components and systems shielded from RF signals?
1453
Environmental Security C800_82
Are unshielded twisted pair cables prohibited?
1454
Environmental Security C800_82
Are industrial RJ-45 connectors used for twisted pair connectors?
1455
Environmental Security C800_82
Are fiber optic and/or coax cables used to eliminate interference?
1456
Environmental Security C800_82
Are cables and connectors color coded and labeled to prevent cross connections?
1457
Environmental Security C800_82
Are cable runs installed to prevent unintended access?
1458
Environmental Security C800_82
Is equipment installed in locked cabinets with proper ventilation and air filtration?
1459
Physical Security
C800_82
1460
Account Management
C800_82
1461
Access Control
C800_82
1462
Access Control
C800_82
1463
1464
Access Control
Access Control
C800_82
C800_82
1465
Access Control
C800_82
1466
Access Control
C800_82
1467
Access Control
C800_82
Is a ringed layer of defense used for access to the facility?
Does access control take into account the special needs of personnel to access equipment
and perform their job duties?
Do passwords avoid predictable sequences of numbers, are not found in dictionaries, and
meet strength requirements?
Is the passwords administrator a trusted employee who is available during emergencies
and are copies of passwords stored securely?
Are the privileged user passwords more secure and changed frequently?
Is the authority to change master passwords limited to a trusted employee?
Is a password audit record, especially for master passwords, maintained separately from
the system?
Are network device passwords changed on a regular basis?
Are passwords used on system components and are they implemented to not interfere
with emergency actions?
�1468
Access Control
C800_82
1469
Access Control
C800_82
1470
Access Control
C800_82
1471
Access Control
C800_82
1472
Account Management
C800_82
1473
1474
Communication
Protection
Communication
Protection
C800_82
C800_82
Is PIV (Personal Identity Verification) used and does it conform to the requirements of
FIPS 201 and NIST SP 800-73 and employ either cryptographic verification or biometric
verification?
Is token-based access control with cryptographic verification used, and does it conform to
the requirements of NIST SP 800-78?
Is token-based access control that employs biometric verification used, and does it
conform to the requirements of NIST SP 800-76?
Is challenge/response authentication used whenever possible and practical?
Is biometric authentication used where it is most appropriate and are the issues
associated with biometric authentication understood?
Is HTTPS used instead of HTTP, and SFTP, or SCP instead of FTP for Web services on
control devices?
Is inbound FTP and email traffic blocked for control devices?
1475
Monitoring & Malware C800_82
Has the use of antivirus software on devices with real time dependent code been
evaluated and does the vendor support installation of antivirus code?
1476
Monitoring & Malware C800_82
Is malware protection software and definitions reviewed and thoroughly tested?
1477
Communication
Protection
C800_82
Are data flow controls tested to ensure they do not adversely impact the system?
1478
Maintenance
C800_82
1479
1480
1481
1482
1483
Portable/Mobile/Wirel
ess
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
C800_82
C800_82
C800_82
Are devices used for programming or maintenance/administrative functions secured in
the system environment?
Are laptops, portable engineering workstations, handhelds, and specialized devices
secured in the system environment?
Are multiple DMZs and intrusion detection systems used that apply different rule-sets to
each unique domain being monitored?
Are network-based IDS/IPS capabilities deployed between the control network and
corporate network with a firewall?
C800_82
Are host-based IDS/IPS capabilities used on appropriate devices?
C800_82
Is control system traffic given priority over any noncontrol system traffic?
�1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
C800_82
C800_82
C800_82
C800_82
C800_82
C800_82
C800_82
C800_82
C800_82
C800_82
Monitoring & Malware C800_82
Communication
Protection
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
C800_82
C800_82
C800_82
C800_82
C800_82
Is the system configured so IT network services provide maximum priority to all control
system traffic, and is the network analyzed to ensure control system traffic is not
dependent on IT network services (i.e., DNS services)?
Is network traffic secured from protocol analyzers and other utilities that could use the
information to craft traffic to manipulate system activity?
Is a properly configured DMZ or a VPN connection used between the control system and
the corporate network?
Are security servers placed directly in the DMZ (e.g., patch management, anti-virus, IDS,
etc.)?
Are the risks of a DMZ fully understood?
Is a DMZ with paired firewalls (from different vendors) deployed between the corporate
and control system networks?
Is a three-zone system used with two historians - one on the control system side synced
with one in the DMZ?
Are methods employed for handling packets that are undefined, poorly defined, or
contain unexpected field values?
Are passwords and device configurations secured when transmitted across media that are
susceptible to eavesdropping?
Is the use of vulnerability scanners prohibited or are they only used on test or insensitive
redundant systems?
Are network protocol integrity checks built-in or provided by other techniques for control
system traffic?
Are Faraday cages or other devices used to limit the wireless signal as required?
Are wireless users authenticated using IEEE 802.1X that authenticates users via
certificates or RADIUS servers?
Are wireless services located on a dedicated and isolated server with minimal connections
to the system network?
Are wireless access points configured to have a unique service set identifier (SSID),
disabled SSID broadcast, and enabled MAC filtering?
Are wireless devices configured into a separate organizational unit of the Windows
domain? (For a Microsoft Windows network)
�1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
C800_82
Is encryption done at OSI Layer 2 (data layer) to reduce latency?
C800_82
Are hardware accelerators used for encryption to reduce latency?
C800_82
Are DNS requests out of the control network prohibited and are DNS requests from the
control network to the DMZ reviewed and approved?
C800_82
Is HTTP prevented from crossing network boundaries?
C800_82
Do HTTP proxies block all inbound scripts and Java applications?
C800_82
Is HTTPS implemented if HTTP is required?
C800_82
Are all TFTP sessions blocked?
C800_82
Is FTP used when it is authenticated with a multifactor passcode and encrypted in a
tunnel?
C800_82
Are secure FTP and secure copy employed whenever possible?
C800_82
Is telnet prohibited or only used inbound from the corporate network with a token-based
multifactor password and encrypted tunnel?
C800_82
Are outbound telnet sessions allowed only over encrypted tunnels to specific devices?
C800_82
Is SMTP not used for inbound mail and only used for outbound alert messages?
C800_82
C800_82
C800_82
C800_82
C800_82
Is SNMP V1 or V2 used over a secured management network or is SNMP V3 used with the
security features built-in?
Is the DCOM protocol used only between the control network and the DMZ networks and
is the protocol between the DMZ and the corporate network explicitly blocked?
Are DCOM port ranges restricted by making registry modifications on devices using
DCOM?
Is MODBUS/TCP, Ethernet/IP or DNP317 only used within the control network and
explicitly not allowed on the corporate network?
Is the use of NAT carefully reviewed before deployment?
�1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
C800_82
Are multicast protocols with IGMP used when using multiple LANs?
C800_82
Are "loss of communications" and the appropriate fail-safe process defined?
C800_82
Is an appropriate fail-safe process executed upon the loss of communications?
C800_82
Is MAC address locking implemented to prevent man-in-the-middle attacks?
C800_82
Are statically coded ARP tables implemented on capable devices?
C800_82
Is the system monitored for ARP poisoning? (i.e., corrupting host tables.)
C800_82
Are VLANs effectively deployed, with each automation cell assigned to a single VLAN to
limit unnecessary traffic and allow network devices on the same VLAN to span multiple
switches?
C800_82
Are VLANs configured to prohibit VLAN hopping?
C800_82
Are modems used in the callback mode?
C800_82
Are modems physically identified for control room operators to monitor?
C800_82
C800_82
Are modems disconnected when not in use, and is there a timeout after a fixed period of
inactivity?
Do mesh networks use broadcast key versus public key management implemented at OSI
Layer 2 (data link)?
C800_82
Is asymmetric cryptography used to perform administrative functions, and is symmetric
encryption used to secure each data stream as well as network control traffic?
C800_82
Is an adaptive routing protocol used if the devices are used for wireless mobility?
C800_82
C800_82
Is the convergence time of the network as fast as possible supporting rapid network
recovery in the event of a failure or power loss?
Are VPN devices thoroughly tested to verify that the technology is compatible with
applications being used?
�1533
1534
Communication
Protection
Communication
Protection
C800_82
Are VPN devices tested to ensure they do not unacceptably affect network traffic?
C800_82
Are firewalls deployed between the control system and corporate network?
Do firewalls provide minimum connections to the corporate network such that the
control system network can be severed from the corporate network in times of serious
cyber incidents?
Are sophisticated security implementations used between the control system and
corporate networks?
Is a firewall used in front of a router to implement logical network separation from the
corporate network?
1535
Firewall
C800_82
1537
Firewall
C800_82
1538
Firewall
C800_82
1539
Firewall
C800_82
1540
Firewall
C800_82
1541
Firewall
C800_82
1542
Firewall
C800_82
1543
Firewall
C800_82
1544
Firewall
C800_82
1545
Firewall
C800_82
1546
Firewall
C800_82
1547
Firewall
C800_82
1548
Firewall
C800_82
Are outbound packets from the control network or DMZ allowed only if those packets
have a correct source IP address that is assigned to the control network or DMZ devices?
1549
Firewall
C800_82
Are control network devices prohibited to access the Internet?
Is there a DMZ with paired firewalls and are firewalls from different manufacturers used?
Have communications delays been thoroughly analyzed and accounted for with the
control system firewall implementation?
Are firewall operations monitored to ensure that the firewall is performing its data
collection tasks, and are the firewalls monitored on a real-time basis for rapid response to
cyber incidents?
Have all issues of firewall implementation been thoroughly considered such as the lack of
experience in design of rule sets and the configuration of management issues associated
with rule-set updates and deletions?
Do the firewall rules provide source and destination filtering in addition to TCP and UDP
port filtering and ICMP type and code filtering?
Are all "permit" rules both IP address and TCP/UDP port specific and stateful (e.g., deep
packet filtering and inspection), if appropriate?
Do all rules restrict traffic to a specific IP address or range of addresses?
Is any protocol allowed between the control network and DMZ explicitly prohibited
between the DMZ and corporate networks (and vice versa)?
Is all outbound traffic from the control network to the corporate network source and
destination restricted by service and port?
�1550
Firewall
C800_82
Is all firewall management traffic carried on either a separate, secured management
network or over an encrypted network with multifactor authentication?
1551
Firewall
C800_82
Is firewall management traffic restricted by IP address to specific management stations?
1552
Firewall
C800_82
1553
Firewall
C800_82
1554
Firewall
C800_82
1555
Firewall
C800_82
1556
Firewall
C800_82
1557
Firewall
C800_82
1558
Firewall
C800_82
1559
Access Control
C800_82
1560
1561
1562
1563
1564
1565
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Audit and
Accountability
C800_82
Are firewalls implemented to enforce security policy based on secure authentication of all
users or processes seeking to gain access to the ICS network?
Do firewalls enforce destination authorization based on user?
Do firewalls record information flow for traffic monitoring, analysis, and intrusion
detection?
Are firewalls used to implement operational policies such as prohibition of email and
permitted use of easy-to-remember usernames and group passwords?
Is a stateful firewall implemented between the control system network and the corporate
network and configured to deny all traffic except that which is explicitly authorized?
Do firewalls inspect packets at the application layer and filter traffic based on specific
application rules?
Are firewalls implemented to block all communications with the exception of specifically
enabled communications between devices on the unprotected LAN and protected control
system networks?
Are other cryptographic solutions such as cryptographic hashes considered in place of
storing encrypted user passwords and authentication tokens?
Is encryption at OSI Layer 2 (data link) considered/implemented rather than at Layer 3
(network) to reduce latency?
C800_82
Are record size increases considered with the use of encryption before deployment?
C800_82
Are key management issues considered before deployment of encryption?
C800_82
Are passwords encrypted in transit?
C800_82
Are the security auditors aware of the risks and consequences involved in testing the
control system?
Remote Access Control C800_82
Are users accessing the control network from remote networks required to authenticate
using an appropriately strong mechanism such as token-based authentication?
�1566
1567
1568
1569
1570
1571
Remote Access Control C800_82
Communication
Protection
Training
Communication
Protection
Policies & Procedures
General
Policies & Procedures
General
C800_82
Is the noncontrol network traffic kept to the absolute minimum on an ICS network?
C800_82
Is feedback from the security awareness training used in revising the security plan?
C800_82
Is encryption used for device to device communication?
Cfats
Are there documented and distributed cybersecurity policies, procedures, or plans?
Cfats
Are there documented and distributed change management policies, procedures, or
plans?
Is the sharing of accounts prohibited?
1572
Account Management
Cfats
1573
Account Management
Cfats
1574
Monitoring & Malware Cfats
1575
1576
1577
Audit and
Accountability
Audit and
Accountability
Incident Response
Are users required to authenticate a second time at the control network firewall using a
strong mechanism such as a token based multi-factor authentication scheme?
Are IT management, systems administration, and IT security duties divided among three
different individuals?
Are networks monitored in near real time for unauthorized access or the introduction of
malicious code?
Cfats
Are logs reviewed on a daily basis?
Cfats
Are alerts responded to in a timely manner?
Cfats
Is the cyber incident response capability 24 × 7 × 365?
Is the safety instrumented systems (SIS) in the facility with control systems configured so
that they have no unsecured remote access and cannot be compromised through direct
connections to the systems managing the processes they monitor?
1578
Safety Instrumented
System (SIS)
Cfats
1579
Configuration
Management
Cfats
1580
Audit and
Accountability
Cfats
1581
Audit and
Accountability
Cfats
Is there a cohesive set of network/system architecture diagrams and other
documentation including nodes, interfaces, and information flows?
Are audits conducted at periodic intervals to determine whether the security objectives,
measures, processes, and procedures conform to the identified information security
requirements?
Are audits conducted at periodic intervals to determine whether the security objectives,
measures, processes, and procedures are effectively implemented and maintained?
�1582
1583
Audit and
Accountability
Audit and
Accountability
Cfats
Cfats
1586
Account Management
1587
Management Practices Components
Are administrative default accounts, Administrator or root, renamed?
1588
Securing the
Component
Are all sample applications, toolkits, SDKs and unused virtual directories removed?
1589
Management Practices Components
1590
Securing Content
Components
1591
Logging
Components
1592
System Protection
Components
1593
Password
Securing the
Component
Components
1596
Logging
Components
1597
Management Practices Components
1598
Securing the
Component
1599
Management Practices Components
1600
1601
1602
Securing Content
Logging
Password
1603
Management Practices Components
1594
Components
Are audits conducted at periodic intervals to determine whether the security objectives,
measures, processes, and procedures perform as expected?
Are system audit records reviewed and analyzed on a periodic frequency, and are findings
reported to officials?
Components
Components
Components
Components
Components
Components
Are accounts locked after a defined number of failed login attempts?
Are all unused, accounts, groups, and sites removed, e.g., Guest, Guests?
Are code reviews performed by a change committee and/or peer group to ensure there
are no security or performance issues?
Are events, such as failed login attempts and failed file system actions, logged?
Are host-based Intrusion Detection Systems (IDSs) used to alert administrators of
anomalies?
Are password defaults changed?
Are portable media, such as CD-ROM drives, DVDs, floppy drives, or USBs, disabled or
limited for use only by system administrators?
Are system administrators automatically notified of potential security threats, e.g., failed
login attempts, failed file system activity, and malformed URL requests?
Are test and development servers located on a different network segment than the
production servers?
Are the OS and server located in separate logical or physical partitions from each other?
Are user and administrator account permissions/access based on least privilege
principles?
Do application errors return a generic message rather than a detailed error?
Do logs get archived securely on another host for offline analysis?
Does corporate policy support and enforce strong administrator and user passwords?
Does frequent and regular manual and/or automated security testing occur?
�1604
1605
1606
Password
Policies & Procedures
General
Policies & Procedures
General
Components
Does the company have and enforce a policy for altering user and administrator
passwords on a regular interval?
Components
Does the company have and enforce a policy for locking out inactive user sessions?
Components
Does the company have and enforce a policy for periodically applying security patches?
1607
Firewall
Components
1608
Firewall
Components
1609
User Authentication
Components
1610
Securing Content
Components
1612
Policies & Procedures
General
Firewall
1613
Firewall
Components
1614
Securing Content
Components
1615
Management Practices Components
1611
Components
Components
Does the firewall rule set include a whitelist of approved users access, e.g., IP address
restrictions, all others are refused?
Does the firewall support Denial of Service (DoS) protection?
Does the system utilize an authentication mechanism such as Active Directory, LDAP, or a
Kerberos server?
Has third-party code and applications been reviewed and approved by an authorized
manager or committee?
Have all folder/file shares been reviewed and removed if not needed for critical
processing?
Have default ports been reviewed and modified to restrict noncritical traffic?
Have open ports been reviewed and closed if they do not support critical business
communications?
Have web servers, not designed for confidential information, been audited to ensure that
business sensitive or personal information is not stored on the system?
Is an access banner displayed on computers providing notice that unauthorized use of the
equipment may result in disciplinary action?
1617
Policies & Procedures
General
Securing Content
1618
Physical Access
1619
Remote Access Control Components
1620
Remote Access Control Components
Is remote access user, access list, and where possible remote client restricted?
1621
1622
1623
Securing Content
Password
Securing the System
Is sensitive content isolated from other content?
Passwords are not allowed to be reused?
Does the device sync system time to an accurate and reliable clock?
1616
Components
Is anti-malware software installed, running, and updated based on corporate policy?
Components
Is delivery of business sensitive or personal information restricted to https only?
Are critical servers (domain controllers, application servers, PBX, video management
systems) physically secure from unauthorized access? (i.e. located in a locked room)
Is remote access restricted to secure means only, such as AD secured, SSH, or 802.1X, and
insecure methods such as VNC or telnet prohibited?
Components
Components
Components
Components
�1624
Securing Content
1625
Management Practices Components
Are all sample database, toolkits, and SDKs removed?
1626
Securing the
Component
Components
Are all services and processes not required by the application turned off, for example,
FTP, POP3, SMTP, and VNC?
1627
Account Management
Components
Are all unused, accounts, groups and databases removed, e.g., Guest, Guests?
1628
Access Control
Components
1629
Management Practices Components
1630
1631
1632
Securing Content
Securing Content
Access Control
Securing the
Component
Components
Components
Components
1634
Boundary Protection
Components
1635
Access Control
Components
1636
Management Practices Components
1637
1639
1640
1641
Securing Content
Securing the
Component
Firewall
Securing Content
User Authentication
1642
Management Practices Components
1643
Encryption
Communication
Protection
1633
1638
1644
1645
Components
Components
Components
Components
Components
Components
Components
Components
Components
Management Practices Components
Are ad hoc queries disabled on production systems?
Are application developers only given rights needed to develop applications and not full
administrative permissions?
Are audits performed on a regular basis as defined by corporate policy for potential
security and permission violations?
Are database backups stored securely, e.g., password protected and/or encrypted?
Are database communications secured, e.g., via SSL?
Are individual users denied Data Definition Language (DDL) permissions?
Are nonessential and unused administrative stored procedures, such an email or
command shell, disabled?
Are public facing servers placed in a DMZ? In other words, behind a firewall with an
additional firewall between that and any systems on the internal network?
Are stored procedure permissions granted to roles only, e.g., not users?
Are the OS, database, and logs located in separate logical or physical partitions from each
other?
Are unused link servers disabled?
Are passwords or other sensitive server information removed from scheduled jobs,
scripts, or queries? (particularly those in plain text format)
Have database ports been set to nonstandard values, e.g., not 1433, 1521, or 3306?
Have default accounts such as Guest or Public been denied object permissions?
Is authentication via secure means, SSL or SSH only?
Is the database hosted on a dedicated server? In other words, are file, print, or Web
servers capabilities hosted on separate physical or virtual servers?
Are components or services that use clear text turned off or uninstalled?
Are private VLANs, known as protected ports, used to secure sensitive communication
over public or unsecure circuits?
Are users required to take security training before accessing the system?
�1646
1649
1650
System Protection
Policies & Procedures
General
Securing the
Component
Securing Content
Encryption
1651
Management Practices Components
1652
Management Practices Components
1653
Boundary Protection
Policies & Procedures
General
Policies & Procedures
General
Components
Are all personal firewalls, those that are hosted on workstations and laptops, centrally
administered?
Are loose and strict source routing blocked and logged?
Components
Does the company have and enforce a policy for backing up firewall configurations?
1656
Boundary Protection
Components
1657
1658
Boundary Protection
Boundary Protection
Components
Components
1659
Boundary Protection
Components
1660
Boundary Protection
Components
Is direct external traffic, traffic from the Internet, to critical servers blocked by default?
1661
Boundary Protection
Components
Is traffic to your e-mail server only allowed via a specific protocol and port?
1662
Management Practices Components
Are annual audits performed to ensure that wireless devices have not been lost or stolen?
1663
Encryption
Securing the
Component
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Are device backups encrypted?
Are devices labeled with the company name, address, and phone number in case the
device is lost?
1647
1648
1654
1655
1664
1665
1666
Components
Do you employ an Intrusion Prevention System (IPS)?
Components
Does the company have and enforce a policy for backing up critical software and data?
Components
Components
Components
Components
Components
Components
Is a robust Uninterruptible Power Supply (UPS) utilized to minimize the impact of a power
loss?
Is access to internal Web sites restricted to https?
Are data communications to and from the node encrypted?
Does system access require two factor authentication?
Does the company have and enforce a policy for locking out inactive administrator
sessions?
Has the egress firewall rules for the outbound traffic from the control network been
reviewed and implemented?
Have rule sets been reviewed for appropriate order?
Have state tables been reviewed?
Is all incoming and outgoing ICMP traffic denied except where specifically permitted by
your organization?
Components
Are handheld devices stored in a secure location when not in use?
Components
Are IR and Bluetooth capabilities disabled?
�1668
Portable/Mobile/Wirel
Components
ess
Physical Access
Components
1669
Management Practices Components
Are users prohibited from storing sensitive information on handheld devices?
1670
Portable/Mobile/Wirel
Components
ess
Do handheld devices have a power on PIN code or password?
1671
Policies & Procedures
General
Components
Does the company have and enforce a policy for disposing of devices, which include
clearing permanent storage, such as hard drives, so that the data cannot be recovered?
1672
Management Practices Components
Does the company have and enforce a policy for performing periodic inventory checks?
1673
Management Practices Components
Does the organization keep a list of authorized device users?
1674
Management Practices Components
Does training include how to safely store devices when not in use?
1675
Management Practices Components
Does training include proper password selection?
1676
Management Practices Components
Does training include the approved uses for company devices?
1677
Management Practices Components
Does training include the type of information that the devices may store?
1678
Management Practices Components
Does training include the type of programs that can be installed?
1667
1679
1680
1681
1682
1683
Securing the
Component
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Securing the
Component
Are personal firewalls installed on handheld devices?
Are there physical access controls within buildings?
Components
Have the default “out-of-the-box” security settings been reviewed and modified?
Components
Is antivirus software installed on a handheld wireless device?
Components
Is business sensitive information stored on a handheld device encrypted?
Components
Is desktop application-mirroring software password protected?
Management Practices Components
Is there a disciplinary process that is enforced if a user misuses a device, and are users
made aware of this process during their security training?
�1684
Management Practices Components
1685
Management Practices Components
1686
1687
1688
1689
Securing the System
Securing the System
Securing the System
Securing the System
Components
Components
Components
Components
1690
Securing the System
Components
1691
Logging
Components
1692
1693
1694
1695
1696
1697
1698
1699
Securing the System
Securing the System
Securing the System
Securing the System
Securing the System
Securing the System
Securing the System
Securing the System
Components
Components
Components
Components
Components
Components
Components
Components
Is there a process to report lost or stolen devices, and are users made aware of this
process during their security training?
Is wireless security training required of users before being issued a company handheld
wireless device?
Are events logged and alerts issued if attack signatures are detected?
Are events logged and alerts issued if common attack profiles are detected?
Are events logged and alerts issued if protocol anomalies are detected?
Are events logged and alerts issued if tcp and udp port scans are detected?
Does administration, log transfers, and system updates to and from the device occur
using secure protocols, such as HTTPS, SSH, SFTP, SNMPv3, and are all unsecure, clear
text, communications disabled?
Does logging include, but is not limited to, critical host file changes, unauthorized and
authorized client connection activity, and ad-hoc network creation?
Does the IDS include anomaly-based detection capabilities?
Does the IDS include host-based intrusion detection (HIDS) capabilities?
Does the IDS include network intrusion detection (NIDS) capabilities?
Does the IDS include root kit detection and mitigation?
Does the IDS include Signature-Based detection capabilities?
Does the IDS include stack-based detection (SIDS) capabilities?
Does the IDS include the ability to stop or mitigate known attack types?
Does the IDS issue timely alerts if system anomalies occur?
1700
Securing the System
Components
Does the IDS monitor its health and performance and issue alerts if there are problems?
1701
Securing the System
Components
1702
1703
1704
1705
1706
1707
1708
Securing the System
Securing the System
Securing the System
Securing the System
Securing the System
Securing the System
Securing the System
Components
Components
Components
Components
Components
Components
Components
Does the wireless network include wireless intrusion detection system (WIDS)
capabilities?
Does the IPS include Anomaly Based prevention capabilities?
Does the IPS include host-based intrusion prevention (HIPS) capabilities?
Does the IPS include network behavior analysis (NBA) capabilities?
Does the IPS include network intrusion prevention (NIPS) capabilities?
Does the IPS include root kit prevention and mitigation?
Does the IPS include Signature-Based prevention capabilities?
Does the IPS include the ability to stop or mitigate known attack types?
1709
Securing the System
Components
Does the IPS monitor its health and performance and issue alerts if there are problems?
�1710
Securing the System
Components
1711
Securing the System
Components
1712
Management Practices Components
Are all login accounts except “root" removed?
1713
1714
Encryption
Encryption
Components
Components
1715
Encryption
Components
1716
Encryption
Securing the
Component
Components
Are cryptographic keys changed periodically?
Are cryptographic keys distributed according to recognized standards?
Are cryptographic keys generated in accordance with a specified algorithm and key size
using recognized standards?
Are cryptographic keys managed according to recognized standards?
Components
Are file transfers disabled?
1717
Does the IPS provide timely alerts if system anomalies occur?
Does the wireless network include wireless intrusion prevention system (WIPS)
capabilities?
1718
Management Practices Components
Does the company have and enforce a remote access policy which is verified through
assessments?
1720
Encryption
Components
Has the link encryption been confirmed to meet company or external security standards?
1721
Securing the
Component
Components
Is only confirmed trustworthy software allowed to be executed?
1722
Remote Access Control Components
Is remote command execution disabled?
1723
Remote Access Control Components
Is remote login disabled?
1724
Logging
Are all incoming connections logged?
1725
Management Practices Components
Are modems configured based on a corporate policy?
1726
Remote Access Control Components
Are modems, DSL, or other network backdoor access points for third party vendors or
partners disabled when not needed?
1727
Remote Access Control Components
Are remote dial access numbers periodically changed?
1728
Remote Access Control Components
Do you use a different range of phone numbers for the office than the IDS modem pool?
1729
Management Practices Components
Does the login screen display banner information according to corporate security
policies?
Components
�1730
Remote Access Control Components
Is a telecom firewall implemented?
1731
Remote Access Control Components
Is auto answer disabled on modems when not needed?
1732
Logging
Is the callback option enabled?
1733
Remote Access Control Components
Modems are not attached to any type of server?
1734
1735
Securing Content
Encryption
Securing the
Component
Communication
Protection
Securing Content
Are data removed from the printer disk or memory after a print operation?
Are network printer communications encrypted?
Are network printers, other than those required for continuous control system
operations, locked after a period of user inactivity?
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
Securing the
Component
Securing Content
Access Control
Securing the
Component
Securing the
Component
Securing Content
Securing the
Component
Physical Access
Securing the
Component
Securing Content
Firewall
Encryption
Management
Components
Components
Components
Components
Components
Are network protocols that aren't being used turned off?
Components
Components
Components
Are printer hard drives encrypted?
Are sensitive communications to the Network Printer protected via a trusted
communication path? NOTE: This also includes FAX ports on multifunction printers. The
FAX ports should be restricted to only FAX-related activities.
Has a job timeout been set?
Have access control lists been implemented?
Components
Have Internet print capabilities, e.g., IPP or FTP, been turned off?
Components
Have you implemented Denial of Service (DoS) protection?
Components
IF the capability exists, has a PIN system been implemented for print authorization?
Components
If the printer has a hard drive, is remote access to the drive disabled?
Components
Is access to internal printer hardware restricted?
Is the Network Printer capable of automatic restart after a service discontinuity, and is
the capability enabled?
On print error, is disk or memory dumped?
Are ports 80 and 443, http and https respectively, closed?
Are optical ring communications encrypted?
Are access rules added, modified, and deleted as business needs change?
Components
Components
Components
Components
Components
Components
�1752
Logging
1754
1755
1756
1757
Policies & Procedures
General
Securing the Router
Securing the Router
Securing the Router
Securing the Router
1758
Securing the Router
1753
1759
1760
1761
1762
1763
1764
1765
1766
Securing the
Component
Securing the
Component
Securing the Router
Password
Safety Instrumented
System (SIS)
Safety Instrumented
System (SIS)
Safety Instrumented
System (SIS)
Safety Instrumented
System (SIS)
Components
Components
Components
Components
Components
Components
Components
Are authentication and administrative events, including enabling and disabling logging,
recorded?
