TBD CSET Question Set- collection instrument

Infrastructure Protection Gateway Facility Surveys

CSET Question Set- collection instrument 06-01-2016

IP Gateway Facility Assessments

OMB: 1670-0035

question id | question group heading | original set name | simple_question
3492 | Risk Management and Assessment | C2M2_V11 | Is there a documented cybersecurity risk management strategy?
3493 | Risk Management and Assessment | C2M2_V11 | Does the strategy provide an approach for risk prioritization, including consideration of impact?
3494 | Risk Management and Assessment | C2M2_V11 | Are the organizational risk criteria defined and available?
3495 | Risk Management and Assessment | C2M2_V11 | Do you periodically update your risk management strategy to reflect the current threat environment?
3496 | Risk Management and Assessment | C2M2_V11 | Does the organization categorize and document risks, and is that categorization used in risk management activities?
3497 | Risk Management and Assessment | C2M2_V11 | Have cybersecurity risks been identified?
3498 | Risk Management and Assessment | C2M2_V11 | Are identified risks mitigated, accepted, tolerated, or transferred?
3499 | Risk Management and Assessment | C2M2_V11 | Are risk assessments performed to identify risks in accordance with the risk management strategy?
3500 | Risk Management and Assessment | C2M2_V11 | Are identified risks documented?
3501 | Risk Management and Assessment | C2M2_V11 | Are identified risks analyzed to prioritize response activities in accordance with the risk management strategy?
3502 | Risk Management and Assessment | C2M2_V11 | Are identified risks monitored in accordance with the risk management strategy?
3503 | Risk Management and Assessment | C2M2_V11 | Does the risk analysis process use information provided by network (IT and/or OT) architecture?
3504 | Risk Management and Assessment | C2M2_V11 | Does your risk management program define and use policies and procedures that implement the risk management strategy?
3505 | Risk Management and Assessment | C2M2_V11 | Is a recent cybersecurity architecture used to inform risk analysis?
3506 | Risk Management and Assessment | C2M2_V11 | Is a risk register (repository of identified risks) used to support risk management activities?
3507 | Risk Management and Assessment | C2M2_V11 | Are documented practices followed for risk management activities?
3508 | Risk Management and Assessment | C2M2_V11 | Are stakeholders for risk management activities identified and involved?
3509 | Risk Management and Assessment | C2M2_V11 | Are adequate resources (people, funding, and tools) provided to support risk management activities?
3510 | Risk Management and Assessment | C2M2_V11 | Have standards and/or guidelines been identified to inform risk management activities?
3511 | Risk Management and Assessment | C2M2_V11 | Are risk management activities guided by documented policies or other organizational directives?
3512 | Risk Management and Assessment | C2M2_V11 | Do risk management policies include compliance requirements for specified standards and/or guidelines?
3513 | Risk Management and Assessment | C2M2_V11 | Are risk management activities periodically reviewed to ensure conformance with policy?
3514 | Risk Management and Assessment | C2M2_V11 | Are responsibility and authority for the performance of risk management activities assigned to personnel?
3515 | Risk Management and Assessment | C2M2_V11 | Do personnel performing risk management activities have the skills and knowledge needed to perform their assigned responsibilities?
3516 | Configuration Management | C2M2_V11 | Is there an inventory of operations technology (OT) and information technology (IT) assets that are important to the delivery of the function?
3517 | Configuration Management | C2M2_V11 | Is there an inventory of information assets that are important to the delivery of the function?
3518 | Configuration Management | C2M2_V11 | When building an inventory of assets, are information attributes to support the cybersecurity strategy included?
3519 | Configuration Management | C2M2_V11 | Are inventoried assets prioritized based on their importance to the delivery of the function?
3520 | Configuration Management | C2M2_V11 | Is there an inventory for all connected information technology (IT) and operations technology (OT) assets related to the delivery of the function?
3521 | Configuration Management | C2M2_V11 | Is the asset inventory current and complete?
3522 | Configuration Management | C2M2_V11 | When it is desirable to ensure that multiple inventoried assets are configured similarly, are configuration baselines established?
3523 | Configuration Management | C2M2_V11 | Are configuration baselines used to configure assets at deployment?
3524 | Configuration Management | C2M2_V11 | Does the design of configuration baselines include cybersecurity objectives?
3525 | Configuration Management | C2M2_V11 | Is the configuration monitored for consistency with its baselines throughout the assets' life cycle?
3526 | Configuration Management | C2M2_V11 | Are configuration baselines reviewed and updated at an organizationally-defined frequency?
3527 | Configuration Management | C2M2_V11 | Are changes to inventoried assets evaluated before being implemented?
3528 | Configuration Management | C2M2_V11 | Are changes to inventoried assets logged?
3529 | Configuration Management | C2M2_V11 | Are changes to assets tested prior to being deployed, whenever possible?
3530 | Configuration Management | C2M2_V11 | Do change management practices address the full life cycle of assets?
3531 | Configuration Management | C2M2_V11 | Are changes to assets tested for cybersecurity impact prior to being deployed?
3532 | Configuration Management | C2M2_V11 | Do change logs include information about modifications that impact the cybersecurity requirements of assets?
3533 | Configuration Management | C2M2_V11 | Are documented practices followed for asset inventory, configuration, and change management activities?
3534 | Configuration Management | C2M2_V11 | Are stakeholders involved in activities such as asset inventory, configuration, and change management?
3535 | Configuration Management | C2M2_V11 | Are adequate resources (people, funding, and tools) provided to support asset inventory, configuration, and change management activities?
3536 | Configuration Management | C2M2_V11 | Have standards and/or guidelines been identified to inform asset inventory, configuration, and change management activities?
3537 | Configuration Management | C2M2_V11 | Are asset inventory, configuration, and change management activities guided by documented policies or other organizational directives?
3538 | Configuration Management | C2M2_V11 | Do asset inventory, configuration, and change management policies include compliance requirements for specified standards and/or guidelines?
3539 | Configuration Management | C2M2_V11 | Are asset inventory, configuration, and change management activities periodically reviewed to ensure conformance with the policy?
3540 | Configuration Management | C2M2_V11 | Are responsibility and authority for the performance of asset inventory, configuration, and change management activities assigned to personnel?
3541 | Configuration Management | C2M2_V11 | Do personnel performing asset inventory, configuration, and change management activities have the skills and knowledge needed to perform their assigned responsibilities?
3542 | Account Management | C2M2_V11 | Are identities provisioned for personnel and other entities (e.g., services, devices) who require access to assets? (note that this does not preclude shared identities)
3543 | Account Management | C2M2_V11 | Are credentials issued for personnel and other entities that require access to assets? (e.g., passwords, smart cards, certificates, keys)
3544 | Account Management | C2M2_V11 | Are identities removed when no longer required?
3545 | Account Management | C2M2_V11 | Are identity repositories periodically reviewed and updated to ensure validity? (i.e., to ensure that the identities still need access)
3546 | Account Management | C2M2_V11 | Are credentials periodically reviewed to ensure that they are associated with the correct person or entity?
3547 | Account Management | C2M2_V11 | Are identities deprovisioned within organizationally defined time thresholds when no longer required?
3548 | Account Management | C2M2_V11 | Are requirements for credentials informed by the organization's risk criteria? (e.g., multifactor credentials for higher risk access)
3549 | Account Management | C2M2_V11 | Are access requirements determined (including those for remote access)?
3550 | Account Management | C2M2_V11 | Is access granted to identities based on requirements?
3551 | Account Management | C2M2_V11 | Is access revoked when no longer required?
3552 | Account Management | C2M2_V11 | Do your access requirements incorporate least privilege and separation of duties principles?
3553 | Account Management | C2M2_V11 | Are access requests reviewed and approved by the asset owner?
3554 | Account Management | C2M2_V11 | Do root privileges, administrative access, emergency access, and shared accounts receive additional scrutiny and monitoring?
3555 | Account Management | C2M2_V11 | Are access privileges reviewed and updated to ensure validity, at an organizationally defined frequency?
3556 | Account Management | C2M2_V11 | Is access to assets granted by the asset owner based on risk to the function?
3557 | Account Management | C2M2_V11 | Are anomalous access attempts monitored as indicators of cybersecurity events?
3558 | Access Control | C2M2_V11 | Are documented practices followed to establish and maintain identities and control access?
3559 | Access Control | C2M2_V11 | Are stakeholders identified and involved in access and identity management activities?
3560 | Access Control | C2M2_V11 | Are adequate resources (people, funding, and tools) provided to support access and identity management activities?
3561 | Access Control | C2M2_V11 | Have standards and/or guidelines been identified to inform access and identity management activities?
3562 | Access Control | C2M2_V11 | Are access and identity management activities guided by documented policies or other organizational directives?
3563 | Access Control | C2M2_V11 | Do access and identity management policies include compliance requirements for specified standards and/or guidelines?
3564 | Access Control | C2M2_V11 | Are access and identity management activities periodically reviewed to ensure conformance with policy?
3565 | Access Control | C2M2_V11 | Do personnel have responsibility and authority for the performance of access and identity management activities assigned to them?
3566 | Access Control | C2M2_V11 | Do personnel performing access and identity management activities have the skills and knowledge needed to perform their assigned responsibilities?
3567 | System Integrity | C2M2_V11 | Are information sources to support threat management activities identified? (e.g., US-CERT, ISACs, ICS-CERT, industry associations, vendors, federal briefings)
3568 | System Integrity | C2M2_V11 | Is cybersecurity threat information gathered and interpreted for the function?
3569 | System Integrity | C2M2_V11 | Are threats that are considered important to the function addressed? (e.g., implement mitigating controls, monitor threat status)
3570 | System Integrity | C2M2_V11 | Is a threat profile for the function established that includes characterization of likely intent, capability, and target of threats?
3571 | System Integrity | C2M2_V11 | Are threat information sources that address all components of the threat profile prioritized and monitored?
3572 | System Integrity | C2M2_V11 | Are identified threats analyzed and prioritized?