Are firmware patches reviewed and applied in a timely fashion as defined by the
corporate security policy?
Are IP directed broadcasts disallowed?
Are local user accounts disabled on the router?
Are TCP & UDP small services disallowed?
Are the device's incoming packets sourced with invalid addresses disallowed?
Do routers use an authentication service (i.e. TACACS+, Kerberos, LDAP) for all user
authentications?
Components
If SNMP is not used, are SNMP community strings erased and the service disabled?
Components
Is IP source routing disallowed?
Components
Components
Is remote access to routers restricted to SSH, e.g., no telnet?
Is the enabled password on the device kept in a secure encrypted format?
Does the Safety Instrument System (SIS) have its own inputs and actuators, separate from
the industrial control system (ICS)?
Components
Components
Has a hazard operations study to determine SIL (Safety Integrity Level) been performed?
Components
Has a review been conducted to ensure that all components are designed to the
determined SIL (Safety Integrity Level)?
Components
Is the SIS isolated from the process control network?
1767
Remote Access Control Components
Are terminal servers NOT installed on any type of domain controller?
1768
Remote Access Control Components
Has an approved application, e.g., white list, been established and implemented?
1769
1770
Management
Encryption
Is a single terminal server devoted to each shared application?
Is communication between clients and the terminal server encrypted?
1771
Remote Access Control Components
Is the terminal server remote control feature disabled?
1772
Securing the
Component
Is the unidirectional device employed certified to a rigorous and reliable standard, for
example, to CC EAL +7?
Components
Components
Components
�1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
Communication
Protection
Securing the
Component
Communication
Protection
Securing the
Component
Communication
Protection
Securing the
Component
Communication
Protection
Communication
Protection
Securing the
Component
Securing the
Component
Communication
Protection
Communication
Protection
Communication
Protection
Access Control
Securing the
Component
Securing the
Component
Securing the
Component
Components
Are local user accounts disabled on the VLAN router?
Components
Are MAC addresses security features implemented?
Components
Has a VLAN ID been dedicated for all trunk ports?
Components
Has Auto-trunking been disabled?
Components
Has Cisco Discovery Protocol (CDP) been disabled?
Components
Has Spanning Tree Attack (STP) mitigation been implemented?
Components
Have Address Resolution Protocol (ARP) security issues been mitigated?
Components
Have all disabled ports been put in an unused VLAN?
Components
Have all unused ports been disabled?
Components
Have dynamic trunk (virtual trunk) features been disabled?
Components
Have switch ports been isolated so that no traffic from other ports can be delivered to an
isolated or private VLAN port?
Components
Is VLAN 1 NOT used for anything?
Components
Is VLAN Trunk Protocol (VTP) used?
Components
Are common user accounts given limited privileges on company-owned computers?
Are email clients configured to prevent automatic loading of remote email images, limit
mobile code execution, default message is plain text, automatic previewing is disabled,
and spam filtering enabled?
Are Instant Messaging (IM) clients configured so that display of email addresses is
suppressed and file transfers are restricted?
Are office productivity suites configured so that macro use is restricted, personal
information is limited, and secured folders are used to store document files?
Components
Components
Components
�1790
1791
1792
1793
1794
1795
1796
Securing Content
Policies & Procedures
General
Policies & Procedures
General
Components
Are only company-owned PCs used for telework or remote access?
Components
Are personal computer firewalls enabled and configured according to company policy?
Components
Are remote access users required to re-authenticate their credentials as stipulated by the
corporate security policy.
Remote Access Control Components
Securing the
Component
Password
Physical Access
Components
Are unneeded networking features disabled?
Components
Components
Are user accounts protected with passwords?
Are user sessions protected from unauthorized physical access?
Are web browsers used for telework configured to restrict cookies, block popups, enable
anti-phishing, remove unneeded browser plug-ins, set a master password to protect
stored information, and run programs with the least privileges possible?
Before disposing of a telework client device or remote access server, does the
organization remove any sensitive data from it?
Does the organization regularly perform operational processes to maintain telework and
remote access security, including deploying updates, verifying clock synchronization,
reconfiguring access control as needed, and detecting and documenting anomalies within
the remote access infrastructure?
1797
Policies & Procedures
General
Components
1798
Policies & Procedures
General
Components
1799
Management Practices Components
1805
1806
1807
Policies & Procedures
General
Securing Content
Policies & Procedures
General
Policies & Procedures
General
Portable/Mobile/Wirel
ess
Management
Securing Content
Securing Content
1808
Access Control
1800
1801
1802
1803
1804
Are remote sessions disconnected after 30 minutes of inactivity?
Components
Is a different brand of Web browser used for telework?
Components
Is disk storage encrypted on the telework devices?
Components
Is remote access software configured according to the company's security policies?
Components
Is the use of remote access utilities stipulated and enforced based on the corporate
security policy?
Components
Is wireless networking configured to automatically connect to available networks?
Components
Components
Components
Is workstation content filtering software installed and enabled?
Are any folders given execute and write permissions?
Are CGI execute permissions restricted to only those folders that require them?
Are read/write permissions denied to files and folders that do not require these
permissions?
Components
�1809
1810
1811
Management
Securing the
Component
Policies & Procedures
General
Components
Are the Operating System (OS) and applications, data and database, and logs loaded on
separate logical or physical partitions?
Components
If there is no file extension, does the system return a 404 error?
Components
1812
Remote Access Control Components
1813
User Authentication
Components
1814
Securing Content
Components
1815
Communication
Protection
Components
1816
Management Practices Components
1817
Management Practices Components
1818
Securing Content
Components
1819
Securing Content
Components
1820
1821
Portable/Mobile/Wirel
Components
ess
Portable/Mobile/Wirel
Components
ess
1822
Communication
Protection
Components
1823
Securing Content
Components
1824
Management Practices Components
Is read/write ability restricted to only those services and processes that require this
access?
Is remote user access restricted, e.g., no remote root login, restricted remote access list,
and where possible restricted remote client?
Is Web-based authentication via SSL or TLS only?
Are “dual connected” devices, such as computers that have both wireless and hardwire
connectivity, prohibited?
Are Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES) used
with a minimum key length of 128 bits to secure wireless routers?
Are there standardized security configurations for client devices and access points?
Does the company have and enforce a policy for performing security assessments of the
organization’s wireless network on a regular basis?
For those “dual connected” devices that are approved, have software-based controls that
permit either wireless or wired network access, but not both simultaneously, been
installed?
For those devices that are not approved for wireless access, has the BIOS been configured
so that wireless connections are automatically terminated when a wired connection is
detected?
Has the default SSID wireless router name been changed?
Has the Service Set Identifier (SSID) broadcast been disabled on the wireless router?
Is either the Extensible Authentication Protocol-Fast Authentication via Secure Tunneling
(EAP-FAST), Protected Extensible Authentication Protocol (PEAP), or Extensible
Authentication Protocol-Translation Layer Security (EAP-TLS) used as the authentication
protocol?
Is interference between wireless access deployments avoided?
Is the wireless network installed, supported, and maintained by an approved support
team?
�1825
Securing Content
Components
Is there a separate wireless network for visitors to use?
Is wireless access based on a list of hardware addresses (MAC address) that can be
registered and tracked?
Is wireless security configuration implementation and maintenance standardized,
automated, and centralized?
1826
Securing Content
Components
1827
Management Practices Components
3443
Account Management
Components
Are Active Directory domains used to restrict or allow user or group permissions?
3444
Account Management
Components
Do you use Active Directory to enforce authentication policies? (e.g. password
complexity, lockout on failed attempts, password expiration)
3445
Remote Access Control Components
Have you audited and eliminated backdoor remote access connections?
3446
Account Management
Components
Have Active Directory DNS administrators groups been set up to manage DNS?
3447
Account Management
Components
3448
Boundary Protection
Components
3449
Account Management
Components
3451
Password
Components
3452
Account Management
Components
3455
Management Practices Components
3456
Management Practices Components
3457
Boundary Protection
Components
3458
Account Management
Components
3459
Management Practices Components
Are the DNS administrators groups and users placed into a designated Organizational Unit
(OU) with appropriate Group Policy applied?
Is the DNS server co-located with the AD server? (i.e., not across a WAN or slow-speed
link).
Are Active Directory permissions configured to be compatible ONLY with the version of
Windows used?
Are robust passwords (e.g., length, complexity) used to access administrator accounts?
Have domain administrators (members of the Domain Admins group and the built-in
Administrator account) been limited to a small, controlled group?
Is the Active Directory SYSKEY stored externally (i.e. USB, CD, etc.) rather than on the local
hard drive?
Is there a backup domain controller available if the primary domain controller fails?
Have separate Active Directory domains been created to separate security or
administrative functions (e.g. separate domains for corporate and ICS networks)?
Have all default user and computer objects been moved into OUs with the correct
permissions?
Have you implemented an Active Directory policy to log changes to security
configurations and failed attempts to access system resources?
�3460
System and
Communications
Protection
Components
3461
Recover
Components
3462
Password
Components
3463
System Integrity
Components
3467
Boundary Protection
Components
3468
Password
Components
3469
3470
3471
3473
3475
3476
3478
3480
3481
System and
Communications
Protection
Audit and
Accountability
Audit and
Accountability
Access Control
Configuration
Management
Communication
Protection
System and
Communications
Protection
Audit and
Accountability
System and
Communications
Protection
Has the network traffic for group policy object (GPO) refresh, password changes, and
time synchronization been evaluated for network loading?
Is there a current active directory object map to perform an authoritative restore in case
an object is maliciously deleted?
Has the Directory Services Restore Mode (DSRM) password been set utilizing robust
passwords (e.g., length, complexity)?
Are you using a DNS server?
Are system components (IP cameras, PBX, domain controllers, servers, modems,
switches, routers, etc.) protected from external networks by a firewall?
Have default user names and passwords for system components (IP cameras, PBX,
domain controllers, servers, modems, switches, routers, etc.) been changed utilizing
robust passwords (e.g., length, complexity)?
Components
Is security camera traffic properly secured when routed over an unsecured network (e.g.
Internet)?
Components
Is video storage protected from power interruptions?
Components
Are IP cameras included in the system component audit?
Components
Do you have any access agreements (formal or informal) for third party access to your
telephone (PBX) system?
Components
Is port security used on the VoIP Network particularly publicly accessible jacks?
Components
Are IP phones and PBX secured behind a VoIP ready firewall?
Components
Are voicemail messages and unified communications physically secure from unauthorized
access? (ex: located in a locked room with limited access.)
Components
Are VoIP handsets included in system audits?
Components
Is voice and data traffic separated?
�3482
Remote Access Control Components
Are VPN tunnels used to secure remote access connections outside of the facility?
3483
Encryption
Components
3484
System Integrity
Components
3485
Physical Access
Components
3486
Password
Components
3487
Encryption
Configuration
Management
Configuration
Management
Configuration
Management
System Integrity
Components
Does your VoIP system encrypt phone calls?
Do you deploy patches for your VoIP equipment, including firmware updates on the
handsets themselves?
Are critical network components (modems, switches, routers, firewalls) physically secure
from unauthorized access? (i.e. located in a locked room)
Have default user names and passwords for administration been changed utilizing robust
password guidelines (e.g., length, complexity)?
Has WPA2 been implemented as the encryption type?
Components
Has the default SSID been changed?
Components
Has MAC address filtering been enabled?
Components
Has SSID broadcasting been disabled according to company policy?
Components
Do you have procedures in place for patch deployment, including firmware updates?
Does the organization require the developer of the information system, system
component, or information system service to execute procedures for ensuring that
security-relevant hardware, software, and firmware updates distributed to the
organization exactly as specified by the master copies?
3488
3489
3490
3491
3841
System and Services
Acquisition
DODI_8510
3842
System and Services
Acquisition
DODI_8510
3843
3844
3845
3846
3847
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
Does the organization use independence criteria to verify if an independent assessor has
implemented a correct assessment plan and collected related assessment evidence?
Does the organization require the developers of the system, system components, or
system services to test software against organizationally-defined criteria?
Does the organization require the developer of the system to perform attack surface
reviews?
Does the organization require the system developer to verify that the security testing
scope provides complete coverage and depth?
Does the organization conduct an assessment of the system prior to selection,
acceptance, or update?
Does the organization use all-source intelligence analysis of suppliers of the system,
system component, or system service?
�3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
DODI_8510
3861
System and Services
Acquisition
DODI_8510
3862
System and Services
Acquisition
DODI_8510
3863
System and Services
Acquisition
DODI_8510
Does the organization use Operations Security (OPSEC) safeguards to protect supply chainrelated information for the system, components, or services?
Does the organization implement security safeguards to validate that the system or
component is genuine?
Does the organization establish agreements and procedures with supply chain
organizations that provide systems, components, or services?
Does the organization employ security safeguards to ensure an adequate supply of
system components?
Does the organization establish identification of supply chain elements, processes, and
actors for system, components, or services?
Does the organization create a process to fix deficiencies in supply chain elements that
have been identified during an assessment?
Does the organization require the developer of the information system, component, or
service to define quality metrics at the beginning of the development process?
Does the organization require the developer of the system, component, or service to
validate quality metrics on a defined frequency or upon delivery?
Does the organization require the developer of the system to select and deploy a security
tracking tool for use during development?
Does the organization require the developer of the system to perform criticality analysis
in the system development life cycle?
Do developers perform threat modeling and vulnerability analysis for the system using
organizational parameters, tools, methods, and evidence?
Does the organization require the developer of the system to reduce attack surfaces to
company defined thresholds?
Does the organization require the developer of the system to implement an explicit
process to continuously improve the development process?
Does the organization require the developer of the system to perform automated
vulnerability analysis, determine exploitation potential, determine potential risk
mitigation, and deliver results to company defined roles?
Does the organization require the developer of the system to use threat modeling and
vulnerability analyses on similar systems as guidance for the current development
process?
Does the organization require the developer of the system to provide an incident
response plan?
�3864
System and Services
Acquisition
DODI_8510
3865
System and Services
Acquisition
DODI_8510
3866
System and Services
Acquisition
DODI_8510
3867
System and Services
Acquisition
DODI_8510
3868
System and Services
Acquisition
DODI_8510
3869
System and Services
Acquisition
DODI_8510
3870
System and Services
Acquisition
DODI_8510
3871
System and Services
Acquisition
DODI_8510
3872
System and Services
Acquisition
DODI_8510
3873
3874
3875
3876
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
DODI_8510
DODI_8510
DODI_8510
DODI_8510
Does the organization require the developer of the system to produce a formal security
policy model that is consistent and sufficient when elements are implemented?
Does the organization require the developer of the system to define security-relevant
elements and provide a rational that it is complete?
Does the organization require the developer of the system to produce formal
specifications for security-relevant interfaces to the system and provide proof that it is
consistent with the formal policy model?
Does the organization require the developer of the system to demonstrate that the
formal top-level specification completely covers the security-relevant interfaces and that
it is an accurate description?
Does the organization require the developer of the system to describe the securityrelevant elements not addressed in the formal top-level specification? (i.e. internal
security-relevant elements)
Does the organization require the developer of the system to produce informal
specifications for security-relevant interfaces to the system and that it is consistent with
the formal policy model?
Does the organization require the developer of the system to demonstrate that the
descriptive top-level specification completely covers the security-relevant interfaces and
that it is an accurate description?
Does the organization require the developer of the system to describe the securityrelevant elements not addressed in the formal top-level specification?
Does the organization require the developer of the system to structure security-relevant
hardware, software, and firmware to integrate simple protection mechanisms with fine
configuration granularity?
Does the organization require the developers of the system to structure security-relevant
elements to facilitate testing?
Does the organization implement a tamper protection program for the system?
Does the organization employ anti-tamper technologies and techniques throughout the
system development life cycle?
Does the organization inspect systems, components, or devices, regularly or at random in
order to detect tampering?
�3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
System and Services
Acquisition
System and Services
Acquisition
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
DODI_8510
Does the organization have an anti-counterfeit policy and procedure and is it effective at
preventing counterfeit components from entering the system?
DODI_8510
Is justification provided for continued use of an unsupported component in the system?
DODI_8510
Does the system audit the identity of internal users associated with denied
communications?
DODI_8510
Does the organization prevent unauthorized physical connections across the boundary
protections?
DODI_8510
Does the system route all remote accesses through a managed interface for access
control and auditing?
DODI_8510
If the boundary protection device fails does the system fail in a secure mode?
DODI_8510
Does the system block both inbound and outbound traffic between all clients
independently configured by end users and external service providers?
DODI_8510
Does the system isolate or segregate organization defined system components from
other components of the system as needed?
DODI_8510
Does the organization use boundary protection mechanisms to separate system
components?
DODI_8510
Does the system obscure feedback of protocol format validation failures?
DODI_8510
Does the system employ techniques to randomize or conceal communication unless
otherwise protected by physical mechanisms?
DODI_8510
Does the system provide a trusted communication path that is identifiable from other
paths?
�3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
DODI_8510
Are systems configured to prohibit remote activation of collaborative computing (e.g., IM,
video conferencing) and is there an indication of use to the local user?
DODI_8510
Does the system identify who is present in all VTC and IP based online meetings?
DODI_8510
Does the system prevent the download and execution of unacceptable mobile code as
defined by mobile code requirements?
DODI_8510
Does the system allow the use of certificate authorities for verification of the session?
DODI_8510
Does the system protect the confidentiality and integrity of all nonpublic information?
DODI_8510
Does the system implement cryptography to prevent disclosure and modification of all
information outside of organization facilities?
DODI_8510
Are concealment and misdirection techniques used to confuse and mislead adversaries
used in protecting the system at an organization defined time period?
DODI_8510
Are organizational techniques used to introduce randomness into organizational
operations and assets?
DODI_8510
Does the organization change location of processing and storage at organization defined
time intervals?
DODI_8510
Does the organization reduce bandwidth for identified covert channels or storage to
organizationally-defined values?
DODI_8510
Does the organization protect the integrity of information prior to and after storage on
read-only media?
�3900
3901
3902
3903
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
System and
Communications
Protection
DODI_8510
Does the organization employ hardware based protection of system firmware
components?
DODI_8510
Does the organization ensure that only organization individuals or system can receive the
information, system components, or devices?
DODI_8510
Does the system use cryptographic mechanisms to protect from intentional
electromagnetic interference?
DODI_8510
Does the system use cryptographic mechanisms to reduce the detection potential of
wireless links?
3904
System and
Information Integrity
DODI_8510
Does the organization install security-relevant software and firmware updates within 30
days or according to organizational policy?
3905
System and
Information Integrity
DODI_8510
Does the system detect, audit, and prevent execution of unauthorized commands at a
console?
3906
System and
Information Integrity
DODI_8510
Does the system employ security measures to authenticate remote commands?
3907
System and
Information Integrity
DODI_8510
Does the organization use tools and techniques to analyze malicious code and uses the
results to enhance incident response and flaw remediation processes?
3908
System and
Information Integrity
DODI_8510
Does the organization analyze outbound communications at the boundary and interior of
the system to detect covert exfiltration?
3909
System and
Information Integrity
DODI_8510
Does the organization implement additional monitoring of new users?
3910
System and
Information Integrity
DODI_8510
Does the system monitor for unauthorized network services and alerts organization
defined personnel when found?
�3911
System and
Information Integrity
DODI_8510
Are host-based monitoring mechanisms at system components implemented?
3912
System and
Information Integrity
DODI_8510
Does the system perform integrity checks of software, firmware, and data at startup or at
intermediate states or security events on an organizationally-defined frequency?
3913
System and
Information Integrity
DODI_8510
Upon detection of an integrity violation, does the system perform actions to document
the event and notify organizational personnel?
3914
System and
Information Integrity
DODI_8510
Is the integrity of boot firmware in defined devices protected?
3915
System and
Information Integrity
DODI_8510
Is spam protection automatically updated by the system?
3916
System and
Information Integrity
DODI_8510
Does the system check all external facing application software inputs that might receive
an exploit? (e.g., web/application servers, database servers, etc)
3917
System and
Information Integrity
DODI_8510
Is there a manual override on the system that is restricted to authorized users, allows for
input validation and creates audit records when used?
3918
System and
Information Integrity
DODI_8510
Is mean time to failure of system components used in a failure prevention strategy?
3919
System and
Information Integrity
DODI_8510
Are software and data used by system components and services reloaded from
organizational defined sources?
3920
System and
Information Integrity
DODI_8510
Does the system validate information output from software to ensure that it is consistent
with the expected content?
2874
Risk Management and
Assessment
INGAA
Do you implement physical security according to the INGAA AGA document specifically as
it relates to 49 CFR Parts 192 and 193, and according to the pre-TSA document “Security
Practices Guidelines Natural Gas Industry Transmission and Distribution,” revised May
2008?
�2875
System Protection
INGAA
2876
Physical Security
Portable/Mobile/Wirel
ess
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
INGAA
2877
2878
2879
2880
INGAA
INGAA
INGAA
INGAA
Have you established personnel security requirements including security roles and
responsibilities for third-party providers?
Have you established a secure method of monitoring?
Do you audit the use, access, and necessity of these connections, and base its monitoring
and periodic review on company policy?
Is the network infrastructure secured to prevent the unauthorized installation of wireless
technology?
Is the wireless connectivity included in network documentation, policies, and procedures?
Do you, at a minimum, conduct an annual review, reassessment, and update of the
control systems cybersecurity plans in accordance with the operator’s policy?
Where the responsible entity cannot conform to its own cybersecurity policy, do you
document these instances as exceptions, and are they authorized according to company
policy?
Are the criticality classification of cyber assets as defined in Section 3.2 reviewed at least
every 18 months?
Is the methodology used to define critical assets, the classification of critical assets, and
the classification of critical cyber assets reviewed, approved, and documented according
to company policy?
Have you defined a cross-functional cybersecurity team and an operational framework to
ensure coordination, communication, and accountability for information security on and
between the control systems and enterprise networks?
Have you defined information and cybersecurity roles, responsibilities, and lines of
communication among the operations, IT, and business groups, as well as with
outsourcers, partners, and third-party contractors?
Have you established a system and services acquisition policy, procurement standards,
and a process by which potential acquisitions are evaluated against the standards,
including encouraging the vendor to follow software development standards for
trustworthy software throughout the development life cycle?
2881
Risk Management and
Assessment
INGAA
2882
Risk Management and
Assessment
INGAA
2883
Organizational
INGAA
2884
System and Services
Acquisition
INGAA
2885
System and Services
Acquisition
INGAA
2886
Configuration
Management
INGAA
2887
Configuration
Management
INGAA
Does the company develop and document a network security coordination process?
INGAA
Does the network security coordination process include a delineation of roles and
responsibilities associated with coordination, communication, and accountability of
information security on and between the control systems and enterprise networks?
2888
Policies
�Does the network security coordination process define information security coordination
requirements at every step of the systems development life cycle including strategic
planning, design, acquisition, testing, installation, configuration/change management, and
retirement?
Does the cybersecurity team establish and document a framework in accordance with
company policy that defines the security organization and the roles, responsibilities, and
accountabilities of the system owners and users?
2889
Plans
INGAA
2890
Plans
INGAA
2891
Plans
INGAA
2892
Plans
INGAA
2893
Access Control
INGAA
2894
Access Control
INGAA
2895
2896
2897
2898
2899
2900
System Integrity
System Integrity
System Integrity
System Integrity
System Integrity
System Integrity
INGAA
INGAA
INGAA
INGAA
INGAA
INGAA
2901
Configuration
Management
INGAA
Does your procurement standards require that providers of control system services
employ security controls in accordance with applicable laws, Executive Orders, directives,
policies, regulations, standards, guidance, and established service-level agreements?
2902
Continuity
INGAA
Does your procurement standards define oversight and user roles and responsibilities
with regard to external information system services?
2903
Monitoring & Malware INGAA
Does your procurement standards define oversight and user roles and responsibilities
with regard to monitors security control compliance by external service providers?
Does your company ensure the implementation of bi-directional lines of communication
no matter what structure is in place between the systems owners and users?
Are the lines of communication between system owners and users documented and
exercised to test and ensure their effectiveness?
Has the company established a control system and services acquisition policy,
procurement standards, and a process by which potential systems, components, and
service acquisitions are evaluated against the standards, in accordance with company
policy?
Does your company encourage the vendor to follow software development standards for
trustworthy software throughout the development life cycle.
Does your procurement standards include system hardening?
Does your procurement standards include perimeter protections?
Does your procurement standards include account management?
Does your procurement standards include coding practices?
Does your procurement standards include flaw remediation?
Does your procurement standards include malware detection and protection?
�Does the life cycle section of your cybersecurity plan address the incorporation of security
measures and controls into the cyber system design and operation for both new system
creation and legacy system modification?
Does the life cycle section of your cybersecurity plan address mitigation strategies for
security deficiencies found in control system components?
Does the life cycle section of your cybersecurity plan address the implementation of
policies and procedures for the assessment and maintenance of system status and
configuration information including tracking changes made to the control systems
network, and patching and upgrading operating systems and applications?
Does the life cycle section of your cybersecurity plan address the implementation of
policies and procedures for the secure disposal of equipment and associated media?
2904
Monitoring & Malware INGAA
2905
Configuration
Management
INGAA
2906
System Protection
INGAA
2907
Physical Security
INGAA
2908
System Integrity
INGAA
2909
System Integrity
INGAA
2910
Physical Security
INGAA
2911
Monitoring & Malware INGAA
Do all existing practices and procedures include appropriate cybersecurity considerations?
3168
Risk Management and
Assessment
INGAA
3169
Policies
INGAA
3170
Policies
INGAA
3171
Policies
INGAA
3172
Policies
INGAA
Has the organization completed a determination of cyber assets that are classified as
Critical Cyber Assets?
The control system security policy should prohibit the embedding of sensitive passwords
in source code, scripts, aliases, and short-cuts. If necessary, encryption techniques should
be used.
Do you secure your source code to prevent both its unauthorized viewing and
modification?
Are your control systems’ hosts and workstations only used for approved control system
activities?
Do you run any new protocol, application, or software proposed to be added to the
control system network in a test-bed or development environment to evaluate the
potential for impairing the performance of the control system?
Have you developed and documented the practices and procedures that would
incorporate cybersecurity into the control systems design, modification, and operation?
Is cybersecurity consideration part of the initial specification and design of new control
systems and all changes to existing systems?
Do all new control system operation practices and procedures incorporate cybersecurity
consideration?
�3173
Policies
INGAA
3174
Policies
INGAA
3175
Policies
INGAA
3178
Policies & Procedures
General
Policies & Procedures
General
Procedures
3179
Procedures
INGAA
3180
Procedures
INGAA
3181
Procedures
INGAA
3182
Procedures
INGAA
3183
Procedures
INGAA
3184
Procedures
INGAA
3185
Procedures
INGAA
3186
Procedures
INGAA
3187
Procedures
INGAA
3188
Procedures
INGAA
3189
Procedures
INGAA
3176
3177
INGAA
INGAA
INGAA
Do you only grant the minimum set of rights, privileges, or accesses required by users or
processes to perform any control system operation, maintenance, or monitoring task?
Do you enable audit logging for all devices that are capable?
Do you periodically review all rights, privileges, and accesses for all users or process to all
control system components and resources including but not limited to physical access, OS
services, files, disks, shared data, and networking resources to ensure that unauthorized
changes have not been made?
Do you review all control systems operational procedures to ensure cybersecurity policies
are maintained at design levels?
Do you have policies and procedures for addressing hardware and software security
deficiencies in control systems?
Do you have procedures for hardening all components used in control systems.
Do you have procedures for securing the configurations for all network devices such as
firewalls, routers, and switches and used to establish baseline configuration for these
devices?
Do you review the baseline system configurations including services and ports periodically
based on company policy to ensure that unauthorized changes have not been made?
Do you remove or disable the operating system services that are not used by the
production SCADA to reduce the risk of being exploited?
Do you review the enabled networking protocols on all networked devices and disable
unessential protocols should be disabled?
Do you document all required applications and open ports both for normal operation and
emergency operation?
Do you disable all port and applications not in use?
Do you perform a risk assessment on system services to see if the benefits of having them
running outweigh the potential for exploitation?
Do you only allow remote functions that an operating system provides when necessary
and only use secure versions?
Do you discourage the use of FTP on a SCADA system and strictly control it?
Do you disable or otherwise protect removable media devices (USB ports, CD/DVD drives,
and other removable media devices)?
Do you remove the guest accounts?
�3190
3191
3192
3193
3194
Procedures
Procedures
Procedures
Procedures
Procedures
INGAA
INGAA
INGAA
INGAA
INGAA
3195
Procedures
INGAA
3196
Procedures
INGAA
3197
Procedures
INGAA
3198
Procedures
INGAA
3199
Procedures
INGAA
3200
Procedures
INGAA
3201
Procedures
INGAA
3202
Procedures
INGAA
3203
Procedures
INGAA
3204
Procedures
INGAA
3205
Procedures
INGAA
3206
Procedures
INGAA
3207
Plans
INGAA
3208
Plans
INGAA
Do you change the default passwords?
Do you disallow unhardened devices on the network?
Do you use secure coding techniques when developing applications?