3573 | System Integrity | C2M2_V11 | Are threats addressed according to the assigned priority?
3574 | System Integrity | C2M2_V11 | Is the threat profile for the function validated at an organizationally-defined frequency?
3575 | System Integrity | C2M2_V11 | Are analysis and prioritization of threats informed by the function's or organization's risk criteria?
3576 | System Integrity | C2M2_V11 | Is threat information added to the risk register?
3577 | System Integrity | C2M2_V11 | Are information sources to support cybersecurity vulnerability discovery identified? (e.g., US-CERT, ISACs, ICS-CERT, industry associations, vendors, federal briefings, internal assessments)
3578 | System Integrity | C2M2_V11 | Is cybersecurity vulnerability information gathered and interpreted for the function?
3579 | System Integrity | C2M2_V11 | Are cybersecurity vulnerabilities which are considered important to the function addressed? (e.g., implement mitigating controls, apply cybersecurity patches)
3580 | System Integrity | C2M2_V11 | Are cybersecurity vulnerability information sources that address all assets important to the function monitored?
3581 | System Integrity | C2M2_V11 | Are cybersecurity vulnerability assessments performed? (e.g., architectural reviews, penetration testing, cybersecurity exercises, vulnerability identification tools)
3582 | System Integrity | C2M2_V11 | Are identified cybersecurity vulnerabilities analyzed and prioritized? (e.g., Common Vulnerability Scoring System (CVSS) scores could be used to prioritize patches)
3583 | System Integrity | C2M2_V11 | Are cybersecurity vulnerabilities addressed according to the assigned priority?
3584 | System Integrity | C2M2_V11 | Is operational impact to the function evaluated prior to deploying cybersecurity patches?
3585 | Risk Management and Assessment | C2M2_V11 | Are cybersecurity vulnerability assessments performed for all assets important to the delivery of the function, at an organization-defined frequency?
3586 | Risk Management and Assessment | C2M2_V11 | Are cybersecurity vulnerability assessments informed by the function's (or organization's) risk criteria?
3587 | Risk Management and Assessment | C2M2_V11 | Are cybersecurity vulnerability assessments performed by parties that are independent of the operations of the function?
3588 | Risk Management and Assessment | C2M2_V11 | Are analysis and prioritization of cybersecurity vulnerabilities informed by the function's (or organization's) risk criteria?
3589 | Risk Management and Assessment | C2M2_V11 | Is cybersecurity vulnerability information added to the risk register?
3590 | Risk Management and Assessment | C2M2_V11 | Do risk monitoring activities validate the responses to cybersecurity vulnerabilities? (e.g., deployment of patches or other activities)
3591 | System Integrity | C2M2_V11 | Are documented practices followed for threat and vulnerability management activities?
3592 | System Integrity | C2M2_V11 | Are stakeholders for threat and vulnerability management activities identified and involved?
3593 | System Integrity | C2M2_V11 | Are adequate resources (people, funding, and tools) provided to support threat and vulnerability management activities?
3594 | System Integrity | C2M2_V11 | Have standards and/or guidelines been identified to inform threat and vulnerability management activities?
3595 | Monitoring & Malware | C2M2_V11 | Are threat and vulnerability management activities guided by documented policies or other organizational directives?
3596 | Monitoring & Malware | C2M2_V11 | Do threat and vulnerability management policies include compliance requirements for specified standards and/or guidelines?
3597 | Monitoring & Malware | C2M2_V11 | Are threat and vulnerability management activities periodically reviewed to ensure conformance with policy?
3598 | Monitoring & Malware | C2M2_V11 | Are responsibility and authority for the performance of threat and vulnerability management activities assigned to personnel?
3599 | Monitoring & Malware | C2M2_V11 | Do personnel performing threat and vulnerability management activities have the skills and knowledge needed to perform their assigned responsibilities?
3600 | Audit and Accountability | C2M2_V11 | Are logs being generated for assets important to the function where possible?
3601 | Audit and Accountability | C2M2_V11 | Have logging requirements been defined for all assets important to the function? (e.g., scope of activity and coverage of assets, cybersecurity requirements [confidentiality, integrity, availability])
3602 | Audit and Accountability | C2M2_V11 | Are log data being aggregated within the function?
3603 | Audit and Accountability | C2M2_V11 | Are logging requirements based on risk to the function?
3604 | Audit and Accountability | C2M2_V11 | Does log data support other business and security processes? (e.g., incident response, asset management)
3605 | Audit and Accountability | C2M2_V11 | Are cybersecurity monitoring activities performed? (e.g., periodic reviews of log data)
3606 | Audit and Accountability | C2M2_V11 | Are operational environments monitored for anomalous behavior that may indicate a cybersecurity event?
3607 | Audit and Accountability | C2M2_V11 | Have monitoring and analysis requirements been defined for the function, and do they address timely review of event data?
3608 | Audit and Accountability | C2M2_V11 | Are alarms and alerts configured to aid in the identification of cybersecurity events?
3609 | Audit and Accountability | C2M2_V11 | Have indicators of anomalous activity been defined, and are they monitored across the operational environment?
3610 | Audit and Accountability | C2M2_V11 | Are monitoring activities aligned with the function's threat profile?
3611 | Audit and Accountability | C2M2_V11 | Are monitoring requirements based on the risk to the function?
3612 | Audit and Accountability | C2M2_V11 | Is monitoring integrated with other business and security processes? (e.g., incident response, asset management)