Do you strictly control administrative access to all control systems?
Do you require strong passwords for administrative accounts?
Do you change passwords periodically based on company policy and whenever personnel
changes dictate?
Do you have policies and procedures for management of software patches and updates,
antivirus software, and anti-malware software?
Do you apply all critical control system supplier approved operating system updates in
accordance with company policy?
Do you use antivirus, anti-malware, and other protection software in accordance with the
control system supplier’s recommendations?
Do you periodically inventory the software patch level of all systems on the network to be
aware of unpatched systems based on company policy?
Do you ensure that critical application and database security patches are applied in
accordance with the control system supplier recommendations?
Do your change control policies and procedure address any change that will impact the
pipeline control system whether permanent or temporary?
Do you use some type of document control?
Do you use a baseline change approach that fully documents the control system
configuration?
Do you have procedures to recover the baseline configuration in the event of unexpected
impacts or failures from the changes made to the baseline configuration?
Do you follow the process steps as outlined in Section 3.3.3.3?
Have you established policies and procedures for the secure disposal of equipment and
associated media and does it include the sanitization of information system media, both
digital and nondigital, prior to disposal or release for reuse?
Does your control system cybersecurity plans address plans and preparation for the
return to full service of unavailable, degraded, or compromised control systems in a
timely fashion as defined by the organization consistent with their availability and
recovery requirements?
Do you plan and prepare for the prompt restoration and recovery of a failed or
compromised SCADA system?
�3209
Plans
INGAA
3210
3211
3212
Procedures
Procedures
Procedures
INGAA
INGAA
INGAA
3213
Procedures
INGAA
3214
Procedures
INGAA
3215
Plans
INGAA
3216
Plans
INGAA
3217
Plans
INGAA
3218
Plans
INGAA
3219
Plans
INGAA
3220
Plans
INGAA
3221
Plans
INGAA
3222
Plans
INGAA
3223
Plans
INGAA
3224
Plans
INGAA
3225
Plans
INGAA
3226
3227
Policies
Policies
INGAA
INGAA
Do you have plans that include contingencies for cyber threats, natural disasters, and/or
equipment/software failures?
Do you have procedures for restoring systems from backups?
Does your employee training ensure familiarization with the contents of the plans?
Do your procedures define the roles and responsibilities of first responders?
Do you have communication procedures and a list of personnel to contact in the case of
an emergency, including control system vendors, network administrators, and control
system support personnel?
Do you have procedures for validating system backups?
Does the restoration and recovery plan include references to current configuration
information on all systems requiring restoration?
Does the restoration and recovery plan include specifications of recovery time objectives
and specific contingency plan objectives if recovery times are exceeded?
Does the restoration and recovery plan include a required response to events or
conditions of varying duration and severity that would activate the recovery plan?
Does the restoration and recovery plan include a personnel list for authorized physical
and cyber access to the control system?
Does the restoration and recovery plan include requirements for the timely replacement
of components in the case of an emergency?
Do you review the plan periodically according to company policy?
Do you make and secure backups of critical system software, including applications, data,
and configuration information, on a regular basis as defined by company policy consistent
with their availability and recovery requirements?
Do you keep Installation media and license information in a secure location?
Do you test the restoration and recovery process periodically according to company
policy, which includes executing it on a frequency according to company policy and
reviewing and refining as necessary according to company policy?
Does your CSP control system cybersecurity plan include the implementation of policies
and procedures for cyber intrusion monitoring, detection, incident handling, and
reporting?
Do you establish policies and procedures for cyber intrusion monitoring and detection as
well as incident handling and reporting?
Do your monitoring procedures include unexpected log file events?
Do your monitoring procedures include unusually heavy network traffic?
�Do your monitoring procedures include out of disk space or significantly reduced free disk
space?
Do your monitoring procedures include unusually high CPU usage?
Do your monitoring procedures include creation of new user accounts?
Do your monitoring procedures include attempted or actual use of administrator-level
accounts?
Do your monitoring procedures include locked-out accounts?
Do your monitoring procedures include account in-use when the user is not at work?
Do your monitoring procedures include cleared log files?
Do your monitoring procedures include full log files with unusually large number of
events?
Do your monitoring procedures include antivirus alerts?
Do your monitoring procedures include disabled antivirus software and other security
controls?
Do your monitoring procedures include unexpected patch changes?
Do your monitoring procedures include machines connecting to outside IP addresses?
Do your monitoring procedures include requests for information about the system (social
engineering attempts)?
3228
Policies
INGAA
3229
3230
Policies
Policies
INGAA
INGAA
3231
Policies
INGAA
3232
3233
3234
Policies
Policies
Policies
INGAA
INGAA
INGAA
3235
Policies
INGAA
3236
Policies
INGAA
3237
Policies
INGAA
3238
3239
Policies
Policies
INGAA
INGAA
3240
Policies
INGAA
3241
Policies
INGAA
Do your monitoring procedures include unexpected changes in configuration settings?
3242
3243
3244
3245
3246
Policies
Policies
Policies
Policies
Policies
INGAA
INGAA
INGAA
INGAA
INGAA
3247
System Protection
INGAA
3249
Physical Security
INGAA
3250
Access Control
INGAA
Do your monitoring procedures include unexpected system shutdown?
Does your organization have cyber incident handling and procedures?
Does your incident response plan include Roles and Responsibilities Definition?
Does your incident response plan include Declaration of Preparation?
Does your incident response plan include Incident Response Phases Definition?
Does the organization develop and enforce policies and procedures where control system
workstations are only used for approved activities?
Are non-critical facilities access controls implemented to the same protection standards
as the main facility?
Does the enhanced access control in the security plan include consideration of physical
and logical access, risk assessment of wireless implementation, and access to Critical
Cyber Assets?
�3251
3347
3348
Physical Security
Configuration
Management
Risk Management and
Assessment
INGAA
Does the organization implement physical access controls as specified in regulatory
sources? (i.e., INGAA Pipeline Security Practices Guidelines Natural Gas Pipeline Industry
Transmission and Distribution)
NCSF_V1
Is there a defined list of software programs authorized to execute on the system?
NCSF_V1
Does the organization map all communication and data flows?
3349
Remote Access Control NCSF_V1
3350
Plans
NCSF_V1
3351
Plans
NCSF_V1
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
Policies
Policies
Policies
Access Control
Policies
Policies
Policies
Policies
Policies
Policies
Training
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
Are the organization's place in critical infrastructure and its industry sector identified and
communicated?
Does the organization have a plan for critical infrastructure recovery developed and
tested?
Does your organization have an Information and Document Management Policy?
Does your organization have a Media Protection Policy?
Does your organization have a System Security Policy?
Does your organization have an Access Control Policy?
Does your organization have an Audit and Accountability Policy?
Does your organization have a Cryptographic Policy?
Does your organization have an Identification and Authentication Policy?
Does your organization have a Monitoring and Review Policy?
Does your organization have a System and Communication Protection Policy?
Does your organization have a System and Services Acquisition Policy?
Do privileged users understand their roles and responsibilities in cybersecurity?
3363
Training
NCSF_V1
Do senior executives understand their roles and responsibilities with regard to security?
3364
Training
NCSF_V1
Do physical security personnel, through training and testing, understand their roles and
responsibilities in regard to cybersecurity?
NCSF_V1
Does your organization have a Configuration Management Plan?
NCSF_V1
Does the organization share with industry partners proven effective protection
technologies?
NCSF_V1
Does the continuity of operations plan include necessary notifications to stakeholders?
3365
3366
3367
Configuration
Management
Communication
Protection
Continuity
Are all external information systems catalogued?
�3368
Continuity
NCSF_V1
3369
Incident Response
NCSF_V1
3370
3371
3372
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
Are new vulnerabilities mitigated or documented as acceptable risks?
3374
Incident Response
Incident Response
Incident Response
Risk Management and
Assessment
Continuity
Does the organization understand the impact of the cyber incident?
Do personnel have knowledge of cyber forensics and execute them in accordance with
the incident response plan?
Are cybersecurity incidents categorized according to the incident response plan?
Are cybersecurity incidents contained according to the incident response plan?
Are cybersecurity incidents mitigated according to the incident response plan?
NCSF_V1
3375
Continuity
NCSF_V1
Are lessons learned incorporated into recovery plans?
Is the recovery plan reviewed and updated to address lessons learned, system,
organizational, and technology changes?
3376
Continuity
NCSF_V1
3373
3378
3379
3380
3381
3382
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
System and Services
Acquisition
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
3383
Incident Response
NCSF_V1
3384
Info Protection
NCSF_V1
3385
Environmental Security NCSF_V1
3386
Environmental Security NCSF_V1
3387
Continuity
NCSF_V1
3388
Continuity
NCSF_V1
Does the organization attempt to restore company reputation after an event is repaired?
Are risk management procedures developed, managed and distributed to the
organizational members?
Does the organization use risk information from similar industries to determine its own
risk tolerance?
Are information and systems categorized in accordance with business risk, policies,
regulations, standards, and guidance?
Are the security categorization results documented and prioritized in the system security
plan?
Is organization's place in critical infrastructure and its industry sector is identified and
communicated?
Have the organization's upstream and downstream dependencies been identified in the
supply chain?
Are organizational mission, objectives and activities determined and prioritized according
to organization time period?
Does the organization have critical services such as communications, internet provider, or
electrical power that are needed for critical functioning of the business?
Does the organization use UPS or generators as sources of alternate power to support
critical business processes?
Does the organization use an alternate telecommunications provider to provide critical
business services?
Does the organization test whether alternate critical functions are adequate?
�3389
Communication
Protection
NCSF_V1
3390
Continuity
NCSF_V1
3391
Plans
NCSF_V1
3392
Continuity
NCSF_V1
3393
Plans
Risk Management and
Assessment
NCSF_V1
3395
Policies
NCSF_V1
3396
Procedures
NCSF_V1
3397
Account Management
NCSF_V1
3398
Account Management
NCSF_V1
3399
Audit and
Accountability
NCSF_V1
3400
Plans
NCSF_V1
3401
Procedures
NCSF_V1
3402
Remote Access Control NCSF_V1
3403
Monitoring & Malware NCSF_V1
3404
Incident Response
3405
Monitoring & Malware NCSF_V1
3394
NCSF_V1
NCSF_V1
Does the organization have adequate supply of materials to continue to provide delivery
of critical business service?
Does the organization understand resilience as it applies toward re-establishing critical
services?
Has capacity planning determined the necessary capacity for information processing,
telecommunications, and environmental support needed during restoration operations?
Is there a formal, documented resilience planning policy for the system that addresses
critical services?
Are risk-reduction mitigation measures identified and prioritized?
Is there a detailed mitigation strategy for individual systems that addresses risk and is
there a comprehensive strategy?
Does the organization manage user names and credentials for each user or device
contained in the system?
Do you have procedures for issuing a name and password for each user in all systems?
Are system accounts authorized, established, activated, modified, disabled, and removed
according to the organization defined time period?
Is there a minimum password complexity of defined requirements for case sensitivity,
number of characters, mix of upper case letters, lower case letters, numbers, and special
characters, including minimum requirements for each type and are passwords required to
be changed in an organization-defined time period?
Is there sufficient storage capacity allocated to reduce the likelihood of such capacity
being exceeded?
Has capacity planning determined the necessary capacity for information processing,
telecommunications, and environmental support needed for daily operations?
Do you have a configuration change control plan?
Is cryptography used to protect the confidentiality and integrity of remote access
sessions? (See FIPS 140 for validated cryptographic modules)
Are automated tools used to support near real-time analysis of events and are these
events analyzed for after-the-fact examples of attack targets and methods?
Are system network security incidents tracked and used to correlate with other sensors
and system log files?
Are vulnerability scans performed on a defined frequency or randomly in accordance with
organizational policy?
�3406
3407
3408
Monitoring & Malware NCSF_V1
Risk Management and
Assessment
Risk Management and
Assessment
NCSF_V1
NCSF_V1
3409
Monitoring & Malware NCSF_V1
2912
Account Management
NEI_0809
2913
Account Management
NEI_0809
2914
Account Management
NEI_0809
2915
Access Control
NEI_0809
2916
Access Control
NEI_0809
2917
Access Control
NEI_0809
2918
Access Control
NEI_0809
2919
Access Control
NEI_0809
2920
Communication
Protection
NEI_0809
2921
Access Control
NEI_0809
If vulnerability scanning tools are unavailable, is the organization able to compensate
using passive monitoring tools?
Are the results of periodic, unannounced, in-depth monitoring or penetration testing used
to improve detection processes?
Are the results of system monitoring used as a basis for improving detection processes?
Are vulnerability scanning tools updated and improved?
Are CDA accounts managed and documented to include: authorizing, establishing,
activating, modifying, reviewing, disabling and removing accounts?
Are CDA accounts managed and reviewed against the access control list at least every 31
days?
Are computer automated mechanisms used to manage CDA accounts in activities such as
terminate, disable inactive accounts within 31 days, create and protect audit records, and
notify system administrator of account modifications?
Does the organization conduct reviews of job function changes to ensure account rights
remain limited to job function?
Does the organization define and document privileged functions and security relevant
information on the CDA?
Does the organization document and enforce access mechanisms (e.g. passwords) that
do not adversely impact the operational performance of CDAs and employs alternate
compensating security controls when access enforcement cannot be used?
When access enforcement mechanisms may adversely impact the performance of CDAs,
do you document and employ alternate security controls when access enforcement is
unavailable?
Does the organization restrict access to privileged functions and security information to
authorized personnel?
Does the organization document information flow control enforcement by using
protected processing level (e.g., defensive architecture) as a basis for flow control
decisions?
Does the organization enforce separation of CDA functions through assigned access
authorizations?
�2922
Access Control
NEI_0809
2923
Access Control
NEI_0809
2924
Access Control
NEI_0809
2925
Access Control
NEI_0809
2926
Access Control
NEI_0809
2927
Info Protection
NEI_0809
2928
Portable/Mobile/Wirel
NEI_0809
ess
2929
System Integrity
NEI_0809
2930
Portable/Mobile/Wirel
NEI_0809
ess
2931
Access Control
NEI_0809
2932
Audit and
Accountability
NEI_0809
2933
Audit and
Accountability
NEI_0809
Does the organization implement alternative controls and document the justification
where a CDA cannot support differentiation of roles and where a single individual must
perform all roles within the CDA?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures for increased auditing where a CDA cannot support
the differentiation of privileges within the CDA and where an individual must perform all
roles within the CDA?
Does the organization document the justification and details for alternative
controls/countermeasures where a CDA cannot support account/node locking or delayed
login attempts?
Does the organization ensure that CDA "Use Notification" provides privacy and security
notices?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures where a CDA cannot support session locks? And
ensures that the CDA is protected from unauthorized access, monitored, audited, and has
verification of qualified personnel access?
Does the organization identify and implement standard naming conventions for
identification of special dissemination, handling, or distribution instructions in compliance
with 10 CRF 2.390 and 10 CFR 73.21?
Does the organization disable wireless capabilities when not utilized?
Does the organization perform verification during deployment of CDAs, when changes or
modifications occur to CDAs, and every 31 days for accessible areas and that CDAs are
free of insecure connections such as vendor connections and modems?
Does the organization enforce and document that mobile device security and integrity are
maintained at a level consistent with the CDA they support?
Is information that could cause an adverse impact on SSEP functions or could assist an
adversary in carrying out an attack not released to the public?
Where a CDA cannot support the use of automated mechanisms to generate audit
records, are there alternative controls and documented justification for alternative
controls or countermeasures?
Does the organization coordinate security audit functions within the facility to enhance
mutual support and help guide the selection of auditable events?
�2934
2935
2936
2937
2938
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
NEI_0809
Does the CDA prevent users from altering or destroying audit records?
NEI_0809
Does the organization meet NRC record retention requirements?
NEI_0809
Does the CDA or security boundary device failover to a redundant CDA, where necessary,
to prevent adverse impact to safety, security or emergency preparedness functions?
NEI_0809
NEI_0809
2939
Audit and
Accountability
NEI_0809
2940
Audit and
Accountability
NEI_0809
2941
Audit and
Accountability
NEI_0809
2942
Communication
Protection
NEI_0809
2943
Communication
Protection
NEI_0809
2944
Communication
Protection
NEI_0809
2945
Communication
Protection
NEI_0809
Does the CDA or security boundary device, when necessary, respond during failure by
overwriting the oldest audit record or records?
Is the failure of audit processing capabilities attributed as a failure of the CDA or security
boundary device?
Does the organization review and analyze CDAs audit records every 31 days, for
indications of in appropriate or unusual activity, and report the findings to the designated
official?
Does the organization document the justification and details for alternate compensating
security controls where a CDA cannot support auditing reduction and report generation
by providing this capability through a separate system?
Does the organization ensure CDAs use a time source protected at an equal or greater
level than the CDAs or internal system clocks to generate time stamps for audit records,
and the time on CDAs are synchronized?
Does the organization document procedures that facilitate the implementation of the
CDA, system, and communications protection policy?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures for individuals who have access to the CDA are
qualified, trustworthy, and reliable per 10 CFR 73.56?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures for physically restricted access to the CDA and
timely detection and response to intrusions?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures where a CDA cannot internally support
transmission confidentiality capabilities through ensuring that individuals who have
access to the CDA are qualified, trustworthy, and reliable per 10 CFR 73.56?
�2946
Communication
Protection
NEI_0809
2947
Communication
Protection
NEI_0809
2948
Communication
Protection
NEI_0809
2949
Communication
Protection
NEI_0809
2950
Physical Security
NEI_0809
2951
Access Control
NEI_0809
2952
Account Management
NEI_0809
2953
Account Management
NEI_0809
2954
Access Control
NEI_0809
2955
System Integrity
NEI_0809
2956
System Integrity
NEI_0809
2957
Info Protection
NEI_0809
2958
Info Protection
NEI_0809
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures where a CDA cannot internally support
transmission confidentiality capabilities through physical restrictions, monitoring, and
record physical access to the CDA?
Does the organization manage cryptographic keys using automated mechanisms with
supporting procedures or manual procedures when cryptography is required and
employed within the CDAs in accordance with NEI 0809 Rev 6 Appendix D Section 3.9
(NRC Regulatory Issue Summary (RIS) 2002-15, Revision 1)?
Are CDAs configured to provide physical disconnection of cameras and microphones in a
manner that supports ease of use except where these technologies are used to control
and monitor the CDA for security purposes?
Does the organization configure CDAs so they, upon receipt of data, perform data origin
authentication and data integrity verification on resolution responses whether or not
CDAs request this service?
Is physical access to CDAs restricted?
Does the organization implement the strongest possible challenge-response
authentication mechanism where domain-based authentication is not used?
Are passwords changed every 92 days and have length and complexity for the required
security?
On a CDA that cannot support device identification and authentication, are alternative
controls implemented and documented with justification for using alternative controls?
Does the organization ensure that CDAs authenticate cryptographic modules in
accordance with NEI 08-09 Rev 6 Appendix D Section 3.9 (NRC Regulatory Issue Summary
(RIS) 2002-15, Revision 1)?
Does the organization verify and document that CDAs are patched or mitigated in
accordance with the patch management process and security prioritization timelines?
Does the organization document the level of support for testing patch releases?
Does the media protection policy and procedures detail the purpose, scope, roles,
responsibilities, management commitment, coordination among entities, and compliance
for information categories as defined by the site policies?
Does the media protection procedures include the methodology that defines the purpose,
scope, roles, responsibilities, and management commitment in the areas of media
receipt, storage, handling, sanitization, removal, reuse, and disposal?
�2959
Info Protection
NEI_0809
2960
Personnel
NEI_0809
2961
Personnel
NEI_0809
2962
Personnel
NEI_0809
2963
System Integrity
NEI_0809
2964
System Integrity
NEI_0809
2965
Physical Security
NEI_0809
2966
Physical Security
NEI_0809
2967
Physical Security
NEI_0809
2968
Physical Security
NEI_0809
2969
Physical Security
NEI_0809
2970
Physical Security
NEI_0809
Is CDA testing with storage media verified every 92 days to ensure equipment and
procedures are functioning properly?
Does a certifying official grant access prior to an individual gaining access to CDAs or
communication systems?
Does the organization retrieve information (e.g. security-related and organizational)
formerly controlled by terminated or transferred individual?
Are qualified individuals proven to be trustworthy and reliable in accordance with 10 CFR
73.56?
Where a CDA cannot support the use of automated mechanisms for the management of
distributed security testing, is there justification and documentation for employing
alternative or compensating controls?
Does the organization perform scans to verify the integrity, operation and functions of
software and information every 92 days?
Does the organization develop, implement and document a plan for CDAs located outside
of the protected area in regard to physical security protection, roles, responsibilities and
management accountability, organization's staff, third-party contractors, and
environmental protection?
Does the organization include personnel security controls in acquisition-related contract
and agreement documents?
Does the organization implement physical security controls to limit access to CDAs and to
prevent degradation of the operational environment?
Does the organization control and document visitor access to CDAs by verifying the
identity and confirming access authorization prior to entry?
Does the organization employ secure management communications and encryption per
Appendix D of NEI 08-09, Rev 6?
Does the organization ensure that direct communications between digital assets at lower
security levels and digital assets at higher security levels are eliminated or restricted (e.g.
relating to defense-in-depth) with justification that explains that communication from a
lower security level to a higher security level verifies that a compromise of such
communication will not prevent or degrade the functions performed by the CDAs in the
higher security level?
�2971
Incident Response
NEI_0809
2972
Continuity
NEI_0809
2973
Organizational
NEI_0809
2974
2975
Configuration
Management
Configuration
Management
NEI_0809
NEI_0809
2976
Configuration
Management
NEI_0809
2977
System and Services
Acquisition
NEI_0809
2993
Access Control
NEI_0809
2994
Monitoring & Malware NEI_0809
2995
1180
1181
1182
1183
1184
1185
Audit and
Accountability
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Are the incident response team members identified and do they represent the following
organizations: Physical security, Cyber security team, Operations, Engineering,
Information Technology, Human resources, System support vendors, Management, Legal,
and Safety?
Are backups of CDAs tested at an interval of no less than 31 days?
Does the situational awareness training include understanding normal behavior of the
CDA so that abnormal behavior is recognized?
Does the organization establish configuration management security controls for CDAs
with the process described in Section 4.2 of Cyber Security Plan?
Are the up-to-date baseline configurations audited every 92 days?
Does the organization document the justification for alternate (compensating) security
controls where a CDA cannot support the use of automated mechanisms to centrally
manage, apply, and verify configuration settings?
Does the organization develop a formal, documented procedure to facilitate the
implementation of the system and services acquisition policy and associated system and
services acquisition controls?
Does the system authenticate devices before establishing connections to CDAs?
Is unauthorized use of CDAs identified? (e.g., log monitoring)
NEI_0809
Are changes to CDAs consistent with your configuration management program?
Nerc_Cip_R3
control centers and backup control centers?
Nerc_Cip_R3
transmission substations that support the reliable operation of the Bulk Electric System?
Nerc_Cip_R3
consider generation resources that support the reliable operation of the Bulk Electric
System?
Nerc_Cip_R3
systems and facilities critical to system restoration?
Nerc_Cip_R3
Nerc_Cip_R3
systems and facilities critical to automatic load shedding under a common control system
capable of shedding 300 MW or more?
Special Protection Systems that support the reliable operation of the Bulk Electric
System?
�1186
Risk Management and
Assessment
Nerc_Cip_R3
1187
System Protection
Nerc_Cip_R3
1188
Policies & Procedures
General
Nerc_Cip_R3
1189
Organizational
Nerc_Cip_R3
1190
Organizational
Nerc_Cip_R3
1191
Organizational
Nerc_Cip_R3
1192
1193
1194
1195
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Nerc_Cip_R3
Nerc_Cip_R3
Nerc_Cip_R3
Nerc_Cip_R3
1196
Risk Management and
Assessment
Nerc_Cip_R3
1197
Info Protection
Nerc_Cip_R3
1198
Info Protection
Nerc_Cip_R3
1200
Info Protection
Nerc_Cip_R3
1201
Training
Nerc_Cip_R3
any additional assets that support the reliable operation of the Bulk Electric System?
Have the critical cyber assets been identified, reviewed, and updated on at least an
annual basis?
Has the control systems specific cybersecurity policy been disseminated to those with a
need to know?
Is the change in senior management leadership documented within 30 calendar days of
the effective date?
Does the senior manager delegate authority for specific actions to a named delegate or
delegates, and are the delegations documented by name, title, and date of designation
and approved by the senior manager?
Has the senior manager or delegate(s) authorized and documented any exception from
the requirements of the cybersecurity policy?
Have conformance issues with the cybersecurity policy been documented as exceptions
and authorized by the senior manager or delegate(s)?
Are exceptions to the cybersecurity policy documented within 30 days of senior manager
or delegate(s) approval?
Are exceptions to the cybersecurity policy documented with an explanation as to
necessity and any compensating measures?
Are exceptions to the cybersecurity policy reviewed and approved annually by the senior
manager or delegate(s) to ensure they are still valid and required?
Does the critical cyber asset information to be protected include operational procedures,
lists as required in Standard CIP-002-3, network topology, floor plans that contain critical
cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident
response plans, and security configuration information?
Are personnel who authorize access to protected information identified by name, title,
and information for which they are responsible for authorizing access?
Is the list of personnel responsible for authorizing access to protected information
verified at least annually?
Are the processes for controlling access privileges to protected information assessed at
least annually?
Does training material include policies, access controls, and procedures for critical cyber
assets?
�1202
Training
Nerc_Cip_R3
Does training include the proper use of critical cyber assets, physical and electronic access
controls to critical cyber assets, the proper handling of critical cyber asset information,
and action plans and procedures to recover or re-establish critical cyber assets and access
following a cyber security incident?
1203
Personnel
Nerc_Cip_R3
Does the personnel assessment include an identity verification and 7-year criminal check?
1204
Personnel
Nerc_Cip_R3
1205
Personnel
Nerc_Cip_R3
1206
Communication
Protection
Nerc_Cip_R3
1207
Communication
Protection
Nerc_Cip_R3
1208
Communication
Protection
Nerc_Cip_R3
1209
Communication
Protection
Nerc_Cip_R3
1210
Communication
Protection
Nerc_Cip_R3
1211
Communication
Protection
Nerc_Cip_R3
1212
Monitoring & Malware Nerc_Cip_R3
Is there a documented monitoring process(es) at each dial-up access point device?
1213
Monitoring & Malware Nerc_Cip_R3
Does the vulnerability assessment include a document identifying the vulnerability
assessment process?
Are the results of personnel risk assessments documented, and are personnel risk
assessments of contractor and service vendor personnel conducted pursuant to Standard
CIP-004-3?
Is the list of personnel who have access to critical cyber assets reviewed quarterly, and is
the list updated within 7 calendar days of any change of personnel or any change in the
access rights?
Is there a defined electronic security perimeter for dial-up accessible critical cyber assets
that use nonroutable protocols?
Are end points of communication links connecting discrete electronic security perimeters
considered access points and included in the electronic security perimeter?
Are noncritical cyber assets within a defined electronic security perimeter identified and
protected pursuant to the requirements of Standard CIP-005-3?
Are access control and monitoring assets of the electronic security perimeter afforded
protective measures as specified in CIP-003-3, CIP-004-3 Requirement R3, CIP-005-3
Requirements R2 and R3, CIP-006-3 Requirements R2 and R3, CIP-007-3 Requirements R1
and R3 through R9, CIP-008-3, and CIP-009-3?
Is there documentation of electronic security perimeter(s), all interconnected critical and
noncritical cyber assets within the electronic security perimeter(s), all electronic access
points to the electronic security perimeter(s), and the cyber assets deployed for the
access control and monitoring of these access points?
Is there a procedure for securing dial-up access to the electronic security perimeter(s)?
�1214
Monitoring & Malware Nerc_Cip_R3
1215
Configuration
Management
Nerc_Cip_R3
1216
Access Control
Nerc_Cip_R3
1217
Plans
Nerc_Cip_R3
1218
Physical Security
Nerc_Cip_R3
1219
Plans
Nerc_Cip_R3
1220
Plans
Nerc_Cip_R3
1221
Physical Security
Nerc_Cip_R3
1222
Physical Security
Nerc_Cip_R3
1223
Physical Security
Nerc_Cip_R3
1224
Physical Security
Nerc_Cip_R3
1225
Physical Security
Nerc_Cip_R3
1226
Physical Security
Nerc_Cip_R3
Does the vulnerability assessment include a process of discovery for access points in the
electronic security perimeter?
Is the documentation updated to reflect the modification of the network or controls
within 90 calendar days of the change?
Are electronic access logs retained for at least 90 calendar days, and are logs related to
reportable incidents kept in accordance with the requirements of Standard CIP-008-3?
Is there a documented, implemented, and maintained physical security plan approved by
the senior manager or delegate(s)?
Do all cyber assets within an electronic security perimeter also reside in a physical
security perimeter OR are alternative measures deployed and documented to control
physical access to such cyber assets?
Does the physical security plan address update of the physical security plan within 30
calendar days of the completion of any physical security system redesign or
reconfiguration?
Does the physical security plan address annual review of the physical security plan?
Do cyber assets that authorize and/or log access to the physical security perimeter(s)
have the protective measures specified in Standard CIP-003-3; Standard CIP-004-3,
Requirement R3; Standard CIP-005-3, Requirements R2 and R3; Standard CIP-006-3,
Requirements R4 and R5; Standard CIP-007-3; Standard CIP-008-3; and Standard CIP-0093?
Do cyber assets used in the access control and/or monitoring of the electronic security
perimeter(s) reside within an identified physical security perimeter?
Does logging record sufficient information to uniquely identify individuals and the time of
access 24 hours a day, 7 days a week?
Are there documented technical and procedural mechanisms for logging physical entry at
all access points to the physical security perimeter(s)?
Are electronic physical access logs produced OR Is electronic capture of video images
used for logging physical access, and are they of sufficient quality to determine identity
OR Is manual logging of physical access used and maintained by security as specified in
Requirement R4?
Are physical access logs retained for at least 90 calendar days, and are logs related to
reportable incidents kept in accordance with the requirements of Standard CIP-008-3?
�1227
Physical Security
Nerc_Cip_R3
Is there a maintenance and testing program to ensure that all physical security systems
under Requirements R4, R5, and R6 function properly?
1228
Physical Security
Nerc_Cip_R3
Are all physical security systems tested and maintained on a cycle no longer than 3 years?
1229
Physical Security
Nerc_Cip_R3
1230
Physical Security
Nerc_Cip_R3
1231
System Protection
Nerc_Cip_R3
1232
System Integrity
Nerc_Cip_R3
1233
System Integrity
Nerc_Cip_R3
1234
System Integrity
Nerc_Cip_R3
1235
Monitoring & Malware Nerc_Cip_R3
1236
Account Management
Nerc_Cip_R3
1237
Account Management
Nerc_Cip_R3
1238
Account Management
Nerc_Cip_R3
1239
Account Management
Nerc_Cip_R3
Is there a policy to minimize and manage the scope and acceptable use of administrator,
shared, and other generic account privileges, including factory default accounts?
1240
Account Management
Nerc_Cip_R3
Are individuals with access to shared accounts identified?
1241
1242
Access Control
Info Protection
Risk Management and
Assessment
Nerc_Cip_R3
Nerc_Cip_R3
Are passwords changed at least annually?
Are data storage media erased prior to redeployment?
Nerc_Cip_R3
Is there a document identifying the vulnerability assessment process?
1243
Are all physical security systems testing and maintenance records retained for the cycle
identified in accordance with Requirement R8.1.
Are all physical security systems outage records regarding access controls, logging, and
monitoring retained for a minimum of 1 calendar year?
Is there a documented process to ensure that only those ports and services required for
normal and emergency operations are enabled?
Is the assessment of security patches and security upgrades for applicability documented
within 30 calendar days of availability of the patches or upgrades?
Is the implementation of security patches documented?
Are compensating measures applied to mitigate risk exposure documented when patches
are not installed?
Are antivirus and malware prevention tools documented and implemented?
Are user accounts implemented as approved by designated personnel per CIP-003-3
Requirement R5?
Are there methods, processes, and procedures that generate logs of sufficient detail to
create historical audit trails of individual user account access activity for a minimum of 90
days?
Are user accounts reviewed at least annually to verify access privileges are in accordance
with CIP-003-3 R5 and CIP-004-3 R4 requirements?
�1244
1245
Risk Management and
Assessment
Risk Management and
Assessment
Nerc_Cip_R3
Does the vulnerability assessment verify that only ports and services required for
operation of the cyber assets within the electronic security perimeter are enable?
Nerc_Cip_R3
Does the vulnerability assessment review the controls for default accounts?
1246
Risk Management and
Assessment
Nerc_Cip_R3
1247
Incident Response
Nerc_Cip_R3
1248
Incident Response
Nerc_Cip_R3
1249
Incident Response
Nerc_Cip_R3
1250
Continuity
Nerc_Cip_R3
1251
Risk Management and
Assessment
Nerc_Cip_R4
1252
Personnel
Nerc_Cip_R4
1253
Communication
Protection
Nerc_Cip_R4
1254
Communication
Protection
Nerc_Cip_R4
1255
Access Control
Nerc_Cip_R4
Is the documentation specified in Standard CIP-007-3 reviewed and updated at least
annually, including ensuring changes resulting from modifications to the systems or
controls are documented within 30 calendar days of the change?
Does the incident response plan include a process for reporting incidents to the Electricity
Sector Information Sharing and Analysis Center (ES-ISAC)?
Are all reportable cybersecurity incidents reported to the ES-ISAC either directly or
through an intermediary?
Is documentation related to cybersecurity incidents reportable per Requirement R1.1
retained for 3 calendar years?
Are updates to the recovery plan(s) communicated to personnel responsible for the
activation and implementation of the recovery plan(s) within 30 calendar days of the
change being completed?
Does the critical cyber asset information to be protected include operational procedures,
lists as required in Standard CIP-002-4, network topology, floor plans that contain critical
cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident
response plans, and security configuration information?
Are the results of personnel risk assessments documented, and are personnel risk
assessments of contractor and service vendor personnel conducted pursuant to Standard
CIP-004-4?
Are noncritical cyber assets within a defined electronic security perimeter identified and
protected pursuant to the requirements of Standard CIP-005-4a?
Are access control and monitoring assets of the electronic security perimeter afforded
protective measures as specified in CIP-003-4, CIP-004-4 Requirement R3, CIP-005-4a
Requirements R2 and R3, CIP-006-4c Requirements R2 and R3, CIP-007-4 Requirements
R1 and R3 through R9, CIP-008-4, and CIP-009-4?
Are electronic access logs retained for at least 90 calendar days and are logs related to
reportable incidents kept in accordance with the requirements of Standard CIP-008-4?
�1256
Physical Security
Nerc_Cip_R4
Do cyber assets that authorize and/or log access to the physical security perimeter(s)
have the protective measures specified in Standard CIP-003-4; Standard CIP-004-4,
Requirement R3; Standard CIP-005-4a, Requirements R2 and R3; Standard CIP-006-4c,
Requirements R4 and R5; Standard CIP-007-4; Standard CIP-008-4; and Standard CIP-0094?
1257
Physical Security
Nerc_Cip_R4
Are physical access logs retained for at least 90 calendar days, and are logs related to
reportable incidents kept in accordance with the requirements of Standard CIP-008-4?
1258
Risk Management and
Assessment
Nerc_Cip_R4
3413
Configuration
Management
Nerc_Cip_R5
3414
Configuration
Management
Nerc_Cip_R5
Does the Responsible Entity review the identification Requirement R1 (CIP-002-5.1) and
update changes at least every 15 calendar months even if no changes are required?
Is the documentation specified in Standard CIP-007-4 reviewed and updated at least
annually, including ensuring changes resulting from modifications to the systems or
controls are documented within 30 calendar days of the change?
Has the Responsible Entity identified and classified high, medium and low impact BES
Cyber systems according to CIP-002-5 Attachment 1, Section 1?
3415
Organizational
Nerc_Cip_R5
Is there a review process for high and medium impact BES Cyber Systems and is it
updated at least once every 15 calendar months and does a CIP Senior manager approve
it?
3416
Organizational
Nerc_Cip_R5
Is there a documented review process for high and medium impact BES Cyber Systems
and does the process include topics addressed in CIP-003-5 Parts 1.1 through 1.9?
3417
Organizational
Nerc_Cip_R5
3418
Organizational
Nerc_Cip_R5
3419
Organizational
Nerc_Cip_R5
3420
Organizational
Nerc_Cip_R5
3421
Organizational
Nerc_Cip_R5
3422
Personnel
Nerc_Cip_R5
Are low impact BES Cyber Security Systems reviewed at least once every 15 calendar
months in a manner that identifies, assesses, and corrects deficiencies?
Does the review of low impact BES Cyber Systems address cyber security topics from CIP003-5 R2 Part 2.1 through Part 2.4 and is it approved by management?
Is the CIP Senior Manager identified by name and documented within 30 calendar days of
any change?
Are changes to the delegation of authority document approved by the CIP Senior
Manager and updated within 30 days?
Is the responsible CIP Senior Manager authority delegation process documented and
reviewed in a manner that identifies, assesses, and corrects deficiencies?
Is security awareness training given at least once each calendar quarter to users that have
electronic or physical access to the BES cyber system ?
�Does the Responsible Entity provide a cyber security awareness training that covers topics
listed in CIP-004-5.1 Parts 2.1.1 through 2.1.9?
Does the Responsible Entity have a Cyber Security Training program as specified in CIP004-5.1 R2 and is it offered at least once every 15 calendar months?
3423
Personnel
Nerc_Cip_R5
3424
Personnel
Nerc_Cip_R5
3425
Personnel
Nerc_Cip_R5
Are the results of personnel risk assessments documented, and are the risk assessments
of contractor and service vendor personnel conducted pursuant to Standard CIP-004-5?
3426
Personnel
Nerc_Cip_R5
Is appropriate personnel access, physical or electronic, to designated storage locations for
BES Cyber System Information verified at least once every 15 calendar months?
3427
Access Control
Nerc_Cip_R5
3428
Personnel
Communication
Protection
Nerc_Cip_R5
3430
Physical Security
Nerc_Cip_R5
3431
Physical Security
Nerc_Cip_R5
3432
System Integrity
Nerc_Cip_R5
3433
System Integrity
Nerc_Cip_R5
3434
System Integrity
Nerc_Cip_R5
3435
System Integrity
Nerc_Cip_R5
3436
Incident Response
Nerc_Cip_R5
3429
Nerc_Cip_R5
Is the Access Management Program documented, assessed, and if any deficiencies are
found they are corrected?
Does the Responsible Entity verify user accounts at least every 15 calendar months?
Does the Responsible Entity have a documented interactive remote access policy that
includes CIP-005-5 applicable requirements from Parts 2.1, 2.2, and 2.3?
Are physical access logs retained for at least 90 calendar days and are logs related to
reportable incidents kept in accordance with the requirements of CIP-006-5?
Is there a maintenance and testing program performed at least every 24 calendar months
to ensure that all physical security systems function properly?
Does the Responsible Entity implement, in a manner that identifies, assesses, and
corrects deficiencies, one or more documented processes from CIP-007-5 Table R3 Malicious Code Prevention?
Does the Responsible Entity implement, in a manner that identifies, assesses, and
corrects deficiencies, one or more documented processes from CIP-007-5 Table R4 –
Security Event Monitoring?
Are user accounts reviewed at least annually to verify access privileges are in accordance
with CIP-004-5 R4 requirements?
Are user accounts implemented as approved by designated personnel per CIP-004-5 R4
requirements?
Does the Responsible Entity implement and document processes from CIP-008-5 R1 for
one or more Cyber Security Incident response plans and where deficiencies are identified,
analyzed, and corrected?
�3437
Incident Response
Nerc_Cip_R5
3438
Incident Response
Nerc_Cip_R5
3439
Continuity
Nerc_Cip_R5
3440
Continuity
Nerc_Cip_R5
3441
Continuity
Nerc_Cip_R5
3442
Configuration
Management
Nerc_Cip_R5
2978
Access Control
NISTIR_7628
2979
Audit and
Accountability
NISTIR_7628
2980
2981
2982
2983
2984
2985
Risk Management and
Assessment
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Continuity
NISTIR_7628
NISTIR_7628
NISTIR_7628
NISTIR_7628
Has the Responsible Entity developed, documented and implemented a Cyber Security
Incident response implementation and testing plan from CIP-008-5 R2 for one or more
Cyber Security Incident response plans and where deficiencies are identified, analyzed,
and corrected?
Does the Responsible Entity maintain Cyber Security Incident response plans in a manner
that reviews, updates and communicates roles and responsibilities?
Does the Responsible Entity have a documented recovery plan and a process that
identifies and corrects deficiencies as described in CIP-009-5 R1?
Does the Responsible Entity implement one or more documented processes listed in CIP009-5 R2 for a recovery plan implementation and testing? And are deficiencies identified
and corrected?
Are updates to the recovery plans made and communicated to personnel responsible for
the activation and implementation of the recovery plans within 60 calendar days of the
change completion?
Does the organization monitor changes to the baseline configuration at least every 35
days?
Does the organization control the use of personally owned and removable media in the
Smart Grid system?
Is the Smart Grid system configured to synchronize with internal Smart Grid system clocks
on an organization-defined frequency using an organization-defined time source?
Does the organization report the security state of the Smart Grid system to management
authority according to company-defined policy?
Does the organization analyze changes to the Smart Grid system for potential security
impacts?
Does the organization establish terms and conditions for installing any hardware,
firmware, or software on Smart Grid system devices?
Is there an inventory of the components of the Smart Grid system that documents the
names or roles of the individuals responsible for administering those components?
NISTIR_7628
Are the factory default settings changed during maintenance?
NISTIR_7628
Are the continuity of operations security policy and the associated continuity of
operations protection requirements developed, implemented, and reviewed according to
company policy?
�2986
Continuity
NISTIR_7628
2987
Continuity
NISTIR_7628
2988
Continuity
NISTIR_7628
2989
2990
2991
2992
3804
3805
3806
3807
3808
3809
3810
Information and
Document
Management
Information and
Document
Management
NISTIR_7628
NISTIR_7628
Is the authorizing official or designated representative who reviews and approves the
continuity of operations plan specified?
Are individuals with continuity of operations roles and responsibilities identified?
Does the organization train personnel in their continuity of operations roles and
responsibilities?
Does the document management policy address the purpose of the document
management security program as it relates to protecting the organization's personnel and
assets?
Does the document management policy address the scope of the document management
security program as it applies to all organizational staff and third-party contractors?
Does the organization train personnel in their incident response roles and responsibilities
with respect to the Smart Grid system and receive refresher training defined by company
policy?
Are communications with Smart Grid information system components restricted to
specific components in the Smart Grid information system? Also are communications with
Communication
NISTIR_7628
Protection
any non-Smart Grid system denied unless separated by a controlled logical/physical
interface?
Does the organization ensure that the awareness and training security policy and
NISTIR_7628_R
Awareness and Training
procedures comply with applicable federal, state, local, tribal, and territorial laws and
1
regulations?
Audit and
NISTIR_7628_R Does the organization audit activities associated with configuration changes to the
Accountability
1
system?
Security Assessment
NISTIR_7628_R Does management commit to ensuring compliance with the organization's security
and Authorization
1
assessment and authorization security policy and other regulatory requirements?
Security Assessment
NISTIR_7628_R
Does a senior official sign and approve the security authorization to operate?
and Authorization
1
NISTIR_7628_R Are periodic reviews of compliance with the system security policy performed to ensure
Continuity
1
compliance with all applicable laws and regulatory requirements?
NISTIR_7628_R Does the continuity of operations security policy address protecting the organization's
Continuity
1
personnel and assets?
Has the organization identified circumstances that could inhibit the recovery of the
NISTIR_7628_R
Continuity
system to a known, secure state and established procedures to provide compensating
1
controls?
Incident Response
NISTIR_7628
�3811
Incident Response
3812
Incident Response
3813
Incident Response
3814
Maintenance
3815
3816
Physical and
Environmental
Protection
Physical and
Environmental
Protection
3817
Plans
3818
Plans
3819
Personnel
3820
3821
3822
3823
3824
3825
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
System and Services
Acquisition
System and Services
Acquisition
NISTIR_7628_R Are the incident handling procedures integrated with continuity of operations
1
procedures?
NISTIR_7628_R
Does the incident reporting procedure comply with applicable laws and regulations?
1
Is the incident reporting procedure written so that it includes what is a reportable
NISTIR_7628_R
incident, granularity of information necessary, who receives the report, and the process
1
for transmitting incident information?
NISTIR_7628_R Does the organization sanitize system components to be serviced both at removal and re1
installation?
NISTIR_7628_R Does the organization ensure that investigation of and response to detected physical
1
security incidents are part of the organization's incident response capability?
NISTIR_7628_R Does the organization authorize, monitor, control, and document and maintain records
1
for all system components entering and exiting the facility?
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
Is a privacy impact assessment reviewed and approved by a management authority?
Does the organizational planning and coordination of security related activities include
both emergency and routine situations?
Does a formal accountability process comply with applicable regulatory requirements,
policies, standards, and guidance?
Are system and information security impact levels specified and documented in the
security plan for the system?
Does the organization review the system and information impact levels on a
organizationally-defined frequency?
Are assessments conducted to determine risk impacts from unauthorized access, use,
disclosure, disruption, modification, or destruction of information and systems?
Are risk assessments updated when significant changes occur to the system or on an
organizationally-defined frequency?
Are organization system acquisition contracts in compliance with applicable laws,
regulations, and organization-defined security policies?
Do the security engineering principles include a minimum standard for security and
privacy?
�3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
825
826
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
System and Services
Acquisition
NISTIR_7628_R Do the security engineering principles include performance of a final security audit prior
1
to authorization to operate in order to confirm adherence to security requirements?
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Communication
Protection
Communication
Protection
Communication
Protection
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
NISTIR_7628_R
1
Communication
Protection
NISTIR_7628_R Are cryptography and other security functions (e.g. hashes, random number generators)
1
that are required for use in smart grid information systems, NIST (FIPS) approved?
Communication
Protection
Communication
Protection
Policies
Policies
NISTIR_7628_R
1
NISTIR_7628_R
1
Nrc_571
Nrc_571
Do the security engineering principles include creation of a threat model for the system?
Do the security engineering principles include updating product specifications to include
mitigations for threats discovered during threat modeling?
Do the security engineering principles include using secure coding practices?
Do the security engineering principles include creation of a documented and tested
security response plan in the event a vulnerability is discovered?
Do the security engineering principles include creation of a documented and tested
privacy response plan in the event a vulnerability is discovered?
Do the security engineering principles include performance of a root cause analysis to
understand the cause of identified vulnerabilities?
Do the security engineering principles include ongoing software security training
requirements for developers?
Do the system developers/integrators perform testing of developed security code only on
non-production systems?
Does the organization use cryptographic mechanisms to ensure information integrity?
Does the organization employ cryptographic mechanisms to prevent unauthorized
disclosure of information during transmission?
Does the system employ secure methods for the establishment and management of
cryptographic keys?
Has the organization developed a collaborative computing policy and do they update and
review it on a defined frequency?
Does the organization document, monitor, and manage the use of mobile code within the
system?
Does the access control policy address the management of CDAs?
Does the access control policy address the protection of password/key databases?
�Nrc_571
Does the access control policy address the auditing of CDAs annually or immediately upon
changes in personnel responsibilities or major changes in system configurations or
functionality?
Are all user rights and privileges on the CDA assigned consistent with the user
authorizations?
Are privileged functions for CDAs defined and documented?
Are there assigned authorizations for controlling the flow of information in near-real time,
within CDAs and between interconnected systems?
Have the types of permissible and impermissible information flow between CDAs, security
boundary devices, and boundaries been analyzed and addressed, and is the required level
of authorization implemented as defined in the defensive strategy?
Are CDAs configured so user credentials are not transmitted in clear text, and is this
documented in the access control policy?
Are the security functions restricted to the least number of users necessary?
Access Control
Nrc_571
Are physical notices installed for when a CDA cannot support system use notifications?
835
Access Control
Nrc_571
836
837
Access Control
Physical Security
Nrc_571
Nrc_571
Are all end users required to report any suspicious activity to the Cybersecurity Program
manager?
Are CDAs configured to allow users to directly initiate session lock mechanisms?
Is the use of access controls documented, supervised, and reviewed?
838
Info Protection
Nrc_571
Is the hard and soft copy information in storage, in process, and in transmission labeled?
839
Access Control
Nrc_571
Are CDAs secured through media access control address locking, physical or electrical
isolation, static tables, encryption, or monitoring?
Nrc_571
Are protocols prohibited from initiating commands except within the same boundary?
827
Policies
Nrc_571
828
Access Control
Nrc_571
829
Access Control
Communication
Protection
Nrc_571
830
831
Communication
Protection
833
Communication
Protection
Access Control
834
832
840
841
842
843
844
Communication
Protection
Communication
Protection
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Are protocols prohibited from initiating commands that could change the state of the
CDA from a more secured posture to a less secured posture?
Is wireless access only allowed through a boundary security control device and are
wireless connections treated as outside of the security boundary?
Is the use of wireless technologies for CDAs associated with safety-related and importantto-safety functions prohibited?
Are mobile devices used only in one security level and mobile devices are not moved
between security levels?
�845
846
847
848
849
850
851
852
Communication
Protection
Communication
Protection
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Nrc_571
Nrc_571
Are alternative controls or countermeasures implemented to protect the CDAs from
cyber attack up to and including the design-basis threat (DBT) when proprietary protocols
that create a lack of visibility are used?
Do you ensure that external systems cannot be accessed from higher levels, such as
Levels 3 and 4?
Nrc_571
Are CDAs prevented from purging audit event records on restart?
Nrc_571
Are the justification and details for alternate compensating security controls documented
for those instances in which a CDA cannot respond to audit processing failures?
Nrc_571
Nrc_571
Nrc_571
Nrc_571
853
System Protection
Nrc_571
854
System Protection
Nrc_571
855
Monitoring & Malware Nrc_571
856
Monitoring & Malware Nrc_571
857
Monitoring & Malware Nrc_571
858
Communication
Protection
Nrc_571
859
Communication
Protection
Nrc_571
Does the response to audit failures include using an external system to provide these
capabilities?
Are methods of time synchronization used that do not introduce a vulnerability to cyber
attack and/or common-mode failure?
Is audit information protected at the same level as the device sources?
Are CDAs and audit records protected against an individual falsely denying they
performed a particular action?
Are CDAs configured to isolate security functions from nonsecurity functions including
control of access to and integrity of the hardware, software, and firmware performing
these security functions?
Are CDAs configured to use underlying hardware separation mechanisms to facilitate
security function isolation?
Are devices and ports locked via address locking to prevent MITM attacks and rogue
devices from being added to the network?
Is network access control used to prevent MITM attacks and rogue devices from being
added to the network?
Is the network monitored to detect MITM attacks and address resolution protocol
poisoning?
Are CDAs configured to prohibit remote activation of collaborative computing (e.g., IM,
video conferencing) and is there an indication of use to the local user?
Are systems that provide name/address resolution to CDAs configured to indicate the
security status of child subspaces and, if the child supports secure resolution services,
enabled verification of a chain of trust among parent and child domains?
�860
Communication
Protection
Nrc_571
861
Account Management
Nrc_571
862
Account Management
Nrc_571
863
Account Management
Nrc_571
864
865
866
867
868
869
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Do CDAs fail in a known-state so that SSEP functions are not adversely impacted by the
CDAs failure?
Do the identification and authentication policy and procedures ensure that the user
identifier is issued to the intended party?
Do the identification and authentication policy and procedures require the disabling of
user identifier after a maximum of 30 days of inactivity?
Do the identification and authentication policy and procedures require archiving of user
identifiers?
Nrc_571
Is secure domain-based authentication implemented?
Nrc_571
Are domain controllers within the given security level they service?
Nrc_571
Are domain controllers physically and logically secured?
Nrc_571
Are domain trust relationships between domains that of different security levels
prohibited?
Nrc_571
Are domain authentication protocols prohibited from being passed between boundaries?
Nrc_571
870
Access Control
Nrc_571
871
872
Access Control
Access Control
Nrc_571
Nrc_571
873
Physical Security
Nrc_571
874
Physical Security
Nrc_571
875
Account Management
Nrc_571
Is role-based access control used to restrict user privileges to only those required to
perform the task?
Are passwords not found in a dictionary, and do they not contain predictable sequences
of numbers or letters?
Are copies of master passwords stored in a secure location with limited access?
Is the authority to change master passwords limited to authorized personnel?
Do adequate physical security controls exist requiring operators be both authorized and
properly identified, and are they monitored so operator actions are audited and
recorded?
Is access to nonauthenticated human-machine interactions (NHMI) controlled so as to not
hamper HMI while maintaining security of the NHMI and ensuring that access to the
NHMI is limited to only authorized personnel?
Are SSEP functions not adversely affected by authentication, session lock, or session
termination controls?
�876
Audit and
Accountability
Nrc_571
Is the auditing capability implemented on NHMIs to ensure that all operator activity is
recorded and monitored by authorized and qualified personnel and are historical records
maintained?
877
Account Management
Nrc_571
Is the user identifier disabled after a maximum of 30 days of inactivity?
878
Account Management
Nrc_571
Is the initial authenticator content defined? (Such as defining password length and
composition, tokens, keys, and other means of authenticating)
879
Access Control
Nrc_571
Do CDA authentication mechanisms prevent information (e.g. debug information, system
banners) that an attacker could use to compromise authentication mechanisms?
880
System Integrity
Nrc_571
881
Maintenance
Nrc_571
882
883
884
885
886
Maintenance
System Integrity
System Integrity
System Integrity
System Integrity
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
887
System Integrity
Nrc_571
888
889
System Integrity
System Integrity
Nrc_571
Nrc_571
890
System Integrity
Nrc_571
891
892
893
894
895
896
System Integrity
System Integrity
System Integrity
System Integrity
System Integrity
System Integrity
Communication
Protection
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
897
Nrc_571
Are the operating system and software patches documented to allow traceability, and is
there verification that no extra services are reinstalled or reactivated?
Are software components that are not required for the operation and maintenance
removed or disabled before incorporating the CDA into the production environment?
Are the components that were removed or disabled documented?
all unused network device drivers
unused peripherals
messaging services
servers or clients for unused services (e.g., ftp, smtp, telenet, outlook express)
software compilers in all user workstations and servers except for development
workstations and servers
compilers for languages that are not used in the control system
unused networking and communications protocols
unused administrative utilities, diagnostics, network management, and system
management functions
backups of files, databases, and programs used only during system development
all unused data and configuration files
sample programs and scripts
unused document processing utilities
unused removable media support
games
Does configuration of the host intrusion detection system (HIDS) include attributes to
enable detection of cyber attacks up to and including the DBT?
�906
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Configuration
Management
Access Control
907
Access Control
Nrc_571
908
Access Control
Nrc_571
909
System Integrity
Nrc_571
910
Configuration
Management
Nrc_571
911
Monitoring & Malware Nrc_571
898
899
900
901
902
903
904
905
912
913
914
915
Configuration
Management
Configuration
Management
Configuration
Management
Info Protection
Nrc_571
Nrc_571
Nrc_571
Is the HIDS configured to log system and user account connections to alert security
personnel if an abnormal situation occurs?
Is the HIDS configured so it does not adversely impact the CDA safety, security, and
emergency preparedness functions?
Are the security logging storage devices configured as "append only" to prevent alteration
of records on those storage devices?
Nrc_571
Are rules updates and patches to the HIDS implemented as security issues identified?
Nrc_571
Are the HIDS configuration documents secured to ensure that only authorized personnel
may access them?
Nrc_571
Are CDAs configured with the lowest privilege, data, commands, file, and account access?
Nrc_571
Are system services configured to execute at the lowest privilege level possible for that
service and is the configuration documented?
Nrc_571
Is the changing or disabling of access to files and functions documented?
Nrc_571
Is the BIOS password protected from unauthorized changes?
Are the mitigation measures documented when password protection of the BIOS is not
technically feasible documented?
Are network devices used to limit access to and from specific zones?
Is there documentation allowing the system administrators to reenable devices if the
devices are disabled by software and document the configuration?
Is there verification and documentation that replacement devices are configured in a
manner that is equal to or better than the original?
Are vulnerability notifications processed within 4 hours of receipt of the vulnerability
information?
Are updates or workarounds to the baseline authorized and documented before
implementation?
Are received cybersecurity updates tested on a nonproduction system/device for
validation before installing on production systems?
Nrc_571
Nrc_571
Nrc_571
Does the nonproduction system/device accurately replicate the production CDA?
Nrc_571
Are automated mechanisms used to restrict access to media storage areas, audit access
attempts, and grant accesses?
�916
Info Protection
Nrc_571
917
Info Protection
Nrc_571
918
Info Protection
Nrc_571
919
Info Protection
Nrc_571
920
Info Protection
Nrc_571
921
Personnel
Nrc_571
922
Personnel
Nrc_571
923
924
925
Procedures
Procedures
Procedures
Nrc_571
Nrc_571
Nrc_571
926
Procedures
Nrc_571
927
System Integrity
Nrc_571
928
Procedures
Nrc_571
929
930
Portable/Mobile/Wirel
Nrc_571
ess
Portable/Mobile/Wirel
Nrc_571
ess
931
System Integrity
Nrc_571
932
933
System Integrity
System Integrity
Nrc_571
Nrc_571
934
Access Control
Nrc_571
935
Access Control
Nrc_571
Are digital and nondigital media protected during transport outside of controlled areas
using defined security measures?
Is the guidance in NIST SP 800-88 followed to sanitize CDA media?
Is information destroyed by a method that precludes reconstruction by means available
to the DBT adversaries?
Is the CDA media requiring sanitization and the appropriate techniques and procedures to
be used in the process identified?
Is identified CDA media sanitized before disposal or release for reuse and is sanitization
consistent?
Are exit interviews conducted promptly upon termination or transfer of an individual's
employment?
Are appropriate personnel promptly informed of status change, transfer, or termination
of an individual's employment?
neutralizing malicious activity?
secure monitoring and management of security mechanisms?
time synchronization for all security-related devices?
that the physical and logical security of the monitoring network matches or exceeds, and
differs from, the systems or networks being monitored?