3613 | Audit and Accountability | C2M2_V11 | Is continuous monitoring performed across the operational environment to identify anomalous activity?
3614 | Audit and Accountability | C2M2_V11 | Is risk register content (a structured repository of identified risks, see RM-2j) used to identify indicators of anomalous activity?
3615 | Audit and Accountability | C2M2_V11 | Are alarms and alerts configured according to indicators of anomalous activity?
3616 | System Integrity | C2M2_V11 | Are methods of communicating the current cybersecurity state for the function established and maintained?
3617 | System Integrity | C2M2_V11 | Are monitoring data aggregated to provide an understanding of the operational state of the function? (i.e., a common operating picture (COP), which may or may not include visualization or be presented graphically)
3618 | System Integrity | C2M2_V11 | Is information from across the organization available to enhance the common operating picture?
3619 | System Integrity | C2M2_V11 | Are aggregated monitoring data used to provide near-real-time understanding of the cybersecurity state for the function in order to enhance the common operating picture?
3620 | System Integrity | C2M2_V11 | Is information from outside the organization collected to enhance the common operating picture?
3621 | System Integrity | C2M2_V11 | Are predefined states of operation defined and invoked (manual or automated) based on the common operating picture?
3622 | System Integrity | C2M2_V11 | Are documented practices followed for logging, monitoring, and COP activities?
3623 | System Integrity | C2M2_V11 | Are stakeholders identified and involved in logging, monitoring, and COP activities?
3624 | System Integrity | C2M2_V11 | Are adequate resources (people, funding, and tools) provided to support logging, monitoring, and COP activities?
3625 | System Integrity | C2M2_V11 | Have standards and/or guidelines been identified to inform logging, monitoring, and COP activities?
3626 | System Integrity | C2M2_V11 | Are logging, monitoring, and COP activities guided by documented policies or other organizational directives?
3627 | System Integrity | C2M2_V11 | Do logging, monitoring, and COP policies include compliance requirements for specified standards and/or guidelines?
3628 | System Integrity | C2M2_V11 | Are logging, monitoring, and COP activities periodically reviewed to ensure conformance with policy?
3629 | System Integrity | C2M2_V11 | Are responsibility and authority for the performance of logging, monitoring, and COP activities assigned to personnel?
3630 | System Integrity | C2M2_V11 | Do personnel performing logging, monitoring, and COP activities have the skills and knowledge needed to perform their assigned responsibilities?
3631 | System Integrity | C2M2_V11 | Is information collected from and provided to selected individuals and/or organizations?
3632 | System Integrity | C2M2_V11 | Is the responsibility for cybersecurity reporting assigned to personnel? (e.g., internal reporting, ICS-CERT, law enforcement)
3633 | System Integrity | C2M2_V11 | Are information-sharing stakeholders identified based on their relevance to the continued operation of the function? (e.g., connected organizations, vendors, sector organizations, regulators, internal entities)
3634 | System Integrity | C2M2_V11 | Is information collected from and provided to identified information-sharing stakeholders?
3635 | System Integrity | C2M2_V11 | Are technical sources identified that can be consulted on cybersecurity issues?
3636 | System Integrity | C2M2_V11 | Are provisions established and maintained to enable secure sharing of sensitive or classified information?
3637 | System Integrity | C2M2_V11 | Do information-sharing practices address standard and emergency operations?
3638 | System Integrity | C2M2_V11 | Are information-sharing stakeholders identified based on shared interest and risk to critical infrastructure?
3639 | System Integrity | C2M2_V11 | Does the function or the organization participate in information sharing and analysis centers?
3640 | System Integrity | C2M2_V11 | Have information-sharing requirements and the timely dissemination of cybersecurity information for the function been defined and addressed?
3641 | System Integrity | C2M2_V11 | Are procedures in place to analyze and coordinate received information?
3642 | System Integrity | C2M2_V11 | Has a network of internal and external trust relationships (formal and/or informal) been established to vet and validate cyber events?
3643 | System Integrity | C2M2_V11 | Are documented practices followed for information-sharing activities?
3644 | System Integrity | C2M2_V11 | Are stakeholders for information-sharing activities identified and involved?
3645 | System Integrity | C2M2_V11 | Are adequate resources (people, funding, and tools) provided to support information-sharing activities?
3646 | System Integrity | C2M2_V11 | Have standards and/or guidelines been identified to inform information-sharing activities?
3647 | System Integrity | C2M2_V11 | Are information-sharing activities guided by documented policies or other organizational directives?
3648 | System Integrity | C2M2_V11 | Do information-sharing policies include compliance requirements for specified standards and/or guidelines?
3649 | System Integrity | C2M2_V11 | Are information-sharing activities periodically reviewed to ensure conformance with policy?
3650 | System Integrity | C2M2_V11 | Are responsibility and authority for the performance of information-sharing activities assigned to personnel?
3651 | System Integrity | C2M2_V11 | Do personnel performing information-sharing activities have the skills and knowledge needed to perform their assigned responsibilities?
3652 | System Integrity | C2M2_V11 | Do information-sharing policies address protected information and ethical use and sharing of information, including sensitive and classified information as appropriate?