Are there procedures for correcting security flaws in CDAs?
Are there procedures for performing vulnerability scans and assessments of the CDA to
validate that the flaw has been eliminated before the CDA is put into production?
Are users not allowed to introduce unauthorized removable media onto the CDAs?
Are all media interfaces disabled that are not required for the operation of the CDA?
Is the need, severity, methods, and timeframes for implementing security directives
independently evaluated and determined?
Are hardware access controls used to prevent unauthorized software changes?
Are tamper evident packaging seals inspected on a regular basis?
Is information checked automatically for accuracy, completeness, validity, and
authenticity as close to the point of origin as possible?
Are inputs passed to interpreters prescreened to prevent the content from being
unintentionally interpreted as commands?
�936
Policies & Procedures
General
Nrc_571
937
Maintenance
Nrc_571
938
Physical Security
Nrc_571
939
940
Physical Security
Physical Security
Nrc_571
Nrc_571
941
Planning
Nrc_571
942
Planning
Nrc_571
943
Planning
Nrc_571
944
Planning
Nrc_571
945
Planning
Nrc_571
946
Defense in Depth
Nrc_571
947
948
949
Defense in Depth
Defense in Depth
Defense in Depth
Nrc_571
Nrc_571
Nrc_571
950
Defense in Depth
Nrc_571
951
Defense in Depth
Nrc_571
952
Defense in Depth
Nrc_571
953
Defense in Depth
Nrc_571
Do the system maintenance policy and procedures cover assets located in all security
boundaries?
Are there mechanisms implemented to detect unauthorized command execution by an
escorted individual OR are there personnel with required access authorization and
knowledge necessary designated to supervise escorted personnel?
Are officials designated to review and approve the access lists and authorization
credentials?
Is logical access controlled through the use of electronic devices and software?
Is there adequate lighting for access monitoring devices?
Does the defensive strategy include and identify the protective controls associated within
each security level?
Does the defensive model identify the logical boundaries for data transfer and associated
communication protocols?
Does the defensive model define the level of connectivity permitted between levels and
individual CDAs?
Are the elements of the defensive strategy incorporated into CDAs?
Are the security controls applied commensurate with the risk associated to perform the
function required?
Is the highest degree of cybersecurity protection allocated to CDAs that carry out safety,
important to safety, and security functions, and are they protected from lower defensive
levels?
Is remote access to CDAs located in the highest defensive level prevented?
Is spoofing of addresses from one security level to another prevented?
Is only one-way data flow from Level 4 to Level 3 and from Level 3 to Level 2 allowed?
Is the initiation of communications from digital assets at lower security levels to digital
assets at higher security levels prohibited?
Is bi-directional communication only allowed between CDAs in Level 4 within a security
Level 4?
Do nonsafety systems that have bi-directional communication to safety systems have the
same level of protection as the safety systems?
Does one-way data flow from one level to other levels only occur through a device that
enforces the security policy between each level and detects, prevents, delays, mitigates,
and recovers from a cyber attack coming from the lower security level?
�954
Defense in Depth
Nrc_571
955
Defense in Depth
Nrc_571
956
Defense in Depth
Nrc_571
957
Defense in Depth
Nrc_571
958
Defense in Depth
Nrc_571
959
Defense in Depth
Nrc_571
960
Defense in Depth
Nrc_571
961
Defense in Depth
Nrc_571
962
Defense in Depth
Nrc_571
963
Defense in Depth
Nrc_571
964
Defense in Depth
Nrc_571
965
Defense in Depth
Nrc_571
966
Defense in Depth
Nrc_571
967
Defense in Depth
Nrc_571
968
Defense in Depth
Nrc_571
Are data, software, firmware, and devices moved from lower levels of security to higher
levels of security using a documented validation process or procedure that is trustworthy
at or above the trust level of the device on which the data, code, information, or device
that will be installed or connected?
Are CDAs that provide safety, important-to-safety, security, or control functions allocated
defensive Level 4 protection?
Are CDAs that provide data acquisition functions allocated at least defensive Level 3
protection?
Do boundary control devices between higher and lower security levels physically and
logically secure and harden CDAs?
Do boundary control devices between higher and lower security levels employ secure
management communications and encryption in accordance with Appendix B to RG 5.71?
Do boundary control devices between higher and lower security levels provide logging
and alert capabilities?
Do boundary control devices between higher and lower security levels provide intrusion
detection and prevention capabilities?
Do boundary control devices between higher and lower security levels detect and prevent
malware from moving between boundaries?
Do boundary control devices between higher and lower security levels have the ability to
perform more than stateful inspection of the protocols used across the boundary?
Do boundary control devices between higher and lower security levels deny traffic, except
when explicitly authorized?
Do boundary control devices between higher and lower security levels provide protocol,
source, and destination filtering?
Do boundary control devices between higher and lower security levels base blocking on
source and destination address pairs, services, and ports?
Do boundary control devices between higher and lower security levels do not permit
either incoming or outgoing traffic by default?
Are boundary control devices between higher and lower security levels managed through
a direct connection to the firewall or through a dedicated interface?
Do boundary control devices between higher and lower security levels not permit direct
communication to the firewall from any of the managed interfaces?
�969
Defense in Depth
Nrc_571
970
Defense in Depth
Nrc_571
971
Defense in Depth
Nrc_571
972
Defense in Depth
Nrc_571
973
Defense in Depth
Nrc_571
974
Defense in Depth
Nrc_571
975
Defense in Depth
Nrc_571
976
Defense in Depth
Nrc_571
977
Defense in Depth
Nrc_571
978
Defense in Depth
Nrc_571
979
Defense in Depth
Nrc_571
980
Defense in Depth
Nrc_571
981
Defense in Depth
Nrc_571
Do boundary control devices between higher and lower security levels record information
on accepted and rejected connections, traffic monitoring, analysis, and intrusion
detection?
Do boundary control devices between higher and lower security levels forwards logs to a
centralized logging server?
Do boundary control devices between higher and lower security levels enforce
destination authorization and restricts users by allowing them to reach only the CDAs
necessary for their function?
Do boundary control devices between higher and lower security levels record information
flow for traffic monitoring, analysis, and intrusion detection?
Are boundary control devices between higher and lower security levels deployed and
maintained by authorized personnel trained in the technologies used?
Do boundary control devices between higher and lower security levels permit acquisition
and control networks to be severed from corporate networks in times of serious cyber
incidents or when directed by authorized personnel?
Do boundary control devices between higher and lower security levels contain a rule set
that is evaluated, analyzed, and tested before deployment and routinely upon
modification and updates to the operational software and firmware?
Do boundary control devices between higher and lower security levels receive time
synchronization from a trusted and dedicated source existing on the security network,
attached directly to the CDA or via SNTP and a trusted key management process?
Do boundary control devices between higher and lower security levels synchronize time
with CDAs?
Are boundary control devices between higher and lower security levels capable of
forwarding logging information in a standard format to a secure logging server or use an
external device?
Are boundary control devices between higher and lower security levels logs routinely
reviewed by personnel to detect malicious or anomalous activity?
Do boundary control devices between higher and lower security levels contain a rule set
that is updated quarterly?
Do security boundary control devices between higher security levels and lower security
levels use only physically and logically secured and hardened computing devices and flow
control?
�982
Defense in Depth
Nrc_571
983
Defense in Depth
Nrc_571
984
Incident Response
Nrc_571
985
Incident Response
Nrc_571
986
Incident Response
Nrc_571
987
Incident Response
Nrc_571
988
Incident Response
Nrc_571
989
Incident Response
Nrc_571
990
991
992
993
994
Incident Response
Incident Response
Incident Response
Incident Response
Incident Response
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
995
Incident Response
Nrc_571
996
Incident Response
Nrc_571
997
Incident Response
Nrc_571
998
Incident Response
Nrc_571
Do boundary control devices between higher and lower security levels allow no
information to be transferred directly from networks, systems, or CDAs at a lower
security level to networks, systems, or CDAs at Level 4?
Do boundary control devices between higher and lower security levels prevent viruses or
other malicious or unwanted programs from propagating information between security
levels?
Do incident response procedures direct containment activities and provide for assisting
operations personnel in conducting and operability determination?
Do incident response procedures provide for isolating the affected CDA with approval by
shift superintendent operations and verifying that surrounding or interconnected CDAs,
networks, and support systems are not contaminated, degraded, or compromised?
Do eradication activities identify the attack and the compromised pathway?
Are incident response training exercises documented, and are personnel qualified and
trained?
Are drills of the incident response capability for CDAs tested and conducted at least
annually?
Are defined tests or drills or both used to update the incident response capability to
maintain its effectiveness?
Are the results of testing and drills documented?
Are there incident response testing and drill procedures?
Are automated mechanisms used to test or drill the incident response capability?
Are announced and unannounced tests and drills conducted and documented?
Is there an integrated cybersecurity incident response team (CSIRT)?
In the event of an unplanned incident that reduces the number of required cybersecurity
personnel, are other trained and qualified onsite cybersecurity personnel used, or are offduty personnel called in within 2 hours from the time of discovery?
Is the team provided with the technical skills and authority to effectively respond to a
potential cybersecurity event?
Are the processes, procedures, and controls documented that the team will employ upon
the discovery or identification of a potential or actual cybersecurity attack?
Is the identification of what constitutes a cybersecurity incident defined and
documented?
�999
Incident Response
Nrc_571
Is the identification of threat level classification for incidents defined and documented?
1000
Incident Response
Nrc_571
Is the description of actions to be taken for each component of the Incident Response &
Recovery (IR&R) process defined and documented?
1001
Incident Response
Nrc_571
Is the description of individual postulated classes or categories of incidents or attacks and
indicators and potential or planned methods of mitigation defined and documented?
1002
Incident Response
Nrc_571
Is the identification of defensive strategies that would assist in identifying and containing
a cyber attack defined and documented?
1003
Incident Response
Nrc_571
Is the description of the CSIRT incident notification process defined and documented?
1004
Incident Response
Nrc_571
Is the description of incident documentation requirements defined and documented?
1005
Incident Response
Nrc_571
1006
Incident Response
Nrc_571
1007
Incident Response
Nrc_571
1008
Incident Response
Nrc_571
1009
Incident Response
Nrc_571
1010
Incident Response
Nrc_571
1011
Incident Response
Nrc_571
1012
Plans
Nrc_571
1013
Plans
Nrc_571
1014
Continuity
Nrc_571
Is the establishment of coordinated and secure communication methods to be used
between local and remote CSIRT members and outside agencies defined and
documented?
Is the description of response escalation requirements defined and documented?
Is the following incident data collected: incident title, date of incident, reliability of report,
type of incident, entry point, perpetrator, type of system, hardware and software
impacted, brief description of incident, impact on organization, measures to prevent
recurrence, and references?
Does the CSIRT consist of individuals with knowledge and experience in information and
digital system technology?
Does the CSIRT consist of individuals with knowledge and experience in nuclear facility
operations, engineering, and safety?
Does the CSIRT consist of individuals with knowledge and experience in physical and
operational security?
Are the competent and trained incident response support personnel available year round,
24 hours per day to offer advice and assistance?
Does the incident response plan define the resources and management support needed
to effectively maintain and mature an incident response capability?
Is the incident response plan reviewed and approved by the Cybersecurity Program
Sponsor?
the required response to events or conditions that activate the recovery plan?
�1015
Continuity
Nrc_571
1016
1017
1018
Continuity
Continuity
Continuity
Nrc_571
Nrc_571
Nrc_571
procedures for operating the CDAs in manual mode, when external electronic
connections are severed, until secure conditions can be restored?
processes and procedures for the backup and secure storage of information?
complete and up-to-date logical diagrams depicting network connectivity?
Does it contain current configuration information for components?
1019
Continuity
Nrc_571
Does it contain a list of personnel authorized for physical and cyber access to the CDA?
1020
Continuity
Nrc_571
a communication procedure and list of personnel to contact in the case of an emergency?
1021
Continuity
Nrc_571
documented requirements for the replacement of components?
1022
Continuity
Nrc_571
Does the contingency plan maintain the SSEP functions by developing and disseminating
roles, responsibilities, and assigned individuals with contact information?
1023
Continuity
Nrc_571
1024
Continuity
Nrc_571
1025
Continuity
Nrc_571
1026
Continuity
Nrc_571
1027
Continuity
Nrc_571
1028
Continuity
Nrc_571
1029
Continuity
Nrc_571
1030
Continuity
Nrc_571
1031
Continuity
Nrc_571
Does the contingency plan maintain the SSEP functions by defining activities associated
with determining the effects of CDAs after a compromise, disruption, or failure and
restoring the CDAs?
Is the contingency plan development coordinated with organizations responsible for
related plans and requirements?
Are the required resources and capacity maintained to ensure that necessary information
processing, telecommunications, and environmental support exist during crisis situations?
Are the resources needed to ensure that the capacity necessary for information
processing, telecommunications, and environmental support exist during crisis situations
documented?
Do CDAs execute predetermined actions in the event of a loss of processing within a CDA
or a loss of communication with operational facilities?
Is recovery and reconstitution of CDAs included in contingency plan testing?
Are alternate controls established and documented for when the contingency plan cannot
be tested or exercised on production CDAs?
Are scheduled and unscheduled system maintenance activities used as an opportunity to
test or exercise the contingency plan?
Are personnel trained in their contingency roles and responsibilities with respect to the
CDAs?
�1032
Continuity
Nrc_571
1033
Continuity
Nrc_571
1034
Continuity
Nrc_571
1035
Continuity
Nrc_571
1036
Continuity
Nrc_571
1037
Continuity
Nrc_571
1038
Training
Nrc_571
1039
1040
Training
Training
Nrc_571
Nrc_571
1041
Training
Nrc_571
1042
Training
Nrc_571
1043
Training
Nrc_571
1044
Training
Nrc_571
1045
Training
Nrc_571
1046
Training
Nrc_571
1047
1048
Training
Training
Nrc_571
Nrc_571
1049
Training
Nrc_571
1050
Training
Nrc_571
Is refresher training provided at least annually or consistent with the overall contingency
program, whichever period is shorter?
Are there training procedures, and are training records of individuals documented?
Are training drills used to familiarize contingency personnel with the facility, CDAs, and
available resources and in evaluating the site's capabilities to support contingency
operations?
Are realistic test/drill scenarios and environments used that effectively stress the CDAs?
Is the timeframe established and documented when data or the CDA must be restored
and the frequency at which critical data and configurations are changing?
Are CDAs recovered and reconstituted to a known secure state following a disruption or
failure? (Which may include regression testing)
Are individuals trained to a level of cybersecurity knowledge appropriate to their assigned
responsibilities?
Are the requirements for cybersecurity awareness implemented and documented ?
Is the content of cybersecurity training based on assigned roles and responsibilities?
Is the content of cybersecurity training based on specific requirements identified by the
defensive strategy?
Is the content of cybersecurity training based on CDAs to which personnel have
authorized access?
Does the cybersecurity awareness training address the site-specific objectives,
management expectations, programmatic authority, roles and responsibilities, policies,
procedures, and consequences for noncompliance with the cybersecurity program?
Does the cybersecurity awareness training address the general attack methodologies,
appropriate, and inappropriate cybersecurity practices?
Does the cybersecurity awareness training address unusually heavy network traffic?
Does the cybersecurity awareness training address out of disk space or significantly
reduced free disk space?
Does the cybersecurity awareness training address unusually high CPU usage?
Does the cybersecurity awareness training address creation of new user accounts?
Does the cybersecurity awareness training address attempted or actual use of
administrator-level accounts?
Does the cybersecurity awareness training address locked-out accounts?
�1051
Training
Nrc_571
1052
Training
Nrc_571
1053
Training
Nrc_571
1054
Training
Nrc_571
1055
Training
Nrc_571
1056
Training
Nrc_571
1057
Training
Nrc_571
1058
Training
Nrc_571
1059
Training
Nrc_571
1060
Training
Nrc_571
Does the cybersecurity awareness training address account in-use when the user is not at
work?
Does the cybersecurity awareness training address cleared log files?
Does the cybersecurity awareness training address full log files with unusually large
number of events?
Does the cybersecurity awareness training address antivirus or IDS alerts?
Does the cybersecurity awareness training address disabled antivirus software and other
security controls?
Does the cybersecurity awareness training address unexpected patch changes?
Does the cybersecurity awareness training address machines connecting to outside IP
addresses?
Does the cybersecurity awareness training address requests for information about the
system?
Does the cybersecurity awareness training address unexpected changes in configuration
settings?
Does the cybersecurity awareness training address unexpected system shutdown?
1061
Training
Nrc_571
Does the cybersecurity awareness training address unusual activity from control devices?
1062
Training
Nrc_571
Does the cybersecurity awareness training address loss of signal from control devices?
1063
Training
Nrc_571
Does the cybersecurity awareness training address unusual equipment in secure areas?
1064
Training
Nrc_571
1065
Training
Nrc_571
1066
Training
Nrc_571
1067
Training
Nrc_571
1068
Training
Nrc_571
Does the cybersecurity awareness training address the contacts to whom to report
suspicious activity, incidents, and violations of cybersecurity policies, procedures, or
practices?
Does the cybersecurity awareness training explain why access and control methods are
required?
Does the cybersecurity awareness training address the measures users can employ to
reduce risks?
Does the cybersecurity awareness training address the impact on the organization if the
control methods are not incorporated?
Is there a training program for personnel performing, verifying, or managing activities
within the scope of the program to ensure that suitable proficiency is achieved and
maintained?
�1069
Training
Nrc_571
1070
Training
Nrc_571
1071
Training
Nrc_571
1072
Training
Nrc_571
1073
Training
Nrc_571
1074
Training
Nrc_571
1075
Training
Nrc_571
1076
Training
Nrc_571
1077
Training
Nrc_571
1078
Training
Nrc_571
1079
Training
Nrc_571
1080
Training
Nrc_571
Do individuals that have cybersecurity responsibilities related to programs, processes,
procedures, or individuals that are involved in the design, modification, and maintenance
of CDAs, receive technical training?
Is cybersecurity-related technical training provided to individuals before authorizing
access to CDAs or performing assigned duties?
Is cybersecurity-related technical training provided to individuals when required by policy
or procedure changes and plant modifications?
Is cybersecurity-related technical training provided to individuals annually or at an interval
as defined by the organization, whichever is shorter?
Is cybersecurity-related technical training provided to those individuals whose roles and
responsibilities involve designing, installing, operating, maintaining, or administering CDAs
or associated networks?
Does cybersecurity-related technical training include specific cybersecurity and
engineering procedures, practices, and technologies, including implementation methods
and design requirements?
Does cybersecurity-related technical training include general information on cyber
vulnerabilities, potential consequences to CDAs and networks of successful cyber attacks,
and cybersecurity risk reduction methods?
Are system managers, cybersecurity specialists, system owners, network administrators,
and other personnel having access to system-level software provided with securityrelated technical training to perform their assigned duties?
Do individuals who have programmatic and procedural cybersecurity authority and
require the necessary skills and knowledge to execute capabilities expected of a
cybersecurity specialist receive specialized cybersecurity training?
Are the requirements for advanced training for designated security experts or specialists?
Does advanced training include achievement and maintenance of the necessary up-todate skills and knowledge in core competencies of data security, operation system
security, application security, network security, security controls, intrusion analysis,
incident management and response, digital forensics, penetration testing, and plant
system functionality and operations?
Does advanced training include competency in the use of tools and techniques to
physically and logically harden CDAs and networks?
�1081
Training
Nrc_571
1082
Training
Nrc_571
1083
Training
Nrc_571
1084
Training
Nrc_571
1085
Training
Nrc_571
1086
Training
Nrc_571
1087
Training
Nrc_571
1088
Training
Nrc_571
1089
1090
Training
Training
Nrc_571
Nrc_571
1091
Training
Nrc_571
1092
Training
Nrc_571
1093
Training
Nrc_571
1094
Organizational
Nrc_571
1095
Organizational
Nrc_571
1097
1098
1099
1100
Organizational
Organizational
Organizational
Organizational
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Does advanced training include the provision of cybersecurity guidance, assistance, and
training for other staff members?
Does advanced training include the review of programmatic and system-specific
cybersecurity plans and practices?
Does advanced training include the assessment of CDAs, networks, and assets for
compliance with cybersecurity policies?
Does advanced training include the design, acquisition, installation, operation,
maintenance, or administration of security controls?
Is there a cross-functional cybersecurity team (CST)?
Is there a program to share expertise and varied domain knowledge between members of
the CST?
Does the CST include a member of the information technology staff, an instrumentation
and control system engineer, a control system operator, a subject matter expert in
cybersecurity, and a member of the management staff?
Does the cybersecurity subject matter experts' skills include network architecture and
design, security processes and practices, and secure infrastructure design and operation?
Does the CST include the control system vendor or system integrator?
Does the CST periodically report directly to a specified group?
Does the security training describe the physical processes being controlled as well as the
associated CDAs and security controls?
Is there a feedback process for personnel and contractors to refine the cybersecurity
program and address identified training gaps?
Is contact with selected security groups maintained to remain informed of recommended
security practices, techniques, and technologies and to share current security-related
information?
Is the "Cyber Security Sponsor" staffed with a member of senior site management?
Does the "Cyber Security Sponsor" have overall responsibility and accountability for the
cybersecurity program, and do they provide the resources required for the development,
implementation, and sustenance of the cybersecurity program?
provide oversight of the plant cybersecurity operations?
function as a single point of contact for issues related to site cybersecurity?
provide oversight and direction on issues regarding nuclear plant cybersecurity?
initiate and coordinate CSIRT functions?
�1101
1102
Organizational
Organizational
Nrc_571
Nrc_571
1103
Organizational
Nrc_571
1104
Organizational
Nrc_571
1106
Organizational
Nrc_571
1107
Organizational
Nrc_571
1108
Organizational
Nrc_571
1109
Organizational
Nrc_571
1110
Organizational
Nrc_571
1111
Organizational
Nrc_571
1112
Organizational
Nrc_571
1114
Organizational
Nrc_571
1115
1116
1117
1118
Organizational
Organizational
Organizational
Organizational
Nrc_571
Nrc_571
Nrc_571
Nrc_571
1119
Configuration
Management
Nrc_571
1120
1121
1122
Configuration
Management
Configuration
Management
Configuration
Management
coordinate with the NRC during cybersecurity events?
oversee and approve the development and implementation of a cybersecurity plan?
ensure and approve the development and operation of the cybersecurity education,
awareness, and training program?
oversee and approve the development and implementation of cybersecurity policies and
procedures?
protects CDAs from cyber threat?
understand the cybersecurity implications surrounding the overall architecture of plant
networks, control systems, safety systems, operating systems, hardware platforms, plant
specific applications, and the services and protocols upon which those applications rely?
perform cybersecurity evaluations of digital plant systems?
Does the Cyber Security Specialist conduct security audits, network scans, and
penetration tests against CDAs as necessary?
conduct cybersecurity investigations involving compromise of CDAs?
preserve evidence collected during cybersecurity investigations to prevent loss of
evidentiary value?
maintain expert skill and knowledge level in the area of cybersecurity?
personnel have knowledge of cyber forensics and functions in accordance with the
incident response plan?
initiate emergency action when required to safeguard CDAs from compromise?
assist with the eventual recovery of compromised systems?
contain and mitigate incidents involving critical and other support systems?
restore compromised CDAs?
Do the baseline configurations include a current list of all components, configuration of
peripherals, version releases of current software, and switch settings of machine
components?
Nrc_571
Is the minimum physical and logical access defined for the modifications?
Nrc_571
Does the configuration management program address discovered deviations?
Nrc_571
Are white-list, black-list, and gray-list application control technologies used?
�1123
Configuration
Management
Nrc_571
1124
Configuration
Management
Nrc_571
1125
System and Services
Acquisition
Nrc_571
1126
1127
1128
1129
1130
1131
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Is there an automated inventory of the components of CDAs used to detect the addition
of unauthorized components or devices into the environment, and does it disable access
by such components or devices or notify designated officials?
Is there an inventory of the components of CDAs that documents the names or roles of
the individuals responsible for administering those components?
Are all tools used to perform cybersecurity tasks or SSEP functions required to undergo a
commercial qualification process similar to that for software engineering tools that are
used to develop digital instrumentation and control systems?
Do new acquisitions contain security design information, capabilities or both to
implement security controls in Appendix B to RG 5.71?
Do the security capabilities include being cognizant of evolving cybersecurity threats and
vulnerabilities?
Do the security capabilities include being cognizant of advancements in cybersecurity
protective strategies and security controls?
Do the security capabilities include conducting analyses of the effects that each
advancement could have on the security, safety, and operation of critical assets, systems,
CDAs, and networks and implementing these advancements in a timely manner?
Do the security capabilities include replacing legacy systems as they reach end of life with
systems that incorporate security capabilities?
Are timeframes established to minimize the time it takes to deploy new and more
effective protective strategies and security controls?
1132
System Integrity
Nrc_571
Are weak, unproven, or nonstandard cryptographic modules identified and eliminated?
1133
System Integrity
Nrc_571
Are insecure network protocols for sensitive communications identified and eliminated?
1134
System Integrity
Nrc_571
1135
System Integrity
Nrc_571
1136
System Integrity
Nrc_571
1137
1138
System Integrity
System Integrity
Nrc_571
Nrc_571
Are insecure configuration files or options that act to control features of the application
identified and eliminated?
Are inadequate or inappropriate use of access control mechanisms to control access to
system resources identified and eliminated?
Are inappropriate privileges being granted to users, processes, or applications identified
and eliminated?
Are weak authentication mechanisms identified and eliminated?
Are improperly or failing to validate input and output data identified and eliminated?
�1139
System Integrity
Nrc_571
1140
1141
1142
1143
System Integrity
System Integrity
System Integrity
System Integrity
Nrc_571
Nrc_571
Nrc_571
Nrc_571
1144
System Integrity
Nrc_571
1145
System Integrity
Nrc_571
1146
System Integrity
Nrc_571
1147
System Integrity
Nrc_571
1148
1149
1150
1151
1152
1153
1154
1155
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Are insecure or inadequate logging of system errors or security-related information
identified and eliminated?
Are format string vulnerabilities identified and eliminated?
Are privilege escalation vulnerabilities identified and eliminated?
Are unsafe database transactions identified and eliminated?
Are unsafe use of native function calls identified and eliminated?
Are hidden functions and vulnerable features embedded in the code identified and
eliminated?
Are implemented security features that increase the risk of security vulnerabilities,
increase susceptibility to cyber attack, or reduce the reliability of design-basis functions
identified and eliminated?
Is the use of unsupported or undocumented methods or functions identified and
eliminated?
Is the use of undocumented code or malicious functions that might allow either
unauthorized access or use of the system or the system to behave beyond the system
requirements identified and eliminated?
Is there documentation of the system design transformed into code, database structures,
and related machine executable representations?
Is there documentation of the communication configuration and setup?
Are the results of the developer's security testing conducted in accordance with Section
12.5 of RG 5.71 verified and validated?
Are CDA security devices, security controls, and software tested to ensure that they do
not compromise the CDA or the operation of an interconnected CDA operation before
installation?
Are CDAs tested to ensure they do not provide a pathway to compromise the CDA or
other CDAs?
Are the security controls in Appendixes B and C to RG 5.71 implemented in accordance
with the process described in Section 3.1.6 of Appendix A to RG 5.71?
Are the security controls tested for effectiveness, as described in Section 4.1.2 of
Appendix A to RG 5.71?
Are vulnerability scans performed in accordance with Section 4.1.3 of Appendix A to RG
5.71 and Section 13.1 of this plan?
�1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Nrc_571
Are vulnerability scans performed against the CDA in its integrated state and correction,
elimination, or discussion of discovered vulnerabilities?
Nrc_571
Is the CDA installed and tested in the target environment?
Nrc_571
Is there an acceptance review and test of the CDA security features?
Nrc_571
Are the security controls implemented in accordance with Appendix B of RG 5.71?
Nrc_571
Nrc_571
Is the effectiveness of the security controls implemented in accordance with Appendix C
verified?
Are the security design features developed to address the identified security
requirements for the CDA documented?
Nrc_571
Are the security controls implemented in accordance with Appendix B to 5.7.1?
Nrc_571
Does the documentation include a description of the feature, its method of
implementation, and any configurable options associated with the feature?
Nrc_571
Is each security feature traceable to its corresponding security requirement?
Nrc_571
Are the security reviews of the implemented design by the cybersecurity organization
responsible for the protection of the critical assets/systems/networks?
Does the security review ensure that the security design configuration item
transformations from the requirements implemented are correct, accurate, and
complete?
Are annual audits of CDAs required to verify the security controls present during testing
remain in place and are functioning correctly in the production system?
Are annual audits of CDAs required to verify CDAs are free from known vulnerabilities and
security compromises and continue to provide information on the nature and extent of
compromises?
1166
System and Services
Acquisition
Nrc_571
1167
System and Services
Acquisition
Nrc_571
1168
System and Services
Acquisition
Nrc_571
1169
Monitoring & Malware Nrc_571
Are SSEP functions not adversely impacted by the scanning process?
1170
Monitoring & Malware Nrc_571
If SSEP functions are adversely impacted by the scanning process, are the CDAs removed
from service or replicated before scanning is conducted, or is scanning scheduled to occur
during planned CDA maintenance cycles?
�1171
Monitoring & Malware Nrc_571
1172
Monitoring & Malware Nrc_571
1173
1174
1175
1176
1177
1178
1179
1584
1585
1828
1
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Organizational
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Policies & Procedures
General
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Nrc_571
Where the organization cannot conduct vulnerability scanning on a production CDA
because of the potential for an adverse impact on SSEP functions, alternate controls are
employed?
Are historic audit logs reviewed to determine if a vulnerability identified in the CDA has
been previously exploited?
Are protection and mitigation of risk achieved by implementing the defense-in-depth
strategies discussed in Section 3.2 of RG 5.71?
Are protection and mitigation of risk achieved by implementing the security controls
described in Appendixes B and C to RG 5.71?
Are protection and mitigation of risk achieved by implementing digital equipment and
software cyber attack detection, prevention, and recovery techniques and tools to the
systems, structures, and components within the scope of the rule?
Are protection and mitigation of risk achieved by implementing Section 4 of Appendix A
of RG 5.71?
Is there detailed information on how these requirements are implemented to achieve the
high assurance objectives of security controls specified in this plan?
Nrc_571
Is the detailed information available for NRC inspections and audits?
Nrc_571
Is the corrective action program criteria consistent with RG 5.71 for adverse conditions
and the requirements for corrective action implemented and documented?
Tsa
Tsa
Tsa
Universal
2
Policies & Procedures
General
Universal
3
Policies & Procedures
General
Universal
Has a risk assessment been conducted to weigh the benefits of implementing wireless
networking against the potential risks for exploitation?
Has the need for enhanced networking control technologies for wireless networks been
evaluated prior to implementation?
Has an assessment of wireless networking risk been performed before implementation?
Are security policies and procedures implemented to define roles, responsibilities,
behaviors, and practices of an overall security program?
Does the security team assign roles and responsibilities in accordance with the policies
and confirm that processes are in place to protect company assets and critical
information?
Do the security policies and procedures ensure coordination or integration with the
physical security plan?
�4
Policies & Procedures
General
Universal
5
Policies & Procedures
General
Universal
6
Policies & Procedures
General
Universal
7
Plans
Universal
8
Policies & Procedures
General
Universal
9
Plans
Universal
10
Plans
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Universal
11
12
13
14
15
16
Universal
Universal
Universal
Universal
Universal
Universal
17
Policies & Procedures
General
Universal
18
Policies & Procedures
General
Universal
Do the security policies and procedures delineate how the organization implements its
emergency response plan and coordinates efforts with law enforcement agencies,
regulators, Internet service providers, and other relevant organizations in the event of a
security incident?
Are the external suppliers and contractors that can impact system security held to the
same security policies and procedures as the organization's own personnel?
Do the security policies and procedures of second and third-tier suppliers that can impact
system security comply with the procuring organizations corporate cyber security policies
and procedures?
Are there policies and procedures for the delivery and removal of system assets in the
system security plan?
Are policies and procedures in place to enforce explicit rules and management
expectations governing user installation of software?
Does the security plan define and communicate the specific roles and responsibilities in
relation to various types of incidents?
Is the security plan regularly tested to validate the system objectives?
Does the organization manage system-related data for both electronic and paper data
and manage access to the data based on formally assigned roles and responsibilities?
Are there policies and procedures detailing the handling of information and are they
periodically reviewed and updated?
Are there policies and procedures for the classification of data, both electronic and paper
media?
Do the data policies and procedures establish retention policies and procedures for both
electronic and paper media?
Do the data policies and procedures address sharing, copying, transmittal, and
distribution appropriate for the level of protection required?
Do the data policies and procedures establish access to the data based on formally
assigned roles and responsibilities for the system?
Do the policies and procedures detail the retrieval of written and electronic records,
equipment, and other media for the system in the overall information and document
management policy?
Do the policies and procedures detail the destruction of written and electronic records,
equipment, and other media for the system, without compromising the confidentiality of
the data?
�19
Policies & Procedures
General
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Policies & Procedures
General
Configuration
Management
Policies & Procedures
General
Policies & Procedures
General
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
Policies
44
Policies
20
21
22
23
Universal
Are there policies and procedures to upgrade existing legacy control systems to include
security mitigating measures commensurate with the organization's risk tolerance and
the risk to the system and processes controlled?
Universal
Are maintenance authorization and approval policies and procedures documented?
Universal
Universal
Are policies and procedures implemented to address the addition, removal, and disposal
of all system equipment?
Are roles and responsibilities established that address the overlap and synergy between
physical and system security risks?
Universal
Is there a list of personnel authorized to perform maintenance on the system?
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
System Security Policy
Planning Policy
Personnel Security Policy
Physical and Environmental Policy
System and Services Acquisition Policy
Configuration Management Policy
System and Communication Protection Policy
Information and Document Management Policy
Maintenance Policy
Awareness and Training Policy
Incident Response Policy
Media Protection Policy
System Control and Integrity Policy
Access Control Policy
Identification and Authentication Policy
Audit and Accountability Policy
Monitoring and Review Policy
Security Assessment Policy
Cryptographic Policy
Risk Assessment Policy
Does the system security policy address the purpose of the security program as it relates
to protecting the organization's personnel and assets?
Universal
�45
Policies
Universal
46
Policies
Universal
47
Policies
Universal
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Policies & Procedures
General
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
68
Procedures
Universal
69
70
71
72
Plans
Plans
Plans
Plans
Universal
Universal
Universal
Universal
67
Universal
Does the system security policy address the scope of the security program as it applies to
all organizational staff and third-party contractors?
Are there legal reviews of the retention policies to ensure compliance with all applicable
laws and regulations?
Are periodic reviews of compliance with the system information and document security
management policy performed to ensure compliance with any laws and regulatory
requirements?
Security Procedure
Personnel Security Procedure
Physical and Environmental Procedure
System and Services Acquisition Procedure
Configuration Management Procedure
Strategic Planning Procedure
System and Communication Protection Procedure
Information and Document Management Procedure
Maintenance Procedure
Awareness and Training Procedure
Incident Response Procedure
Media Protection Procedure
System Control and Integrity Procedure
Access Control Procedure
Identification and Authentication Procedure
Audit and Accountability Procedure
Monitoring and Review Procedure
Risk Assessment Procedure
Security Assessment Procedure
Are procedures established to remove external supplier physical and electronic access at
the conclusion/termination of the contract in a timely manner?
Does a process exist to monitor changes to the system and conduct security impact
analyses to determine the effects of the changes?
Configuration Management Plan
Security Plan
Continuity of Operations Plan
Incident Response Plan
�73
74
Plans
Plans
Universal
Universal
75
Plans
Universal
76
77
Plans
Plans
Universal
Universal
Security Program Plan
Critical Infrastructure Plan
Is the risk assessment plan updated annually or whenever significant changes occur to the
system, the facilities where the system resides, or other conditions that may affect the
security or accreditation status of the system?
Does the security plan align with the organization's enterprise architecture?
Does the security plan explicitly define the authorization boundary of the system?
78
Plans
Universal
Does the security plan describe the relationships with or connections to other systems?
79
Plans
Universal
Does the security plan provide an overview of the security requirements for the system?
80
Plans
Universal
81
Plans
Universal
82
Plans
Universal
Does the security plan describe the security controls in place or planned?
Is the authorizing official or designated representative who reviews and approves the
system security plan specified?
Is the security plan for the system reviewed on a defined frequency, annually at a
minimum?
83
Plans
Universal
Does the security plan limit data ports, physical access, specific data technology, impose
additional physical and electronic inspections and physical separation requirements?
84
Plans
Universal
Is the security plan revised to address changes to the system/environment or problems
identified during plan implementation or security control assessments?
85
Plans
Universal
Does the configuration management plan define the configuration items for the system?
86
Plans
Universal
87
Plans
Universal
88
Plans
Universal
89
Continuity
Universal
90
Continuity
Universal
Does the configuration management plan define when the configuration items are placed
under configuration management?
Does the configuration management plan define the means for uniquely identifying
configuration items throughout the system development life cycle?
Does the configuration management plan define the process for managing the
configuration of the configuration items?
Does the continuity of operations plan address the issue of maintaining or re-establishing
production in case of an undesirable interruption for the system?
Do designated officials review and approve the continuity of operations plan?
�Does the continuity of operations plan delineate that at the time of the disruption to
normal system operations, the organization executes its incident response policies and
procedures to place the system in a safe configuration and initiates the necessary
notifications to regulatory authorities?
Is the continuity of operations plan tested to determine its effectiveness, and are the
results documented?
Do the appropriate officials review the documented test results and initiate corrective
actions if necessary?
Is the continuity of operations plan tested at least annually, using organization-prescribed
tests and exercises?
Is the continuity of operations plan testing and exercises coordinated with the
organizational elements responsible for related plans?
91
Continuity
Universal
92
Continuity
Universal
93
Continuity
Universal
94
Continuity
Universal
95
Continuity
Universal
96
Continuity
Universal
97
Continuity
Universal
98
Continuity
Universal
99
Plans
Universal
100
Plans
Universal
101
Plans
Universal
Is the incident response plan revised to address system/organizational/operational
changes or problems encountered during plan implementation, execution, or testing?
102
Plans
Universal
Are incident response plan changes communicated to active incident response personnel?
103
Plans
Universal
104
Plans
Universal
105
106
Plans
Plans
Universal
Universal
Is the continuity of operations plan tested and exercised at the alternate processing site?
Are exercises used to thoroughly and effectively test and exercise the continuity of
operations plan?
Is the continuity of operations plan reviewed at least annually and updated to address
system, organizational, and technology changes or problems encountered during plan
implementation, execution, or testing?
Are copies of the incident response plan distributed to active incident response
personnel?
Is the incident response plan reviewed on a periodic frequency?
Is the incident response investigation and analysis process developed, tested, deployed,
and documented?
Are roles and responsibilities specified with respect to local law enforcement and/or
other critical stakeholders in an internal and shared incident response investigation and
analysis program?
Has a risk management plan been developed?
Does a senior official review and approve the risk management plan?
�107
Plans
Universal
108
Plans
Universal
109
Plans
Universal
110
Plans
Universal
111
Plans
Universal
112
Plans
Universal
113
Plans
Universal
114
Plans
Universal
115
Plans
Universal
116
Plans
Universal
117
Plans
Universal
118
Plans
Universal
119
Plans
Universal
120
Plans
Universal
121
Plans
Universal
122
Plans
Universal
Is there a current plan of action and milestones for the system that documents the
planned, implemented, and evaluated remedial actions to correct weaknesses or
deficiencies noted during the assessment?
Is the plan of action reviewed at least annually?
Is there a process for ensuring that the action plan and milestones for the security
program and the associated organizational systems are maintained?
Does the security plan provide sufficient information about the program management
controls and common controls to enable an implementation that is unambiguously
compliant with the intent of the plan and a determination of the risk to be incurred if the
plan is implemented as intended?
Does the security program plan include roles, responsibilities, management commitment,
coordination among organizational entities, and compliance?
Is the security plan approved by a senior official with responsibility and accountability for
the risk being incurred to organizational operations, organizational assets, individuals, and
other organizations?
Is the organization-wide security plan reviewed on a defined frequency, at least annually?
Is the security plan revised to address organizational changes and problems identified
during plan implementation or security control assessments?
Does the incident response plan provide a roadmap for implementing the incident
response capability?
Does the incident response plan describe the structure and organization of the incident
response capability?
Does the incident response plan provide a high-level approach for how the incident
response capability fits into the overall organization?
Does the incident response plan meet the unique requirements of the organization's
mission, function, size, and structure?
Does the incident response plan define reportable incidents?
Does the incident response plan provide metrics for measuring the incident response
capability?
Are security issues addressed in the development, documentation, and updating of a
critical infrastructure and key resources protection plan?
Is the investigation and analysis of system incidents included in the planning process?
�123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Plans
Risk Management and
Assessment
Risk Management and
Assessment
Organizational
Universal
Are the security controls in the system assessed on a defined frequency, at least annually,
to determine the extent the controls are implemented correctly, operating as intended,
and producing the desired outcome?
Universal
Is a security assessment report produced that documents the results of the assessment?
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Are periodic, unannounced, in-depth monitoring, penetration testing, and red team
exercises included as part of the security control assessments?
Are the system connections monitored on an ongoing basis verifying enforcement of
documented security requirements?
Are the security mechanisms in the system monitored on an ongoing basis? (audit,
studies, analysis, etc.)
Are the security mechanisms that are volatile or critical to protecting the system assessed
at least annually?
Are all noncritical or nonvolatile security mechanisms assessed at least once during the
system's 3-year accreditation cycle for regulated systems?
Is there an independent assessor or assessment team to monitor the security controls in
the system on an ongoing basis?
Are information and systems categorized in accordance with applicable management
orders, policies, regulations, standards, and guidance?
Universal
Are the security categorization results documented in the system security plan?
Universal
Is the security categorization decision reviewed and approved by the authorizing official?
Universal
Universal
Universal
Are potential security threats, vulnerabilities, and consequences identified, classified,
prioritized, and analyzed using accepted methodologies?
Does the plan of action call out remedial security actions to mitigate risk to organizational
operations and assets, individuals, other organizations?
Is there a comprehensive strategy to manage risk to organizational operations and assets,
individuals, other organizations?
Universal
Is the risk management strategy implemented consistently across the organization?
Universal
Is there a defined framework of management leadership accountability that establishes
roles and responsibilities to approve cybersecurity policy, assign security roles, and
coordinate the implementation of cybersecurity?
�139
Policies
Universal
140
Organizational
Universal
141
Organizational
Universal
142
Organizational
Universal
143
144
Policies & Procedures
General
Risk Management and
Assessment
Universal
Universal
Does sufficient authority and an appropriate level of funding exist to implement the
security policy?
Do contracts with external entities address security policies and procedures with business
partners, third-party contractors, and outsourcing partners?
Does the mission/business case planning include a determination of system security
requirements?
Does the capital planning and investment control process include the determination,
documentation, and allocation of the resources required to protect the system?
Is the system managed using a system development life-cycle methodology that includes
security considerations?
Are risk-reduction mitigation measures planned and implemented, and the results
monitored to ensure effectiveness of the risk management plan?
Are a set of rules that describes the system users responsibilities and expected behavior
established and made available?
Are security-related activities affecting the system planned and coordinated before
conducting such activities to reduce the impact on organizational operations,
organizational assets, or individuals?
Does the system design and implementation process define the security roles and
responsibilities for the users of the system?
Are individuals with system security roles and responsibilities identified?
Does the security program implement continuous improvement practices to ensure that
industry lessons learned and best practices are incorporated into system security policies
and procedures?
145
Organizational
Universal
146
Organizational
Universal
147
Organizational
Universal
148
Organizational
Universal
149
Organizational
Universal
150
Policies
Universal
Is there a process for monitoring and reviewing the performance of cybersecurity policy?
151
Organizational
Universal
152
Organizational
Universal
153
Organizational
Universal
154
Organizational
Universal
155
Organizational
Universal
Are industry best practices incorporated into the security program?
Is the system authorized before being placed into operations and is the authorization
updated on a defined frequency or when significant changes occur?
Does a senior official sign and approve the security accreditation?
Is an independent certification agent or certification team used to assess the security
mechanisms in the system?
Does the authorizing official decide on the required level of certifier independence based
on the criticality and sensitivity of the system and the ultimate risk to operations and
organizational assets and individuals?
�156
Organizational
Universal
Does the authorizing official determine if the level of certifier independence is sufficient
to provide confidence that the assessment results produced are sound and can be used to
make a credible, risk-based decision?
157
Organizational
Universal
Has the authorizing official consulted with representatives of the appropriate regulatory
bodies, the senior agency information security officer, and the chief information officer to
fully discuss the implications of any decisions on certifier independence.
158
Organizational
Universal
159
Organizational
Universal
160
161
Organizational
Organizational
Universal
Universal
162
Monitoring & Malware Universal
163
Organizational
Universal
164
Organizational
Universal
165
Organizational
Universal
166
Organizational
Universal
167
Organizational
Universal
168
Organizational
Universal
Is a senior security officer appointed with the mission and resources to coordinate,
develop, implement, and maintain an organization-wide security program?
Do all capital planning and investment requests include the resources needed to
implement the security program, and are exceptions documented?
Is a business case used to record the resources required?
Are security resources available for expenditure as planned and approved?
Are the results of security measures of performance monitored and reported?
Is the security state of organizational systems managed through security authorization
processes?
Is the security authorization processes fully integrated into an organization-wide risk
management strategy?
Are the mission/business processes defined with consideration for security and the
resulting risk to organizational operations, organizational assets, individuals, other
organizations, and the nation?
Are protection needs arising from the defined mission/business processes determined
and the processes revised as necessary until an achievable set of protection needs is
obtained?
Is the independent certification agent or certification team an individual or group capable
of conducting an impartial assessment of an organizational control system?
Is the system owner prevented from being directly involved in the contracting process
and from unduly influencing the independence of the certification agent or certification
team conducting the assessment of the security mechanisms in the system?
�In special situations, is the independence of the certification process achieved by ensuring
the assessment results are carefully reviewed and analyzed by an independent team of
experts to validate the completeness, consistency, and veracity of the results?
169
Organizational
Universal
170
Personnel
Universal
171
172
Personnel
Personnel
Universal
Universal
173
Personnel
Universal
174
Personnel
Universal
175
Personnel
Universal
176
Personnel
Universal
177
Personnel
Universal
Are all required controls for employees terminated for cause completed within 24 hours?
178
Personnel
Universal
Are automated processes used to revoke access permissions for terminated employees?
179
Personnel
Universal
180
Personnel
Universal
181
Policies & Procedures
General
Universal
182
Personnel
Universal
183
Personnel
Universal
184
Personnel
Universal
Is a risk designation assigned to all positions and are screening criteria established for
individuals filling those positions?
Are position risk designations periodically reviewed and revised?
Are individuals requiring access screened before access is authorized?
Are individuals with access rescreened based on a defined list of conditions and
frequency?
Is the logical and physical access to systems and facilities revoked for terminated
employees?
Does the organization ensure all organization-owned property is returned for terminated
employees?
Are documents and data files in the terminated employee's possession transferred to new
authorized owners?
Are electronic and physical access permissions reviewed when individuals are reassigned
or transferred?
Are electronic and physical access permissions reviewed within 7 days when individuals
are reassigned or transferred?
Are security controls for third-party personnel enforced, and is service provider behavior
and compliance monitored?
Does a formal accountability process exist that clearly documents potential disciplinary
actions for failing to comply?
Are employees and contractors provided with complete job descriptions including
detailed expectations of conduct, duties, terms and conditions of employment, legal
rights, and responsibilities?
Do employees and contractors acknowledge understanding of the job description by
signature?
�Are periodic reviews of physical and electronic access conducted to validate terminated
account access was removed?
Is training on the implementation of the system security plan included for employees,
contractors, and stakeholders?
185
Personnel
Universal
186
Training
Universal
187
Training
Universal
Is basic security awareness training provided to all system users before authorizing access
to the system, when required by system changes and at least annually thereafter?
188
Training
Universal
Is the effectiveness of security awareness training reviewed once a year at a minimum?
189
Training
Universal
190
Training
Universal
191
Training
Universal
192
Training
Universal
193
Training
Universal
194
Training
Universal
195
Training
Universal
196
Training
Universal
197
Training
Universal
198
Training
Universal
199
Account Management
Universal
Are system accounts identified by account type and managed?
200
Account Management
Universal
Do system accounts have conditions for group membership?
Are all system design and procedure changes reviewed for inclusion in the organization
security awareness training?
Are practical exercises included in the security awareness training that simulate actual
cyber attacks?
Are system security roles and responsibilities defined and documented throughout the
system development life cycle, and are the individuals who have these roles and
responsibilities identified and trained?
Is security-related technical training provided before authorizing access to the system or
performing assigned duties, when required by system changes and on an periodic basis?
Are individual system security training activities documented, maintained, and
monitored?
Is contact with security groups and associations established and maintained?
Is the knowledge of personnel on security policies and procedures based on their roles
and responsibilities documented and tested?
Is refresher training provided on a defined frequency, at least annually?
Are simulated events incorporated into continuity of operations training to facilitate
effective response by personnel in crisis situations?
Are automated mechanisms used to provide a thorough and realistic system training
environment?
�201
Account Management
Universal
Are the access rights and privileges specified, and are authorized users identified for
system accounts?
202
Account Management
Universal
Are appropriate approvals required for requests to establish accounts?
203
Account Management
Universal
Are system accounts authorized, established, activated, modified, disabled, and
removed?
204
Account Management
Universal
Are system accounts reviewed on a defined frequency?
205
Account Management
Universal
Is the use of guest/anonymous accounts specifically authorized and monitored?
206
Account Management
Universal
207
Account Management
Universal
208
Account Management
Universal
209
Account Management
Universal
210
Account Management
Universal
211
Account Management
Universal
212
Account Management
Universal
213
Account Management
Universal
Are user account names different than email user accounts?
214
Account Management
Universal
Is there an official assigned to authorize a user or device identifier?
215
Account Management
Universal
Are identifiers selected that uniquely identify an individual or device?
216
Account Management
Universal
Are the user identifiers assigned to the intended party or the device identifier to the
intended device?
Are account managers notified when system users are terminated, transferred, or system
usage or need-to-know/need-to-share changes?
Is access to the system granted based on a valid need-to-know or need-to-share as
determined by official duties and satisfying all security criteria?
Are automated mechanisms such as active directory used to support the management of
system accounts?
Does the system automatically terminate temporary and emergency accounts after a
defined time period for each type of account?
Does the system automatically disable inactive accounts after a defined time period?
Does the system automatically audit account creation, modification, disabling, and
termination actions and notify appropriate individuals?
Are currently active system accounts reviewed on a defined frequency to verify that
temporary accounts and accounts of terminated or transferred users have been
deactivated?
�217
Account Management
Universal
Are previous user or device identifiers archived?
218
Account Management
Universal
Is there a mechanism in place to verify the identity whenever an authenticator (password,
token) is created, distributed, or modified?
219
Account Management
Universal
Is the initial authenticator content for organization-defined authenticators established?
220
Account Management
Universal
Do authenticators have sufficient strength of mechanism for their intended use?
221
Account Management
Universal
Are there administrative procedures for initial authenticator distribution, for
lost/compromised or damaged authenticators, and for revoking authenticators? (e.g.,
passwords, tokens, cards, etc.)
222
Account Management
Universal
Is the default content of authenticators changed on system installation?
223
Account Management
Universal
224
Account Management
Universal
225
Account Management
Universal
226
Account Management
Universal
227
Account Management
Universal
228
Account Management
Universal
229
Account Management
Universal
230
Account Management
Universal
231
Account Management
Universal
232
Account Management
Universal
Is the separation of duties implemented through assigned system access authorizations?
233
Access Control
Universal
Is the concept of least privilege used to accomplish assigned tasks?
Are there minimum and maximum lifetime restrictions and reuse conditions for
authenticators?
Are authenticators changed or refreshed periodically as appropriate for authenticator
type?
Is authenticator content protected from unauthorized disclosure and modification? (i.e.,
not transmitting over email as open text)
Are users required to take, and devices implement, specific measures to safeguard
authenticators?
Are certificates validated for PKI-based authentication by constructing a certification path
with status information to an accepted trust anchor?
Is the registration process to receive a user authenticator carried out in person before a
designated registration authority?
Are automated tools used to determine if authenticators are sufficiently strong to resist
attacks intended to discover or otherwise compromise the authenticators?
Are unique authenticators required to be provided by vendors and manufacturers of
system components?
Is there a division of responsibilities and separation of duties of individuals to eliminate
conflicts of interest?
�234
Account Management
Universal
235
Account Management
Universal
236
Account Management
Universal
237
Account Management
Universal
238
Account Management
Universal
239
Access Control
Universal
240
Access Control
Universal
241
Access Control
Universal
242
Access Control
Universal
243
Access Control
Universal
244
Access Control
Universal
245
Access Control
Universal
246
247
Access Control
Access Control
Universal
Universal
248
Access Control
Universal
249
Access Control
Universal
Is access to a defined list of security functions and security-relevant information explicitly
authorized?
Are users of system accounts with access to a defined list of security functions or securityrelevant information required to use nonprivileged accounts when accessing other system
functions?
Is network access to defined privileged commands authorized only for compelling
operational needs and is the rationale documented?
Does the system enforce authorized access to the corresponding private key for PKIbased authentication?
Does the system map the authenticated identity to the user account for PKI-based
authentication?
Are periodic reviews conducted of existing authorized physical and electronic access
permissions to ensure they are current?
Are appropriate agreements finalized before access is granted, including for third parties
and contractors?
Are access agreements periodically reviewed and updated?
Are security measures in place to restrict information input to the system to authorized
personnel only?
Has a signed acknowledgement been obtained from users indicating that they have read,
understand, and agree to abide by the rules of behavior before authorizing access to the
system?
Are explicit restrictions on the use of social networking sites, posting information on
commercial Web sites, and sharing system account information included in the rules of
behavior?
Do electronic monitoring mechanisms alert system personnel when unauthorized access
or an emergency occurs?
Is public access to the system denied?
Is business IT and general corporation access to the system NOT permitted?
Does the system enforce assigned authorizations for controlling electronic access to the
system?
Are access control policies and associated access mechanisms to control access to the
system?
�Does the system enforce defined nondiscretionary access control policies over a defined
set of users and resources that specify the access control information employed and the
required relationships among the access control information to permit access?
250
Access Control
Universal
251
Access Control
Universal
252
253
Access Control
Access Control
Universal
Universal
254
Access Control
Universal
255
Access Control
Universal
256
Access Control
Universal
257
Access Control
Universal
258
Access Control
Universal
259
Access Control
Universal
Does the system authenticate devices before establishing remote network connections
using bi-directional authentication between devices that are cryptographically based?
260
Access Control
Universal
Does the system authenticate devices before establishing network connections, using
bidirectional authentication between devices that are cryptographically based?
261
Access Control
Universal
Do the authentication mechanisms obscure feedback of authentication information
during the authentication process (i.e., does not return any system specific information)?
262
Access Control
Universal
263
Access Control
Universal
264
Access Control
Universal
265
Access Control
Universal
Does the system prevent access to security-relevant information (except during secure
nonoperable system states)?
Does the system uniquely identify and authenticate organizational users?
Does the system employ multifactor authentication for remote access?
Does the system employ multifactor authentication for network access and for access to
privileged accounts?
Does the system employ multifactor authentication for local system access for all users?
Are specific user actions that can be performed on the system without identification or
authentication identified and documented?
Are actions to be performed without identification and authentication permitted only to
the extent necessary to accomplish mission objectives?
Is a device verified against a pre-defined list of authorized devices before a connection is
established? (e.g., Active Directory policy or firewall rules.)
Does the system employ authentication methods that meet the requirements of
applicable policies, standards, and guidance for authentication to a cryptographic
module?
If your authentication encryption module fails can you still authenticate without creating
a denial of service that impacts operational performance of system?
Are there policies and procedures concerning the generation and use of passwords?
Do the password policies stipulate rules of complexity, based on the criticality level of the
systems to be accessed?
�266
Access Control
Universal
267
Access Control
Universal
268
Access Control
Universal
269
Access Control
Universal
270
Access Control
Universal
271
272
Access Control
Access Control
Universal
Universal
273
Access Control
Universal
274
275
Access Control
Access Control
Universal
Universal
276
Access Control
Universal
277
Access Control
Universal
278
Access Control
Universal
279
Access Control
Universal
280
Access Control
Universal
Does system deployment require two-factor authentication or comparable compensating
measures?
Does the system display an approved system use notification message or banner before
granting access to the system?
Does the banner provide privacy and security notices consistent with applicable policies,
regulations, standards, and guidance and state that: (a) users are accessing a private or
government system; (b) system usage may be monitored, recorded, and subject to audit;
(c) unauthorized use of the system is prohibited and subject to criminal and civil penalties;
and (d) use of the system indicates consent to monitoring and recording?
Does the system retain the notification message or banner on the screen until users take
explicit actions to log on to or further access the system?
Does the system: (a) display the system use information before granting further access;
(b) ensure that any references to monitoring, recording, or auditing are consistent with
privacy accommodations for such systems that generally prohibit those activities; and (c)
include a description of the authorized uses of the system?
Are the number of concurrent sessions for any user limited?
Does the system log both successful and unsuccessful logon attempts?
Does the system notify the user upon successful logon of the number of unsuccessful
logon attempts since the last successful logon?
Does the system notify the user/admin of unsuccessful logon attempts?
Does the system capture security-related changes to the user's account?
Does the system enforce a limit of a defined number of consecutive invalid access
attempts by a user during a defined time period?
Does the system automatically lock the account/node for a defined time period, delaying
the next login prompt when the maximum number of unsuccessful attempts are
exceeded?
Does the system automatically lock the account/node until released by an administrator
when the maximum number of unsuccessful attempts is exceeded?
Does the system prevent further access to the system by initiating a session lock after a
defined time period of inactivity or a user initiated session lock?