3653 | Incident Response | C2M2_V11 | Is there a point of contact (person or role) to whom cybersecurity events could be reported?
3654 | Incident Response | C2M2_V11 | Are detected cybersecurity events reported?
3655 | Incident Response | C2M2_V11 | Are cybersecurity events logged and tracked?
3656 | Incident Response | C2M2_V11 | Are criteria established for cybersecurity event detection? (e.g., what constitutes an event, where to look for events)
3657 | Incident Response | C2M2_V11 | Is there a repository where cybersecurity events are logged based on the established criteria?
3658 | Incident Response | C2M2_V11 | Is event information correlated to support incident analysis by identifying patterns, trends, and other common features?
3659 | Incident Response | C2M2_V11 | Are cybersecurity event detection activities adjusted based on information from the organization's risk register (a structured repository of identified risks, see RM-2j) and threat profile (including characterization of likely intent, capability, and target of threats to the function, see TVM-1d) to help detect known threats and monitor for identified risks?
3660 | Incident Response | C2M2_V11 | Is the common operating picture for the function monitored to support the identification of cybersecurity events?
3661 | Incident Response | C2M2_V11 | Are criteria for cybersecurity event escalation established, including cybersecurity incident declaration criteria?
3662 | Incident Response | C2M2_V11 | Are cybersecurity events analyzed to support escalation and the declaration of cybersecurity incidents?
3663 | Incident Response | C2M2_V11 | Are escalated cybersecurity events and incidents logged and tracked?
3664 | Incident Response | C2M2_V11 | Are criteria for cybersecurity event escalation (including cybersecurity incident criteria) established based on the potential impact to the function?
3665 | Incident Response | C2M2_V11 | Are criteria for cybersecurity event escalation (including cybersecurity incident declaration criteria) updated at an organizationally-defined frequency?
3666 | Incident Response | C2M2_V11 | Is there a repository where escalated cybersecurity events and incidents are logged and tracked to closure?
3667 | Incident Response | C2M2_V11 | Are criteria for cybersecurity event escalation (including cybersecurity incident declaration criteria) adjusted according to information from the organization's risk register (RM-2j) and threat profile (TVM-1d)?
3668 | Incident Response | C2M2_V11 | Do escalated cybersecurity events and declared cybersecurity incidents inform the common operating picture (COP) (SA-3a) for the function?
3669 | Incident Response | C2M2_V11 | Are escalated cybersecurity events and declared incidents correlated to support the discovery of patterns, trends, and other common features?
3670 | Incident Response | C2M2_V11 | Are cybersecurity event and incident response personnel identified and roles assigned?
3671 | Incident Response | C2M2_V11 | Are responses to escalated cybersecurity events and incidents implemented to limit impact to the function and restore normal operations?
3672 | Incident Response | C2M2_V11 | Is reporting of escalated cybersecurity events and incidents performed? (e.g., internal reporting, ICS-CERT, relevant ISACs)
3673 | Incident Response | C2M2_V11 | Is cybersecurity event and incident response performed according to defined procedures that address all phases of the incident life cycle? (e.g., triage, handling, communication, coordination, and closure)
3674 | Incident Response | C2M2_V11 | Are cybersecurity event and incident response plans exercised at an organizationally-defined frequency?
3675 | Incident Response | C2M2_V11 | Do cybersecurity event and incident response plans address information technology (IT) and operations technology (OT) assets important to the delivery of the function?
3676 | Incident Response | C2M2_V11 | Is training conducted for cybersecurity event and incident response teams?
3677 | Incident Response | C2M2_V11 | Are cybersecurity event and incident root-cause analysis and lessons-learned activities performed, and corrective actions taken?
3678 | Incident Response | C2M2_V11 | Are cybersecurity event and incident responses coordinated with law enforcement and other government entities as appropriate, including support for evidence collection and preservation?
3679 | Incident Response | C2M2_V11 | Do cybersecurity event and incident response personnel participate in joint cybersecurity exercises with other organizations? (e.g., table top, simulated incidents)
3680 | Incident Response | C2M2_V11 | Are cybersecurity event and incident response plans reviewed and updated at an organizationally-defined frequency?
3681 | Incident Response | C2M2_V11 | Are cybersecurity event and incident response activities coordinated with relevant external entities?
3682 | Incident Response | C2M2_V11 | Are cybersecurity event and incident response plans aligned with the function's risk criteria (RM-1c) and threat profile (TVM-1d)?
3683 | Incident Response | C2M2_V11 | Do policies and procedures for reporting cybersecurity event and incident information to designated authorities conform with applicable laws, regulations, and contractual agreements?
3684 | Incident Response | C2M2_V11 | Are restored assets configured appropriately and inventory information updated following execution of response plans?
3685 | Continuity | C2M2_V11 | Are the necessary activities identified to sustain minimum operations of the function?
3686 | Continuity | C2M2_V11 | Is the sequence of necessary activities identified to return the function to normal operation?
3687 | Continuity | C2M2_V11 | Are continuity plans developed to sustain and restore operation of the function?
3688 | Continuity | C2M2_V11 | Do business impact analyses inform the development of continuity plans?
3689 | Continuity | C2M2_V11 | Are recovery time objectives (RTO) and recovery point objectives (RPO) for the function incorporated into continuity plans?
3690 | Continuity | C2M2_V11 | Are continuity plans evaluated and exercised?
3691 | Continuity | C2M2_V11 | Are business impact analyses periodically reviewed and updated?
3692 | Continuity | C2M2_V11 | Are recovery time objectives (RTO) and recovery point objectives (RPO) aligned with the function's risk criteria (objective criteria that the organization uses for evaluating, categorizing, and prioritizing operational risks based on impact, tolerance for risk, and risk response approaches, see RM-1c)?
3693 | Continuity | C2M2_V11 | Are the results of continuity plan testing and/or activation compared to recovery objectives, and are plans improved accordingly?
3694 | Continuity | C2M2_V11 | Are continuity plans periodically reviewed and updated?
3695 | Continuity | C2M2_V11 | Are restored assets configured appropriately and inventory information updated following execution of the continuity plans?
3696 | Continuity | C2M2_V11 | Are documented practices followed for cybersecurity event and incident response as well as continuity of operations activities?
3697 | Continuity | C2M2_V11 | Are stakeholders for cybersecurity event and incident response as well as continuity of operations activities identified and involved?
3698 | Continuity | C2M2_V11 | Are adequate resources (people, funding, and tools) provided to support cybersecurity event and incident response as well as continuity of operations activities?
3699 | Continuity | C2M2_V11 | Have standards and/or guidelines been identified to inform cybersecurity event and incident response as well as continuity of operations activities?
3700 | Continuity | C2M2_V11 | Are cybersecurity event and incident response as well as continuity of operations activities guided by documented policies or other organizational directives?
3701 | Continuity | C2M2_V11 | Do cybersecurity event and incident response as well as continuity of operations policies include compliance requirements for specified standards and/or guidelines?
3702 | Continuity | C2M2_V11 | Are cybersecurity event and incident response as well as continuity of operations activities periodically reviewed to ensure conformance with policy?
3703 | Continuity | C2M2_V11 | Are responsibility and authority for the performance of cybersecurity event and incident response as well as continuity of operations activities assigned to personnel?
3704 | Continuity | C2M2_V11 | Do personnel performing cybersecurity event and incident response as well as continuity of operations activities have the skills and knowledge needed to perform their assigned responsibilities?
3705 | System and Services Acquisition | C2M2_V11 | Are important information technology (IT) and operations technology (OT) supplier dependencies identified? (e.g., external parties on which the delivery of the function depends, including operating partners)
3706 | System and Services Acquisition | C2M2_V11 | Are important customer dependencies identified? (e.g., external parties that are dependent on the delivery of the function, including operating partners)
3707 | System and Services Acquisition | C2M2_V11 | Are supplier dependencies identified according to established criteria?
3708 | System and Services Acquisition | C2M2_V11 | Are customer dependencies identified according to established criteria?
3709 | System and Services Acquisition | C2M2_V11 | Are single source and other essential dependencies identified?
3710 | System and Services Acquisition | C2M2_V11 | Are dependencies prioritized?
3711 | System and Services Acquisition | C2M2_V11 | Are dependency identification and prioritization based on the function's or organization's risk criteria (RM-1c)?
3712 | System and Services Acquisition | C2M2_V11 | Are significant cybersecurity risks due to suppliers and other dependencies identified and addressed?
3713 | System and Services Acquisition | C2M2_V11 | Are cybersecurity requirements considered when establishing relationships with suppliers and other third parties?
3714 | System and Services Acquisition | C2M2_V11 | Are identified cybersecurity dependency risks entered into the risk register (RM-2j)?
3715 | System and Services Acquisition | C2M2_V11 | Do contracts and agreements with third parties incorporate sharing of cybersecurity threat information?
3716 | System and Services Acquisition | C2M2_V11 | Are cybersecurity requirements established for suppliers according to a defined practice, including requirements for secure software development practices where appropriate?
3717 | System and Services Acquisition | C2M2_V11 | Do agreements with suppliers and other external entities include cybersecurity
3718 | System and Services Acquisition | C2M2_V11 |
3719 | System and Services Acquisition | C2M2_V11 |
3720 | System and Services Acquisition | C2M2_V11 |
3721 | System and Services Acquisition | C2M2_V11 |
3722 | System and Services Acquisition | C2M2_V11 |
3723 | System and Services Acquisition | C2M2_V11 |
requirements?
Do evaluation and selection of suppliers and other external entities include consideration
of their ability to meet cybersecurity requirements?
Do agreements with suppliers require notification of cybersecurity incidents related to
the delivery of the product or service?
Are suppliers and other external entities periodically reviewed for their ability to
continually meet the cybersecurity requirements?
Are cybersecurity risks due to external dependencies managed according to the
organization's risk management criteria and process?
Are cybersecurity requirements established for supplier dependencies based on the
organization's risk criteria (RM-1c)?
Do agreements with suppliers require notification of vulnerability-inducing product
defects throughout the intended life cycle of delivered products?