Does the system retain the session lock until the user re-establishes access using
appropriate identification and authentication procedures?
�Universal
Does the system session lock mechanism place a publicly viewable pattern onto the
associated display hiding what was previously visible on the screen?
Does the system terminate a network connection at the end of a session or after a
defined time period of inactivity?
281
Access Control
282
Remote Access Control Universal
283
Remote Access Control Universal
Is automatic session termination applied to local and remote sessions?
284
Remote Access Control Universal
Does the system terminate a network connection at the end of a session or after a period
of inactivity?
285
Remote Access Control Universal
Are allowed methods of remote access to the system documented?
286
Remote Access Control Universal
Are there usage restrictions and implementation guidance for each allowed remote
access method?
287
Remote Access Control Universal
Does remote access to the network require authentication prior to system connection?
288
Remote Access Control Universal
Are the requirements for remote connections to the system enforced?
289
Remote Access Control Universal
290
Remote Access Control Universal
291
Remote Access Control Universal
292
Remote Access Control Universal
293
Remote Access Control Universal
294
Remote Access Control Universal
295
Remote Access Control Universal
296
Remote Access Control Universal
Are all the methods of remote access to the system authorized, monitored, and
managed?
Are automated mechanisms used to facilitate the monitoring and control of remote
access methods?
Is cryptography used to protect the confidentiality and integrity of remote access
sessions?
Does the system route all remote accesses through a limited number of managed access
control points?
Is remote access for privileged commands and security-relevant information authorized
only for compelling operational needs and is the rationale for such access documented?
Is Bluetooth wireless networking capability disabled except for explicitly identified
components in support of specific operational requirements?
Are there mechanisms in the design and implementation of the system to restrict access
to the system from the enterprise network? (firewall, DMZ, VPN)
Are the terms and conditions established for authorized individuals to access the system
from an external system?
�297
Remote Access Control Universal
298
Remote Access Control Universal
299
Remote Access Control Universal
300
301
302
303
304
305
306
307
308
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Universal
Are the terms and conditions established for authorized individuals to process, store, and
transmit organization-controlled information using an external system?
Are authorized individuals prohibited from using an external system to access the system
or to process, store, or transmit organization-controlled information except in situations
where the organization: (a) can verify the implementation of required security controls on
the external system as specified in the organization's security policy and security plan, or
(b) has approved system connection or processing agreements with the organizational
entity hosting the external system?
Are restrictions imposed on authorized individuals with regard to the use of organizationcontrolled removable media on external systems?
Are usage restrictions and implementation guidance established for organizationcontrolled mobile devices?
Universal
Is mobile device connection to the system authorized?
Universal
Are requirements for mobile device connection to the system enforced?
Universal
Is the capability for automatic execution of code on removable media disabled?
Universal
Universal
Are specially configured mobile devices issued to individuals traveling to locations of
significant risk per policies and procedures?
Are specified measures applied to mobile devices returning from locations of significant
risk per policies and procedures?
Universal
Is the use of writable, removable media restricted on the system?
Universal
Is the use of personally owned, removable media prohibited on the system?
Universal
Is the use of removable media with no identifiable owner prohibited on the system?
309
Portable/Mobile/Wirel
Universal
ess
310
Portable/Mobile/Wirel
Universal
ess
Are usage restrictions and implementation guidance established for mobile code
technologies based on the potential to cause damage to the system if used maliciously?
(Java, JavaScript, ActiveX, Postscript, etc.)
Is the use of mobile code documented, monitored, and managed? (Java, JavaScript,
ActiveX, Postscript, etc.)
�311
312
313
314
315
316
317
318
319
320
321
322
323
324
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Universal
Do appropriate officials authorize the use of mobile code?
Universal
Does the system implement detection and inspection mechanisms to identify
unauthorized mobile code and take corrective actions?
Universal
Are there use restrictions and implementation guidance for wireless technologies?
Universal
Is wireless access to the system authorized, monitored, and managed?
Universal
Universal
Universal
Universal
Portable/Mobile/Wirel
Universal
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Portable/Mobile/Wirel
ess
Universal
Is authentication and encryption used to protect wireless access to the system and the
latency induced does NOT degrade the operational performance of the system?
Is the system scanned for unauthorized wireless access points at a specified frequency,
and is appropriate action taken if such access points are discovered?
Is there a thorough scan for unauthorized wireless access points in facilities containing
high-impact systems?
Does the system protect wireless access using authentication and encryption?
Are unauthorized remote connections to the system monitored, including scanning for
unauthorized mobile or wireless access points on a defined frequency and is appropriate
action taken if an unauthorized connection is discovered?
Are wireless networking capabilities internally embedded within system components
disabled prior to issue when not intended for use?
Universal
Are users NOT allowed to independently configure wireless networking capabilities?
Universal
Are users prohibited from establishing wireless networks?
Universal
Universal
325
System Protection
Universal
326
System Protection
Universal
Do you employ rigorous security measures for remote sessions with administrative
privileges and are they audited?
Is peer-to-peer wireless networking capability disabled except for explicitly identified
components in support of specific operational requirements?
Does the system isolate (e.g., through partitions, domains, security zones, etc.) security
functions (e.g., enforcing access and information flow control) functions from nonsecurity
functions?
Does the system isolate security functions from both nonsecurity functions and from
other security functions?
�327
System Protection
Universal
328
System Protection
Universal
329
System Protection
Universal
330
331
System Protection
System Protection
Universal
Universal
332
System Protection
Universal
333
System Protection
Universal
334
System Protection
Universal
335
System Protection
Universal
336
System Protection
Universal
337
System Protection
Universal
338
System Protection
Universal
339
System Protection
Universal
340
341
System Protection
System Protection
Universal
Universal
342
System Protection
Universal
343
System Protection
Universal
344
System Protection
Universal
Does the system minimize the number of nonsecurity functions included within the
isolation boundary containing security functions?
Are the system security functions implemented as largely independent modules that
avoid unnecessary interactions between modules?
Are the system security functions implemented as a layered structure minimizing
interactions between layers of the design and avoiding any dependence by lower defense
in depth layers on the functionality or correctness of higher layers?
Does the system limit the use of resources by priority?
Are the external boundaries of the system defined?
Are the operational system boundary, the strength required of the boundary, and the
respective barriers to unauthorized access and control of system assets and components
defined?
Are externally accessible system components physically allocated to separate
subnetworks (DMZ) with separate, physical network interfaces?
Is external access into the organization's internal system networks prevented, except as
appropriately mediated? (e.g., configuration files and settings, alarm points, passwords,
etc.)
Is an appropriate failure mode selected depending on the critical needs of system
availability? (preventative maintenance)
Does the system design and implementation protect the integrity of electronically
communicated information?
Is cryptographic hardware with remote key management capabilities used?
Are public key certificates issued under an appropriate certificate policy or are they
obtained under an appropriate certificate policy from an approved service provider?
Does the use of public key certificates avoid degrading (i.e., latency) the operational
performance of the system?
Does the system fail to a known state for defined failures?
Does the system preserve defined system state information in failure?
Does the system employ processing components that have minimal functionality and data
storage (e.g., diskless nodes, thin client technologies)?
Does the system use secure data transmission media, such as fiber optic technology, to
minimize data loss from eavesdropping and data tapping?
Does the system protect the confidentiality of information at rest? (e.g., disk encryption)
�Are cryptographic mechanisms used to prevent unauthorized disclosure of information at
rest unless otherwise protected by alternative physical measures?
Are diverse technologies used in the implementation of the system? (e.g., using different
vendors to avoid single vulnerability penetration)
Are system components partitioned into separate physical networks as necessary?
Does the system protect the integrity of information during the processes of data
aggregation, packaging, and transformation in preparation for transmission?
Does the system meet a defined level of trustworthiness?
Are all critical hardware and software system components defined and documented?
Has legacy equipment been updated with current or custom developed system
components?
Have system components been identified where there are no alternative sources or
vendors?
345
System Protection
Universal
346
System Protection
Universal
347
System Protection
Universal
348
System Protection
Universal
349
350
System Protection
System Protection
Universal
Universal
351
System Protection
Universal
352
System Protection
Universal
353
System Protection
Universal
Is the system protected from harm by considering mean time to failure for a defined list
of system components? (e.g., hot standby for real-time and/or application servers)
354
System Protection
Universal
Are substitute system components provided, and is there a mechanism to exchange
active and standby roles of the components?
355
System Protection
Universal
Are system components taken out of service by transferring component responsibilities
to a substitute component no later than a defined percentage of mean time to failure?
356
System Protection
Universal
357
System Protection
Universal
358
System Protection
Universal
359
System Protection
Universal
360
System Protection
Universal
Is a transfer between active and standby system components manually initiated at least
once per a defined frequency?
When a system component failure is detected, does the standby system component
successfully and transparently assume its role within a defined time period and activate
an alarm and/or automatically shut down the system?
Is the use of personally owned information copied to the system restricted?
Do the terms and conditions for personally owned information on the system state the
types of applications that can be accessed from personally owned IT, either remotely or
from within the system?
Is the system configured to provide only essential capabilities and specifically prohibits
and/or restricts the use of functions, ports, protocols, and/or services as defined in a
"prohibited and/or restricted" list?
�Is the system periodically reviewed to identify and eliminate unnecessary functions, ports,
protocols, and/or services?
Are automated mechanisms used to prevent program execution in accordance with
defined lists? (e.g., white listing)
Are the use of configuration laptops and/or removable electronic media approved, and
are authorized devices documented, secured, and available only to specified and
approved entities when their use cannot be avoided?
Is the enterprise architecture developed with consideration for security and the resulting
risk?
Do the terms and conditions for personally owned information on the system state the
maximum security category of information that can be processed, stored, and
transmitted?
Do the terms and conditions for personally owned information on the system state how
other users of the personally owned information will be prevented from accessing
organization information?
Do the terms and conditions for personally owned information on the system define the
use of VPN and firewall technologies?
Do the terms and conditions for personally owned information on the system state the
use of and protection against the vulnerabilities of wireless technologies?
Do the terms and conditions for personally owned information on the system require the
maintenance of adequate physical security mechanisms?
Do the terms and conditions for personally owned information on the system require the
use of virus and spyware protection software?
Do the terms and conditions for personally owned information on the system state how
often the security capabilities of installed software are to be updated?
Does the system include applications that are independent of the operating system?
Are virtualization techniques used to present gateway components into systems
environments as other types of components or components with differing
configurations?
Are virtualization techniques used to deploy a diversity of operating systems
environments and applications?
361
System Protection
Universal
362
System Protection
Universal
363
System Protection
Universal
364
System Protection
Universal
365
System Protection
Universal
366
System Protection
Universal
367
System Protection
Universal
368
System Protection
Universal
369
System Protection
Universal
370
System Protection
Universal
371
System Protection
Universal
372
Software
Universal
373
Software
Universal
374
Software
Universal
375
Software
Universal
Is the diversity of operating systems and applications changed on a defined frequency?
376
Software
Universal
Is randomness used in the implementation of the virtualization?
�377
Software
Universal
378
Software
Universal
379
Software
Universal
380
Software
Universal
381
Software
Universal
382
Software
Universal
383
384
385
386
387
388
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Universal
Universal
Universal
Universal
Universal
Universal
Does the system load and execute the operating system software from hardwareenforced, read-only media?
Does the system load and execute authorized applications from hardware-enforced, readonly media?
Are system components used that have no writable storage that is persistent across
component restart or power on/off cycles?
Is the integrity of the information on read-only media protected?
Do software developers employ software quality and validation methods to minimize
flawed or malformed software?
Is a process prevented from executing without supervision for more than a defined time
period?
Is the system protected from information leakage (e.g., removable media, official
documents, remote access, etc.)?
Do the system components separate telemetry/data acquisition services from
management port functionality?
Does the system prevent unauthorized or unintended information transfer via shared
system resources? (e.g., register, main memory, secondary storage)
Does the system separate resources that are used to interface with systems operating at
different security levels?
Does the system monitor and manage communications at the system boundary and at
key internal boundaries within the system?
Are the number of access points to the system limited to allow for better monitoring of
inbound and outbound network traffic?
Is the external communication interface connections implemented with security
measures appropriate to the required protection of the integrity and confidentiality of the
information being transmitted?
389
Communication
Protection
Universal
390
Communication
Protection
Universal
Does the system deny network traffic by default and allow network traffic by exception?
391
Communication
Protection
Universal
Is the unauthorized release of information outside the system boundary or any
unauthorized communication through the system boundary prevented when an
operational failure occurs of the boundary protection mechanisms?
392
Communication
Protection
Universal
Is the unauthorized release of information across managed interfaces prevented?
�393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Does the system check incoming communications to ensure that the communications are
coming from an authorized source and routed to an authorized destination?
Does the system, at managed interfaces, deny network traffic and audit internal users
posing a threat to external systems?
Does the system prevent remote devices that have established connections (e.g., PLC,
remote laptops) with the system from communicating outside that communications path
with resources on uncontrolled/unauthorized networks?
Does the system route traffic to the Internet through authenticated proxy servers within
the managed interfaces of boundary protection devices?
Do you encrypt communication over all untrusted communication channels?
Have you evaluated the latency issues introduced by the use of cryptographic
mechanisms to ensure that they do not impact operational performance?
If the cryptographic mechanism fails, is your system protected against a denial of service
event?
Does the system design and implementation protect the confidentiality of communicated
information where necessary?
Universal
Are cryptographic mechanisms used to prevent unauthorized disclosure of information
during transmission unless otherwise protected by alternative physical measures?
Universal
Does the system establish a trusted communications path between the user and the
system?
Universal
Are cryptographic keys established and managed using automated mechanisms?
Universal
Universal
Universal
Is the availability of information in the event of the loss of cryptographic keys by users
maintained?
Do communication cryptographic mechanisms comply with applicable regulatory
requirements, policies, standards, and guidance?
Are collaborative computing devices (e.g., video and audio conferencing) restricted on
your control system network?
Universal
Are collaborative computing devices disconnected and powered down when not in use?
Universal
Does the system block both inbound and outbound traffic between instant messaging
clients?
�409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Are collaborative computing devices disabled or removed from systems in secure work
areas?
Does the system reliably associate security labels and markings with information
exchanged between the enterprise systems and the control system?
Does the system validate the integrity of security parameters exchanged between
systems?
Is there usage restrictions and implementation guidance for VoIP technologies, which is
based on the potential to cause damage to the system if used maliciously?
Is the use of VoIP authorized, monitored, and controlled?
Does the system provide mechanisms to protect the authenticity of device-to-device
communications sessions?
Are message authentication mechanisms implemented at the protocol level for both
serial and routable protocols?
Are the system devices that collectively provide name/address resolution services for an
organization fault tolerant?
Does the use of secure name/address resolution services avoid adverse impacts to the
operational performance of the system?
Does the DNS server that provides name/address resolution service provide additional
artifacts (e.g., digital signatures, cryptographic keys, etc.) along with the authoritative DNS
resource records it returns in response to resolution queries?
Universal
Does the system enable verification of a chain of trust among parent and child domains?
Universal
Does the local client perform DNS and data integrity verification from authoritative DNS
servers?
Universal
Does the authoritative DNS servers perform data origination and verification?
Universal
Does the system monitor and detect covert communication channels (e.g., back doors)?
Universal
Universal
Are a subset of the vendor-identified covert channel avenues tested to determine if they
are exploitable?
Does the system enforce assigned authorizations for controlling the flow of information
within the system and between interconnected systems?
�425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
System Integrity
Universal
Universal
Universal
Does the system enforce information flow control (e.g., firewalls, routers, gateways, etc.)
based on specific data for source, and destination paths?
Does the system enforce information flow control using domains as a basis for flow
control decisions?
Does the system enforce dynamic information flow control based on changing conditions
or operational considerations?
Universal
Does the system prevent encrypted data from bypassing content-checking mechanisms?
Universal
Does the system enforce defined limitations on the embedding of data types within other
data types to prevent propagation of malicious payloads?
Universal
Does the system enforce information flow control on metadata?
Universal
Does the system enforce defined one-way flows using hardware mechanisms (i.e., data
diode)?
Universal
Does the system enforce information flow control using defined security policy filters?
Universal
Universal
Universal
Universal
Universal
Does the system enforce the use of human review for defined security policy filters when
the system is not capable of making an information flow control decision?
Does the system provide the capability for a privileged administrator to enable and
disable organization-defined security policy filters?
Does the system provide the capability for a privileged administrator to configure the
organization-defined security policy filters to support different security policies?
Is confidential information (e.g., business sensitive, personally identifiable information,
etc.) restricted to authorized users?
Are automated or manual mechanisms (e.g., roles and responsibilities as defined by
Active Directory) used as required to assist authorizing users in making the correct
information sharing/collaboration decisions?
Universal
Is information sharing authorized and/or restricted between third-party partners?
Universal
Are communications limited to only the devices that need to communicate?
Universal
Are all other ports and routes locked down or disabled?
Universal
Are system flaws identified, reported, and corrected?
�442
System Integrity
Universal
443
System Integrity
Universal
444
System Integrity
Universal
445
System Integrity
Universal
446
System Integrity
Universal
447
System Integrity
Universal
448
System Integrity
Universal
449
System Integrity
Universal
450
System Integrity
Universal
451
452
System Integrity
System Integrity
Universal
Universal
453
System Integrity
Universal
454
System Integrity
Universal
455
System Integrity
Universal
456
System Integrity
Universal
457
System Integrity
Universal
458
System Integrity
Universal
459
System Integrity
Universal
Are software updates tested related to flaw remediation for effectiveness and potential
side effects before installation?
Is flaw remediation incorporated into the configuration management process as an
emergency change?
Is the patch management process centrally managed, and are updates installed
automatically?
Has the risk of employing automated flaw remediation been evaluated?
Are automated mechanisms (e.g., patching, service packs, etc.) used to periodically and
on demand determine the state of system components with regard to flaw remediation?
Is the time between flaw identification and flaw remediation measured and compared
with benchmarks?
Are automated patch management tools used to facilitate flaw remediation?
Does the use of automated flaw remediation processes NOT degrade the operational
performance of the system?
Are system security alerts, advisories, and directives received from designated external
organizations on an ongoing basis?
Are internal security alerts, advisories, and directives generated?
Are security alerts, advisories, and directives disseminated to a list of personnel?
Are security directives implemented in accordance with timeframes established by the
directives, or is the issuing organization notified of the degree of noncompliance?
Are automated mechanisms used to make security alert and advisory information
available throughout the organization?
Is the correct operation of security functions verified upon system startup and restart,
upon command by user with appropriate privilege, periodically, and at defined time
periods?
Does the system notify the system administrator when anomalies are discovered?
Are automated mechanisms used to provide notification of failed automated security
tests?
Are automated mechanisms used to support management of distributed security
functionality verification testing? (i.e., control log servers)
Does the system monitor and detect unauthorized changes to software and information?
�Is the integrity of software and information reassessed by performing, on a defined
frequency, integrity scans of the system, and are they used with extreme caution on
designated high-availability systems?
Are automated tools used to provide notification to designated individuals on discovering
discrepancies during integrity verification, and are they used with extreme caution on
designated high-availability systems?
Are centrally managed integrity verification tools used, and are they used with extreme
caution on designated high-availability systems?
Is tamper-evident packaging used during transportation from vendor to operational site,
during operation, or both?
Does the system check the validity of information inputs? (e.g., boundary limits)
Does the system identify error conditions?
Does the system generate error messages that provide information necessary for
corrective actions without revealing potentially harmful information that could be
exploited by adversaries?
Does the system reveal error messages only to authorized personnel?
Does the system prohibit inclusion of sensitive information in error logs or associated
administrative messages?
460
System Integrity
Universal
461
System Integrity
Universal
462
System Integrity
Universal
463
System Integrity
Universal
464
465
System Integrity
System Integrity
Universal
Universal
466
System Integrity
Universal
467
System Integrity
Universal
468
System Integrity
Universal
469
System Integrity
Universal
470
Physical Security
Universal
471
Physical Security
Universal
472
473
Physical Security
Physical Security
Universal
Universal
Are lists of personnel with authorized access developed and maintained, and are
appropriate authorization credentials issued?
Are the access list and authorization credentials reviewed and approved at least annually
and those no longer requiring access removed?
Is physical access to the facility authorized based on position or role?
Are two forms of identification required to gain access to the facility?
474
Physical Security
Universal
Are physical access authorizations enforced for all physical access points to the facility?
475
476
Physical Security
Physical Security
Universal
Universal
477
Physical Security
Universal
478
Physical Security
Universal
Are individual access authorizations verified before granting access to the facility?
Is entry to the facility controlled by physical access devices and/or guards?
Are the areas officially designated as publicly accessible controlled in accordance with the
organization's assessment of risk?
Are keys, combinations, and other physical access devices secured?
Is the output from the system handled and retained in accordance with applicable
regulations, standards, and organizational policy as well as operational requirements?
�479
Physical Security
Universal
480
Physical Security
Universal
481
482
Physical Security
Physical Security
Universal
Universal
Are physical access devices inventoried on a periodic basis?
Are combinations and keys changed on a defined frequency, and when keys are lost,
combinations compromised, or individuals are transferred or terminated?
Is physical access to distribution and communication lines controlled and verified?
Is physical access to output devices controlled?
483
Physical Security
Universal
Is physical access to the system controlled independently of the facility access controls?
484
Physical Security
Universal
485
Physical Security
Universal
486
Physical Security
Universal
487
488
Physical Security
Physical Security
Universal
Universal
489
Physical Security
Universal
490
Physical Security
Universal
491
Physical Security
Universal
492
Physical Security
Universal
Are security checks at physical boundaries performed for unauthorized removal of system
components?
Is every physical access point to the facility guarded or alarmed and monitored 24 hours
per day, 7 days per week?
Are lockable physical casings used to protect internal components of the system from
unauthorized physical access?
Is physical access monitored to detect and respond to physical security incidents?
Are physical access logs reviewed on a defined frequency?
Are results of reviews and investigations coordinated with the organization's incident
response capability?
Are real-time physical intrusion alarms and surveillance equipment monitored?
Are automated mechanisms used to recognize potential intrusions and initiate designated
response actions?
Is physical access controlled by authenticating visitors before authorizing access?
493
Physical Security
Universal
Are visitors escorted and monitored as required in the security policies and procedures?
494
Physical Security
Universal
495
Physical Security
Universal
496
497
498
499
500
501
502
Physical Security
Physical Security
Physical Security
Physical Security
Physical Security
Physical Security
Physical Security
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Are two forms of identification required for access?
Are visitor access records maintained, and are all physical access logs retained for as long
as required by regulations or per approved policy?
Do visitor records include name and organization of the person visiting?
Do visitor records include the signature of the visitor?
Do visitor records include a form of identification?
Do visitor records include the date of access?
Do visitor records include the time of entry and departure?
Do visitor records include the purpose of the visit?
Do visitor records include the name and organization of person visited?
�503
Physical Security
Universal
504
Physical Security
Universal
505
Physical Security
Universal
506
Physical Security
Universal
507
508
Physical Security
Physical Security
Universal
Universal
509
Physical Security
Universal
510
Physical Security
Universal
511
Environmental Security Universal
512
Environmental Security Universal
513
Environmental Security Universal
514
Environmental Security Universal
515
Environmental Security Universal
516
Environmental Security Universal
517
Environmental Security Universal
518
Environmental Security Universal
519
Environmental Security Universal
520
Environmental Security Universal
Are automated mechanisms employed to facilitate the maintenance and review of access
records?
Is cryptographic hardware protected from physical tampering and uncontrolled electronic
connections?
Are all external system and communication connections identified and protected from
tampering or damage?
Are asset location technologies used to track and monitor the movements of personnel
and vehicles to ensure they stay in authorized areas?
Are asset location technologies used to identify personnel needing assistance?
Are asset location technologies used to support emergency response?
Is hardware (cages, locks, cases, etc.) used to detect and deter unauthorized physical
access to system devices?
Is the ability to respond to an emergency not hindered by using tamper-evident
hardware?
Is the emergency power shutoff protected from unauthorized activation?
Is the emergency power-off capability protected from accidental and
intentional/unauthorized activation?
Is there a short-term uninterruptible power supply to be used for orderly system
shutdown?
Is there a long-term alternate power supply that is capable of maintaining minimally
required operational capability?
Is there a long-term alternate power supply that is self-contained and not reliant on
external power generation?
Are there automatic emergency lighting systems for emergency exits and evacuation
routes?
Are there fire suppression and detection devices/systems?
Do fire detection devices/systems activate automatically and notify the organization and
emergency responders in the event of a fire?
Do fire suppression devices/systems provide automatic notification to the organization
and emergency responders?
Is there an automatic fire suppression capability in facilities that are not staffed
continuously?
�Is the temperature and humidity regularly monitored to ensure they are maintained
within acceptable levels?
Is the system protected from water damage by having the master shutoff valves
accessible, working properly, and known to key personnel?
Are automated mechanisms used to close shutoff valves and provide notification in the
event of a water leak?
521
Environmental Security Universal
522
Environmental Security Universal
523
Environmental Security Universal
524
Configuration
Management
525
Environmental Security Universal
526
Environmental Security Universal
527
Environmental Security Universal
528
Environmental Security Universal
529
Configuration
Management
Universal
Is there an inventory of systems and critical components and is it maintained?
530
Plans
Universal
Are the personnel qualification levels reviewed and periodically updated for personnel to
make changes, conditions for allowing changes, and the approvals required for changes?
Universal
Has a current baseline configuration been developed, documented, and maintained for
the system?
Universal
Is the baseline configuration of the system reviewed and updated?
531
532
533
534
535
536
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Universal
Universal
Universal
Universal
Universal
Is the delivery and removal of system components limited, authorized, and recorded?
Are system assets located to minimize potential damage from physical and environmental
hazards and to minimize unauthorized access?
Are the risks associated with physical and environmental hazards considered when
planning new system facilities or reviewing existing facilities, and are the risk mitigation
strategies documented in the security plan?
Is the system power equipment and power cabling protected from damage and
destruction?
Are redundant power equipment and parallel power cabling paths provided for the
system?
Are automated mechanisms used to maintain an up-to-date, complete, accurate, and
readily available baseline configuration?
Is a baseline configuration for the development and test environments maintained and
managed separately from the operational baseline?
Is a deny-all, permit-by-exception authorization policy used for software allowed on the
system?
Are changes to the system authorized and documented?
�537
538
Configuration
Management
Configuration
Management
Universal
Are records of configuration-managed changes to the system reviewed and retained?
Universal
Are configuration-managed changes to the system audited?
Universal
Are automated mechanisms used to document proposed changes, notify appropriate
approval authorities, highlight approvals that have not been received in a timely manner,
inhibit change until necessary approvals are received, and document completed changes?
539
Configuration
Management
540
Configuration
Management
Universal
541
Configuration
Management
Universal
542
Configuration
Management
Universal
543
Configuration
Management
Universal
544
545
546
547
548
549
550
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Universal
Universal
Universal
Are configuration changes tested, validated, and documented before installing them on
the operational system, and has testing been ensured to not interfere with system
operations?
Does the tester fully understand the corporate cyber and control system security policies
and procedures and the specific health, safety, and environmental risks associated with a
particular facility and/or process?
Are individual access privileges, physical access, and logical access restrictions associated
with configuration changes to the system defined, documented, and approved?
Are individual access privileges, physical access, and logical access restrictions records
associated with configuration changes to the system generated, retained, and periodically
reviewed?
Are automated mechanisms used to enforce change of access restrictions and support
auditing of the enforcement actions?
Does the system prevent the installation of device drivers that are not signed with an
organizationally recognized and approved certificate?
Is there physical security to restrict data devices, serial ports, network ports, USB, and
secure digital memory card?
Universal
Are mandatory configuration settings used for products employed within the system?
Universal
Are the security settings configured to the most restrictive mode consistent with system
operational requirements?
Universal
Are the changed configuration settings documented?
Universal
Are exceptions from the mandatory configuration settings identified, documented, and
approved based on explicit operational requirements?
�551
552
553
554
555
556
557
558
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
559
Configuration
Management
Universal
560
Configuration
Management
Universal
561
Configuration
Management
Universal
562
Configuration
Management
Universal
563
564
565
Configuration
Management
Configuration
Management
Configuration
Management
Universal
Universal
Universal
Are the configuration settings for all components of the system enforced?
Are changes to the configuration settings monitored and controlled in accordance with
policies and procedures?
Are automated mechanisms used to centrally manage, apply, and verify configuration
settings?
Are automated mechanisms used to respond to unauthorized changes to configuration
settings?
Is six wall bordering, equipment vaulting, two-man rules, and enhanced inventory control
and authorization used?
Are the duties and access between the system administrator and the cybersecurity officer
separate such that neither can make the changes by themselves?
Has an inventory of the components of the system been developed, documented and
maintained that accurately reflects the current system?
Has an inventory list of the components of the system been developed, documented, and
maintained that is consistent with the system boundary?
Has an inventory list of the components of the system been developed, documented, and
maintained that is at the level of granularity deemed necessary for tracking and
reporting?
Has an inventory of the components of the system been developed, documented, and
maintained that includes defined information deemed necessary to achieve effective
property accountability?
Is the inventory of system components and programming updated as an integral part of
component installation, replacement, and system updates?