3735
3736

System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Organizational
Organizational

3737

Organizational

C2M2_V11

3738

Organizational

C2M2_V11

3739

Organizational

C2M2_V11

3740

Organizational

C2M2_V11

3741

Organizational

C2M2_V11

3742

Personnel

C2M2_V11

3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734

C2M2_V11
C2M2_V11

Does acceptance testing of procured assets include testing for cybersecurity
requirements?
Are information sources monitored to identify and avoid supply chain threats? (e.g.,
counterfeit parts, software, and services)

C2M2_V11

Are documented practices followed for managing dependency risk?

C2M2_V11

Are stakeholders for managing dependency risk identified and involved?

C2M2_V11

Are adequate resources (people, funding, and tools) provided to support dependency risk
management activities?

C2M2_V11

Have standards and/or guidelines been identified to inform managing dependency risk?

C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11

Are dependency risk management activities guided by documented policies or other
organizational directives?
Do dependency risk management policies include compliance requirements for specified
standards and/or guidelines?
Are dependency risk management activities periodically reviewed to ensure conformance
with policy?
Are responsibility and authority for the performance of dependency risk management
assigned to personnel?
Do personnel performing dependency risk management have the skills and knowledge
needed to perform their assigned responsibilities?
Are cybersecurity responsibilities for the function identified?
Are cybersecurity responsibilities assigned to specific people?
Are cybersecurity responsibilities assigned to specific roles, including external service
providers?
Are cybersecurity responsibilities documented? (e.g., in position descriptions)
Are cybersecurity responsibilities and job requirements reviewed and updated as
appropriate?
Are cybersecurity responsibilities included in job performance evaluation criteria?
Are assigned cybersecurity responsibilities managed to ensure adequacy and redundancy
of coverage?
Is personnel vetting (e.g., background checks, drug tests) performed at hire for positions
that have access to the assets required for delivery of the function?

3743

Personnel

C2M2_V11

3744

Personnel

C2M2_V11

3745

Personnel

C2M2_V11

3746

Personnel

C2M2_V11

3747

Personnel

C2M2_V11

3748

Personnel

C2M2_V11

3749

Personnel

C2M2_V11

3750

Training

C2M2_V11

3751
3752

Training
Training

C2M2_V11
C2M2_V11

3753

Training

C2M2_V11

3754

Training

C2M2_V11

3755

Training

C2M2_V11

3756

Training

C2M2_V11

3757

Training

C2M2_V11

3758

Training

C2M2_V11

3759
3760

Training
Training

C2M2_V11
C2M2_V11

Do personnel termination procedures address cybersecurity?
Is personnel vetting performed at an organizationally-defined frequency for positions that
have access to the assets required for delivery of the function?
Do personnel transfer procedures address cybersecurity?
Are risk designations assigned to all positions that have access to the assets required for
delivery of the function?
Is vetting performed for all positions (including employees, vendors, and contractors) at a
level commensurate with position risk designation?
Is succession planning performed for personnel based on risk designation?
Is a formal accountability process (including disciplinary actions) implemented for
personnel who fail to comply with established security policies and procedures?
Is cybersecurity training made available to personnel with assigned cybersecurity
responsibilities?
Are cybersecurity knowledge, skill, and ability gaps identified?
Are identified gaps addressed through recruiting and/or training?
Is cybersecurity training provided as a prerequisite to granting access to assets that
support the delivery of the function? (e.g., new personnel training, personnel transfer
training)
Are cybersecurity workforce management objectives that support current and future
operational needs established and maintained?
Are recruiting and retention aligned to support cybersecurity workforce management
objectives?
Are training programs aligned to support cybersecurity workforce management
objectives?
Is the effectiveness of training programs evaluated at an organizationally-defined
frequency and are improvements made as appropriate?
Do training programs include continuing education and professional development
opportunities for personnel with significant cybersecurity responsibilities?
Do any cybersecurity awareness activities occur?
Are objectives for cybersecurity awareness activities established and maintained?

3761

Training

C2M2_V11

Is cybersecurity awareness content based on the organization's threat profile (TVM-1d)?

3762

Training

C2M2_V11

Are cybersecurity awareness activities aligned with the predefined states of operation (SA3f)?

3763

Training

C2M2_V11

Is the effectiveness of cybersecurity awareness activities evaluated at an organizationallydefined frequency and are improvements made as appropriate?

3764

Incident Response

C2M2_V11

Are documented practices followed for cybersecurity workforce management activities?

3765

Incident Response

C2M2_V11

3766

Incident Response

C2M2_V11

3767

Incident Response

C2M2_V11

3768

Incident Response

C2M2_V11

3769

Incident Response

C2M2_V11

3770

Incident Response

C2M2_V11

3771

Incident Response

C2M2_V11

3772

Incident Response

C2M2_V11

3773
3774
3775
3776
3777
3778
3779

Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General
Policies & Procedures
General

C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11
C2M2_V11

Are stakeholders for cybersecurity workforce management activities identified and
involved?
Are adequate resources (people, funding, and tools) provided to support cybersecurity
workforce management activities?
Have standards and/or guidelines been identified to inform cybersecurity workforce
management activities?
Are cybersecurity workforce management activities guided by documented policies or
other organizational directives?
Do cybersecurity workforce management policies include compliance requirements for
specified standards and/or guidelines?
Are cybersecurity workforce management activities periodically reviewed to ensure
conformance with policy?
Are responsibility and authority for the performance of cybersecurity workforce
management activities assigned to personnel?
Do personnel performing cybersecurity workforce management activities have the skills
and knowledge needed to perform their assigned responsibilities?
Does the organization have a cybersecurity program strategy?
Does the cybersecurity program strategy define objectives for the organization's
cybersecurity activities?
Are the cybersecurity program strategy and priorities documented and aligned with the
organization's strategic objectives and risk to critical infrastructure?
Does the cybersecurity program strategy define the organization's approach to provide
program oversight and governance for cybersecurity activities?
Does the cybersecurity program strategy define the structure and organization of the
cybersecurity program?