Are automated mechanisms used to help maintain an up-to-date, complete, accurate, and
readily available inventory of system components, configuration files and set points,
alarm settings and other required operational settings?
Are automated mechanisms used to detect the addition of unauthorized
components/devices/component settings into the system?
Is network access by unauthorized components/devices disabled, or are designated
officials notified?
Are the names of the individuals responsible for component included in property
accountability information?
�566
567
568
569
570
571
572
573
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Plans
Configuration
Management
Configuration
Management
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
574
Incident Response
Universal
575
Incident Response
Universal
576
Incident Response
Universal
577
Incident Response
Universal
578
Incident Response
Universal
579
Incident Response
Universal
580
Incident Response
Universal
581
Incident Response
Universal
582
Incident Response
Universal
Are all system assets and information documented, identified, and tracked?
Do specialized critical digital assets have an internal registration, configuration and usage
plan, and secure storage before, during, and after usage?
Are critical digital assets (CDA) in security areas destroyed on removal from operations, or
are they inspected and subject to an approved documented desanitization procedure on
being removed from service (e.g., lifecycle plan)?
Are all factory default authentication credentials changed on system components and
applications upon installation?
Does legacy equipment with known authentication deficiencies have compensatory
access restrictions?
Is the responsibility for the configuration management process assigned to organizational
personnel that are not directly involved in system development?
Is there security authorization including two-man policies? (Requires the authorization of
two people.)
Are the legacy components identified, tested, and documented to verify that the
compensatory measures are effective?
Are potential interruptions identified and classified as to "cause," "effects," and
"likelihood"?
Is a root cause analysis initiated for the security events and any findings from the analysis
submitted to the organizations corrective action program?
Is an incident handling capability implemented for security incidents that include
preparation, detection and analysis, containment, eradication, and recovery?
Are incident handling activities coordinated with contingency planning activities?
Are lessons learned from ongoing incident handling activities incorporated into incident
response procedures?
Are automated mechanisms used to administer and support the incident handling process
and to assist in the reporting of security incidents?
Are system network security incidents tracked and documented on an ongoing basis?
Are automated mechanisms used to assist in the tracking of security incidents and in the
collection and analysis of incident information? (e.g., network monitoring, physical access
monitoring, etc.)
Are cyber and control system security incident information promptly reported to
authorities?
�Are automated mechanisms used to increase the availability of incident response-related
information and support?
Is there a direct, cooperative relationship between the incident response capability and
external providers of information system protection capability, and are the incident
response team members identified to the external providers? (e.g., third party alarm
service)
Are processes and mechanisms included in the planning to ensure that corrective actions
identified as the result of a cybersecurity incident are fully implemented?
Does the incident response capability incorporate detection of unauthorized, securityrelevant configuration changes to ensure that such detected events are tracked,
monitored, corrected, and available for historical purposes?
Is an incident response support resource provided that offers advice and assistance?
Does the system protect against or limit the effects of denial-of-service attacks based on a
defined list of types of denial-of-service attacks?
Does the system restrict the ability of users to launch denial-of-service attacks against
other systems or networks?
Does the system manage excess capacity, bandwidth, or other redundancy to limit the
effects of information flooding types of denial-of-service attacks?
Are malicious code protection mechanisms used at system entry and exit points and at
workstations, servers, or mobile computing devices?
Are malicious code protection mechanisms updated whenever new releases are available
in accordance with configuration management policy and procedures?
583
Incident Response
Universal
584
Incident Response
Universal
585
Incident Response
Universal
586
Incident Response
Universal
587
Incident Response
Universal
588
Monitoring & Malware Universal
589
Monitoring & Malware Universal
590
Monitoring & Malware Universal
591
Monitoring & Malware Universal
592
Monitoring & Malware Universal
593
Monitoring & Malware Universal
Are malicious code protection mechanisms configured to perform periodic scans of the
system on a defined frequency and real-time scans of files from external sources as the
files are downloaded, opened, or executed, and disinfect and quarantine infected files?
594
Monitoring & Malware Universal
Are malicious code protection software products from multiple vendors used?
595
Monitoring & Malware Universal
Are the receipt of false positives during malicious code detection and eradication and the
resulting potential impact on the availability of the system addressed?
596
Monitoring & Malware Universal
Are malicious code protection mechanisms centrally managed?
597
Monitoring & Malware Universal
Does the system automatically update malicious code protection mechanisms?
�Does the system prevent users from circumventing host-based malicious code protection
capabilities?
Does the system update malicious code protection mechanisms only when directed by a
privileged user?
598
Monitoring & Malware Universal
599
Monitoring & Malware Universal
600
Monitoring & Malware Universal
601
Monitoring & Malware Universal
602
Monitoring & Malware Universal
603
Monitoring & Malware Universal
604
Monitoring & Malware Universal
605
Monitoring & Malware Universal
Are events on the system monitored?
606
Monitoring & Malware Universal
Are system attacks detected? (Attacks can be detected via log monitoring, IDS system
monitoring, Signature/indicators)
607
Monitoring & Malware Universal
Is unauthorized use of the system identified? (e.g., log monitoring)
608
Monitoring & Malware Universal
609
Monitoring & Malware Universal
610
Monitoring & Malware Universal
Is legal counsel consulted with regard to system monitoring activities?
611
Monitoring & Malware Universal
Are individual intrusion detection tools interconnected into a systemwide intrusion
detection system?
612
Monitoring & Malware Universal
Are automated tools used to support near real-time analysis of events?
613
Monitoring & Malware Universal
Are automated tools used to integrate intrusion detection tools into access control and
flow control mechanisms in support of attack isolation and elimination?
Are users prohibited from introducing removable media into the system?
Does the system implement malicious code protection mechanisms to identify data
containing malicious code and respond accordingly when the system encounters data not
explicitly allowed by the security policy?
Does the use of mechanisms to centrally manage malicious code protection avoid
degradation of the operational performance of the system?
Are periodic security vulnerability assessments conducted according to the risk
management plan?
Is the system updated to address any identified vulnerabilities in accordance with the
system maintenance policy?
Are monitoring devices deployed strategically to collect essential information within the
system to track specific types of transactions of interest?
Is the level of system monitoring activity heightened whenever an indication of increased
risk exists?
�Does the system monitor inbound and outbound communications for unusual or
unauthorized activities or conditions?
Does the system provide a real-time alert when indications of compromise or potential
compromise occur?
Does the system prevent users from circumventing host-based intrusion detection and
prevention capabilities?
Does the system notify a list of incident response personnel of suspicious events and take
the least disruptive actions to terminate suspicious events?
Is information obtained from intrusion monitoring tools protected from unauthorized
access, modification, and deletion?
614
Monitoring & Malware Universal
615
Monitoring & Malware Universal
616
Monitoring & Malware Universal
617
Monitoring & Malware Universal
618
Monitoring & Malware Universal
619
Monitoring & Malware Universal
Are intrusion monitoring tools tested on a defined time-period?
620
Monitoring & Malware Universal
Is encrypted traffic visible to system monitoring tools?
621
Monitoring & Malware Universal
622
Monitoring & Malware Universal
623
Monitoring & Malware Universal
624
Monitoring & Malware Universal
625
Monitoring & Malware Universal
626
Monitoring & Malware Universal
627
Monitoring & Malware Universal
628
Monitoring & Malware Universal
629
Monitoring & Malware Universal
Does the use of monitoring tools and techniques avoid adversely impacting the
operational performance of the system?
Are spam protection mechanisms used at system entry points and at workstations,
servers, or mobile computing devices?
Are spam protection mechanisms updated when new releases are available in accordance
with configuration management policy and procedures?
Is spam protection software products from multiple vendors used?
Are spam protection mechanisms centrally managed and has the risk of employing
mechanisms to centrally manage spam protection on a system been considered?
Does centrally managed spam protection avoid degrade the operational performance of
the system?
Have you considered the risks of automatically updating spam protection mechanisms on
high-availability systems?
Does the system include components specifically designed to be the target of malicious
attacks for the purpose of detecting, deflecting, analyzing, and tracking such attacks?
(e.g., honeypots)
Does the system include components that proactively seek to identify Web-based
malicious code?
�630
Monitoring & Malware Universal
631
Monitoring & Malware Universal
632
Monitoring & Malware Universal
633
Monitoring & Malware Universal
634
Monitoring & Malware Universal
635
Monitoring & Malware Universal
636
Monitoring & Malware Universal
637
Monitoring & Malware Universal
638
Monitoring & Malware Universal
639
Monitoring & Malware Universal
640
Monitoring & Malware Universal
641
Continuity
Universal
642
Continuity
Universal
643
Continuity
Universal
644
Continuity
Universal
Are vulnerability scans performed for in the system on a defined frequency and randomly
in accordance with company policy?
Are vulnerability scanning tools and techniques used that promote interoperability among
tools and automate parts of the vulnerability management process by using standards for:
(a) enumerating platforms, software flaws, and improper configurations; (b) formatting
and making transparent, checklists, and test procedures; and (c) measuring vulnerability
impact?
Is information obtained from the vulnerability scanning process shared with designated
personnel throughout the organization?
Are vulnerability scanning tools used that include the capability to readily update the list
of system vulnerabilities scanned?
Is the list of system vulnerabilities scanned updated on a defined frequency or when new
vulnerabilities are identified and reported?
Are there vulnerability scanning procedures that can demonstrate the breadth and depth
of coverage?
Does the organization attempt to discern what information about the system is
discoverable by adversaries?
Is security testing performed to determine the level of difficulty in circumventing the
security controls of the system?
Are privileged access vulnerability scans performed on selected system components?
Are automated mechanisms used to compare the results of vulnerability scans over time
to determine trends in system vulnerabilities?
Are automated mechanisms used on a defined frequency to detect the presence of
unauthorized software on organizational systems and notify designated officials?
Are backups of critical system software, applications, and data created and secured?
Is normal operation of the system resumed in accordance with its policies and procedures
after a security event?
Is an alternate storage site identified and are agreements in place to permit the storage of
system configuration information?
Are potential accessibility problems at the alternative storage site identified in the event
of an areawide disruption or disaster and are explicit mitigation actions outlined?
�645
Continuity
Universal
646
Continuity
Universal
647
Continuity
Universal
648
Continuity
Universal
649
Continuity
Universal
650
Continuity
Universal
651
Continuity
Universal
Is an alternate storage site identified that is geographically separated from the primary
storage site?
Is the alternate storage site configured to facilitate timely and effective recovery
operations?
Are alternate command/control methods identified, and are agreements in place to
permit the resumption of operations within a defined time period when the primary
system capabilities are unavailable?
Do primary and alternate telecommunications service agreements contain priority-ofservice provisions in accordance with the availability requirements?
Do alternate telecommunications services avoid sharing a single point of failure with
primary telecommunications services (e.g., radio and lease lines)?
Are alternate telecommunications service providers sufficiently separated from primary
service providers?
Do primary and alternate telecommunications service providers have adequate
contingency plans?
652
Continuity
Universal
Are necessary communications for the alternate control center identified, and are
agreements in place to permit the resumption of system operations for critical functions
within a defined time period when the primary control center is unavailable?
653
Continuity
Universal
Is an alternate control center identified that is geographically separated from the primary
control center?
654
Continuity
Universal
Are potential accessibility problems to the alternate control center identified in the event
of an area-wide disruption or disaster and are explicit mitigation actions outlined?
655
Continuity
Universal
656
Continuity
Universal
657
Continuity
Universal
658
Continuity
Universal
659
Continuity
Universal
Are alternate control center agreements in place that contain priority-of-service
provisions in accordance with the availability requirements?
Is the alternate control center fully configured to be used as the operational site
supporting a minimum required operational capability?
Does the alternate processing site provide information security measures equivalent to
that of the primary site?
Are backups of user-level information contained in the system performed on a defined
frequency? (user account)
Are backups of system-level information contained in the system performed on a defined
frequency?
�660
Continuity
Universal
661
Continuity
Universal
662
Continuity
Universal
663
Continuity
Universal
664
Continuity
Universal
665
Continuity
Universal
666
Continuity
Universal
667
Continuity
Universal
668
Continuity
Universal
Is the confidentiality and integrity of backup information protected at the storage
location?
Is backup information periodically tested to verify media reliability and information
integrity?
Is backup information selectively used in the restoration of system functions as part of
contingency plan testing?
Are backup copies of the operating system and other critical system software stored in a
separate facility or in a fire-rated container that is not collocated with the operational
software?
Is there a capability to recover and reconstitute the system to a known secure state after
a disruption, compromise, or failure?
Is there transaction recovery for systems that are transaction-based?
Is there a capability to re-image system components within defined restoration time
periods from configuration-controlled and integrity-protected disk images representing a
secure, operational state for the components?
Is the system able to execute an appropriate fail-safe procedure upon the loss of
communications with the system or the loss of the system itself?
Does the system preserve the system state information in failure?
669
Info Protection
Universal
Do only authorized users have access to information in printed form or on digital media?
670
Info Protection
Universal
671
Info Protection
Universal
673
Info Protection
Universal
674
Info Protection
Universal
675
676
Info Protection
Info Protection
Universal
Universal
677
Info Protection
Universal
Are automated mechanisms (e.g., card or keypad entry) used to ensure and audit
authorized access to media storage areas?
Is all removable information storage media and the system output reviewed and classified
to determine distribution limitations?
Is a defined list of media types or hardware components exempted from marking as long
as the exempted items remain within the protected environment?
Does the system mark output on external media to identify any of the set of special
dissemination, handling, or distribution instructions that apply to system output using
human readable, standard naming conventions?
Is the system media securely stored within protected areas?
Does the sensitivity of the material determine how the media are stored?
Are defined types of digital and nondigital media protected during transport outside
controlled areas?
�678
Info Protection
Universal
Is accountability for system media maintained during transport outside controlled areas?
679
Info Protection
Universal
Are the activities associated with transport of media restricted to authorized personnel?
680
Info Protection
Universal
681
682
683
Info Protection
Info Protection
Info Protection
Universal
Universal
Universal
684
Info Protection
Universal
685
Info Protection
Universal
686
Info Protection
Universal
687
Info Protection
Universal
688
Info Protection
Universal
689
Info Protection
Universal
690
Info Protection
Universal
691
Access Control
Universal
692
Info Protection
Universal
693
Info Protection
Universal
694
Info Protection
Universal
695
Information and
Document
Management
Universal
Are activities associated with the transport of system media documented using a defined
system of records?
Is a custodian identified throughout the transport of system media?
Is system digital and nondigital media sanitized before disposal or release for reuse?
Are media sanitization and disposal actions tracked, documented, and verified?
Are sanitization equipment and procedures periodically tested to verify correct
performance?
Are the individuals designated who are authorized to post information onto an
organizational system that is publicly accessible?
Are authorized individuals trained to ensure that publicly accessible information does not
contain nonpublic information?
Is the proposed content of publicly accessible information reviewed prior to posting?
Is the content on the publicly accessible organizational information system reviewed on a
routine interval?
Is nonpublic information removed from publicly accessible information systems if
discovered?
Is all information classified to indicate the protection required in accordance with its
sensitivity and consequence?
Are formal contractual and confidentiality agreements established for the exchange of
information and software between the organization and external parties?
Is information that requires special control or handling periodically reviewed to
determine whether such special handling is still required?
Is removable system media and system output marked indicating the distribution
limitations, handling caveats, and applicable security markings?
Is there a list of media types or hardware components that is exempt from marking as
long as the exempted items remain within the organization-defined protected
environment?
Does the system automatically label information in storage, in process, and in
transmission in accordance with access control requirements?
�696
697
698
699
700
701
702
703
704
705
706
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Universal
Is information labeled in storage, in process, and in transmission in accordance with
special dissemination, handling, or distribution instructions?
Universal
Does the system automatically label information in storage, in process, and in
transmission as required by the system security policy?
Universal
Does the system dynamically reconfigure security attributes in accordance with an
identified security policy as information is created and combined?
Universal
Does the system allow authorized entities to change security attributes?
Universal
Does the system maintain the binding of security attributes to information with sufficient
assurance that the information attribute association can be used as the basis for
automated policy actions?
Universal
Does the system allow authorized users to associate security attributes with information?
Universal
Universal
Universal
Universal
Universal
Does the system display security attributes in human-readable form on each objectoutput from the system-to-system output devices to identify special dissemination,
handling, or distribution instructions?
Is administrator and user guidance for the system obtained, protected and provided that
includes configuring, installing, and operating the system and use of the system's security
features?
Is vendor/contractor information obtained, protected, and made available to authorized
personnel that describes the functional properties of the security controls within the
system?
Is vendor/contractor information obtained, protected, and made available to authorized
personnel that describes the design and implementation details of the security controls
within the system?
Is vendor/contractor information obtained, protected, and made available to authorized
personnel that describes the security-relevant external interfaces to the system?
�707
708
709
710
711
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
System and Services
Acquisition
System and Services
Acquisition
Universal
Are software and associated documentation used in accordance with contract
agreements and copyright laws?
Universal
Are tracking systems used to control copying and distribution of software and associated
documentation protected by quantity licenses?
Universal
Universal
Universal
712
System and Services
Acquisition
Universal
713
System and Services
Acquisition
Universal
714
System and Services
Acquisition
Universal
715
716
717
718
719
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Universal
Universal
Universal
Universal
Universal
Is the use of accessible peer-to-peer file sharing technology controlled and documented
to ensure that it is not used for the unauthorized distribution, display, performance, or
reproduction of copyrighted work?
Are security functional requirements and specifications included in system acquisition
contracts based on an assessment of risk?
Are security-related documentation requirements included in system acquisition
contracts based on an assessment of risk?
Are developmental and evaluation-related assurance requirements (acceptance testing,
compliance documentation) included in system acquisition contracts based on an
assessment of risk?
Do acquisition documents require that vendors/contractors provide information
describing the functional properties of the security controls employed within the system?
Do acquisition documents require that vendors/contractors provide information
describing the design and implementation details of the security controls employed
within the system?
Is the acquisition of commercial technology products with security capabilities limited to
products that have been evaluated and validated?
Are system security engineering principles applied in the specification, design,
development, and implementation of the system?
Are software development standards and practices for trustworthy software used
throughout the development life cycle?
Are software practices used to reduce buffer overflows and unsafe string management
for languages that have unsafe operations?
As part of trustworthy software development are commercially available tools employed,
including a robust set of data validation and software quality assurance?
�720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Universal
Universal
Universal
Universal
Universal
Universal
Are providers of external system services required to employ security controls in
accordance with applicable, policies, regulations, standards, guidance, and established
service level agreements?
Are government oversight and user roles and responsibilities defined with regard to
external system services?
Is security control compliance by external service providers monitored?
Are system developers/integrators required to implement and document a configuration
management process that manages and controls changes to the system during design,
development, implementation, and operation?
Are system developers/integrators required to implement and document a configuration
management process that tracks security flaws?
Are system developers/integrators required to implement and document a configuration
management process that includes organizational approval of changes?
Universal
Are system developers/integrators required to provide an integrity check of software?
Universal
Is an alternative configuration management process provided in the absence of a
dedicated developer/integrator configuration management team?
Universal
Does the system developer have a security test and evaluation plan?
Universal
Does the system developer have a verifiable error remediation process to correct
weaknesses and deficiencies identified during the security testing and evaluation process?
Universal
Universal
Universal
Does the system developer/integrator document the result of the security
testing/evaluation and error remediation processes?
Does the system developer/integrator employ code analysis tools to examine software
for common flaws and document the results of the analysis?
Does the system developer/integrator perform a vulnerability analysis to document
vulnerabilities, exploitation potential, and risk mitigations?
Universal
Is the test and evaluation plan under independent verification and validation?
Universal
Are supply chain vulnerabilities protected from threats initiated against organizations,
people, information, and resources that provide products or services to the organization?
�735
736
737
738
739
740
741
742
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
743
Maintenance
Universal
744
Maintenance
Universal
745
Maintenance
Universal
746
Maintenance
Universal
747
Maintenance
Universal
748
Maintenance
Universal
749
Maintenance
Universal
Are all anticipated system components and spares purchased in the initial acquisition?
Are trusted intermediaries used for purchasing contract services, acquisitions, or logistical
activities during the system life cycle?
Is a due diligence review conducted of suppliers prior to entering into contractual
agreements to acquire system hardware, software, firmware, or services?
Is trusted shipping and warehousing used for systems, components, and technology
products?
Are a diverse set of suppliers used for systems, components, technology products, and
system services?
Are standard configurations used for systems, components, and technology products?
Is the time between purchase decisions and delivery minimized for systems, components,
and technology products?
Are independent analysis and penetration testing performed on delivered systems,
components, and technology products?
Are security requirements for the system reviewed and followed before undertaking any
unplanned maintenance activities?
Does unplanned maintenance documentation include: (a) date and time, (b) name of the
those performing the maintenance, (c) escorts name, (d) description of the maintenance
performed, and (e) list of equipment removed or replaced?
Is the decision not to perform emergency repairs maintenance after the identification of a
security vulnerability documented and justified?
Are repairs and maintenance scheduled, performed, and documented, and are records
reviewed in accordance with manufacturer or vendor specifications and/or organizational
requirements?
Is the removal of the system or system components from organizational facilities for
offsite maintenance or repairs approved?
Is the equipment sanitized to remove all information from associated media prior to
removal from organizational facilities for offsite maintenance or repairs?
Are all potentially impacted security controls checked to verify that the controls are still
functioning properly following maintenance or repair actions?
�750
Maintenance
Universal
Are maintenance records for the system maintained and do they include: (a) date and
time, (b) name of those performing the maintenance, (c) escorts name, (d) description of
the maintenance performed, and (e) list of equipment removed or replaced?
751
Maintenance
Universal
Are automated mechanisms used to schedule and document maintenance and repairs?
752
Maintenance
Universal
753
Maintenance
Universal
754
Maintenance
Universal
755
Maintenance
Universal
756
Maintenance
Universal
757
Maintenance
Universal
758
Maintenance
Universal
759
Maintenance
Universal
760
Maintenance
Universal
761
Maintenance
Universal
762
Maintenance
Universal
763
Maintenance
Universal
764
Maintenance
Universal
765
Maintenance
Universal
Is the use of system maintenance tools approved and monitored?
Are all maintenance software tools carried into a facility inspected for obvious improper
modifications?
Are all media containing diagnostic and test programs checked for malicious code before
the media are used in the system?
Is the unauthorized removal of maintenance equipment prevented by one of the
following: (a) verifying that no organizational information is contained on the equipment,
(b) sanitizing or destroying the equipment, (c) retaining the equipment within the facility,
or (d) obtaining an exemption from a designated organization official explicitly authorizing
removal of the equipment?
Are automated mechanisms used to restrict the use of maintenance tools to authorized
personnel only?
Are maintenance software tools used with care on system networks to ensure that
system operations will not be degraded by their use?
Are only authorized and qualified organization or vendor personnel allowed to perform
maintenance on the system?
Are remotely executed maintenance and diagnostic activities authorized, monitored, and
controlled?
Are remote maintenance and diagnostic tools used only as consistent with policy and
documented in the security plan for the system?
Are records for remote maintenance and diagnostic activities maintained?
Are all sessions and remote connections terminated when remote maintenance is
completed?
Are passwords changed following each remote maintenance session if password-based
authentication is used to accomplish remote maintenance?
Are remote maintenance and diagnostic sessions audited and do designated
organizational personnel review the maintenance records of the remote sessions?
Is the installation and use of remote maintenance and diagnostic links documented?
�766
Maintenance
Universal
767
Maintenance
Universal
768
Maintenance
Universal
769
Maintenance
Universal
770
Maintenance
Universal
771
Maintenance
Universal
772
Maintenance
Universal
773
774
775
776
777
778
779
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Are remote maintenance or diagnostic services required to be performed from a system
that implements a level of security at least as high as that implemented on the system
being serviced, or is the component to be serviced sanitized and removed from the
system prior to remote maintenance or diagnostic services?
Is the authorized firmware code checked or reinstalled as specified by the configuration
management plan, and are all authorized embedded configuration settings reset after
component servicing and return of the component to the facility but before reconnecting
the component to the system?
Are the remote maintenance sessions protected by a strong authenticator tightly bound
to the user?
Do maintenance personnel notify the system administrator when remote maintenance is
planned, and does a designated official with specific security/system knowledge approve
the remote maintenance?
Are cryptographic mechanisms used to protect the integrity and confidentiality of remote
maintenance and diagnostic communications?
Is remote disconnect verification used at the termination of remote maintenance and
diagnostic sessions?
Is there maintenance support and spare parts for security-critical system components
within the period of failure?
Is there a frequency of auditing for each identified auditable event?
Is the security audit function coordinated with other organizational entities requiring
audit-related information?
Are auditable events adequate to support after-the-fact investigations of security
incidents?
Are the events to be audited adjusted within the system based on current threat
information and ongoing assessments of risk?
Is the list of defined auditable events reviewed and updated on a defined frequency?
Is execution of privileged functions (account creations, modifications, and object
permission changes) included in the list of events to be audited by the system?
Are audit records produced that contain sufficient information to establish what events
occurred, when the events occurred, where the events occurred, the sources of the
events, and the outcomes of the events?
�780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Is there the capability to include additional, more detailed information in the audit
records for audit events identified by type, location, or subject?
Is there the capability to centrally manage the content of audit records generated by
individual hardware and/or software components throughout the system?
Is there sufficient audit record storage capacity allocated and is auditing configured to
reduce the likelihood of such capacity being exceeded?
Does the system alert designated organizational officials in the event of an audit
processing failure?
Does the system take the following actions: (e.g., shutdown system, overwrite oldest
audit records, stop generating audit records).
Does the system provide a warning when allocated audit record storage volume reaches a
defined percentage of maximum storage capacity?
Is there a real-time alert when any defined event occurs?
Does the system enforce configurable traffic volume thresholds representing auditing
capacity for network traffic, and does the system either reject or delay network traffic
above those thresholds?
Are system audit records reviewed and analyzed on a defined frequency, and are findings
reported to designated officials?
Is the level of audit review, analysis, and reporting within the system adjusted when a
change in risk exists?
Are automated mechanisms used to integrate audit review, analysis, and reporting into
processes for investigation and response to suspicious activities?
Are audit records analyzed and correlated across different repositories?
Are automated mechanisms used to centralize audit review and analysis of audit records
from multiple components within the system?
Is the analysis of audit records integrated with analysis of performance and network
monitoring information?
Universal
Does the system provide an audit reduction and report generation capability?
Universal
Is there the capability to automatically process audit records for events of interest based
on selectable event criteria?
�796
797
798
799
800
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Universal
Does audit record processing avoid degrading the operational performance of the
system?
Universal
Does the system use internal system clocks to generate time stamps for audit records?
Universal
Does the system synchronize internal system clocks on a defined frequency?
Universal
Universal
801
Audit and
Accountability
Universal
802
Audit and
Accountability
Universal
803
Audit and
Accountability
Universal
804
Audit and
Accountability
Universal
805
806
807
808
809
810
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Universal
Universal
Does the system protect audit information and audit tools from unauthorized access,
modification, and deletion?
Does the system produce audit records on hardware-enforced, write-once media (e.g.,
CD, DVD, etc.)?
Are audit logs retained for a defined time period to provide support for after-the-fact
investigations of security incidents and to meet regulatory and organizational information
retention requirements?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures conform to the requirements and relevant
legislation or regulations?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures conform to the identified information security
requirements?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures are effectively implemented and maintained?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures perform as expected?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures identify inappropriate activities?
Universal
Does the audit program specify the auditor qualifications?
Universal
Are the auditor and system administration functions assigned to separate personnel?
Universal
Universal
Do the audit program specify strict rules and careful use of audit tools when auditing
system functions, especially with legacy systems?
Is extra care taken to ensure that automated scanning tools used on the business
networks do not scan the ICS network by mistake?
�811
812
813
814
815
816
817
818
819
820
821
822
823
824
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Universal
Is compliance to the security policy demonstrated through audits in accordance with the
audit program?
Universal
Does the system provide audit record generation capability for the auditable events?
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Does the system provide audit record generation capability of the defined system
components?
Are authorized users allowed to select which auditable events are to be audited by
specific components of the system?
Are audit records generated for the selected list of auditable events?
Does the system provide the capability to compile audit records from multiple
components within the system into a systemwide audit trail that is time-correlated to
within a defined level of tolerance (e.g., time sync on audit logs, centralized log server,
etc.)?
Is open source information monitored for evidence of unauthorized release or disclosure
of organizational information?
Does the system provide the capability to capture, record, and log all content related to a
user session where it is required?
Does the system provide the capability to remotely view all content related to an
established user session in real time where legally required?
Are audits of system changes done at a defined frequency, and when indications warrant
to determine whether unauthorized changes have occurred?
Is the level of audit review, analysis, and reporting adjusted when there is a change in
risk?
Are automated mechanisms used to integrate audit review, analysis, and reporting for
investigation and response to suspicious activities?
Are automated mechanisms used to centralize audit review and analysis records from
multiple components within the system?
Is analysis of audit records integrated with analysis of performance and network
monitoring information to identify inappropriate or unusual activity?
�
| File Type | application/pdf |
| Author | INL |
| File Modified | 2015-08-06 |
| File Created | 2015-08-06 |