C2M2_V11

Is the cybersecurity program strategy approved by senior management?

C2M2_V11

Is the cybersecurity program strategy updated to reflect business changes, changes in the
operating environment, and changes in the threat profile (TVM-1d)?

3780

Organizational

C2M2_V11

3781

Organizational

C2M2_V11

3782

Organizational

C2M2_V11

3783

Organizational

C2M2_V11

3784

Organizational

C2M2_V11

3785

Organizational

C2M2_V11

3786

Organizational

C2M2_V11

Are resources (people, tools, and funding) provided to support the cybersecurity
program?
Does senior management provide sponsorship for the cybersecurity program?
Is the cybersecurity program established according to the cybersecurity program
strategy?
Are adequate funding and other resources (e.g., people and tools) provided to establish
and operate a cybersecurity program aligned with the program strategy?
Is senior management sponsorship for the cybersecurity program visible and active? (i.e.,
the importance and value of cybersecurity activities is regularly communicated by senior
management)
If the organization develops or procures software, are secure software development
practices sponsored as an element of the cybersecurity program?
Is the development and maintenance of cybersecurity policies sponsored?

3787

Organizational

C2M2_V11

Is responsibility for the cybersecurity program assigned to a role with requisite authority?

3788

Organizational

C2M2_V11

3789

Organizational

C2M2_V11

3790

Organizational

C2M2_V11

3791

Organizational

C2M2_V11

3792

Organizational

C2M2_V11

3793

System Protection

C2M2_V11

3794

System Protection

C2M2_V11

Is architectural segmentation and isolation maintained according to a documented plan?

3795

Organizational

C2M2_V11

3796

System Integrity

C2M2_V11

Is cybersecurity architecture updated at an organizationally-defined frequency?
Is software to be deployed on assets that are important to the delivery of the function
developed using secure software development practices?

Is the performance of the cybersecurity program monitored to ensure it aligns with the
cybersecurity program strategy?
Is the cybersecurity program independently reviewed for achievement of cybersecurity
program objectives? (i.e., by reviewers who are not in the program)
Does the cybersecurity program address and enable the achievement of regulatory
compliance as appropriate?
Does the cybersecurity program monitor and/or participate in selected industry
cybersecurity standards or initiatives?
Is a strategy to architecturally isolate the organization's IT systems from OT systems
implemented?
Is a cybersecurity architecture in place to enable segmentation, isolation, and other
requirements that support the cybersecurity strategy?

3797

System Integrity

C2M2_V11

Do policies require that software that is to be deployed on assets that are important to
the delivery of the function be developed using secure software development practices?

3798

Organizational

C2M2_V11

Are documented practices followed for cybersecurity program management activities?

3799

Organizational

C2M2_V11

3800

Organizational

C2M2_V11

3801

Organizational

C2M2_V11

3802

Organizational

C2M2_V11

3803

Organizational

C2M2_V11

1259

Account Management

C800_53_R3

1260

Account Management

C800_53_R3

Is the normal time-of-day and duration usage for accounts determined?

1261

Account Management

C800_53_R3

Is the atypical usage of accounts monitored?

1262

Account Management

C800_53_R3

Is the atypical usage of accounts reported to designated officials?

1263

Account Management

C800_53_R3

Are user privileges and associated access authorizations dynamically managed?

1269

Account Management

C800_53_R3

Is the separation of duties documented?

1270

Access Control

C800_53_R3

1271

Access Control

C800_53_R3

1272

Access Control

C800_53_R3

Are stakeholders for cybersecurity program management activities identified and
involved?
Have standards and/or guidelines been identified to inform cybersecurity program
management activities?
Are cybersecurity program management activities guided by documented policies or
other organizational directives?
Are cybersecurity program management activities periodically reviewed to ensure
conformance with policy?
Do personnel performing cybersecurity program management activities have the skills
and knowledge needed to perform their assigned responsibilities?
Are users required to log out when a defined time-period of expected inactivity and/or
description of when to log out?

Is the authorization to super user accounts limited to designated system administration
personnel?
Is the privileged access to the system prohibited for nonorganizational users?
Does the system purge information from mobile devices after a defined number of
consecutive, unsuccessful login attempts to the device?

1273

Portable/Mobile/Wirel
C800_53_R3
ess

Is the system monitored for unauthorized wireless connections? Does the monitoring
include scanning for unauthorized wireless access points on defined frequency, and is
appropriate action taken if an unauthorized connection is discovered?

1274

Portable/Mobile/Wirel
C800_53_R3
ess

Are wireless communications confined to organization-controlled boundaries?

1275

Training

C800_53_R3

1276

Training

C800_53_R3

1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability

C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3

Are employees provided with initial and periodic training in the employment and
operation of environmental controls?
Are employees provided with initial and periodic training in the employment and
operation of physical security controls?
Does the system shut down in the event of an audit failure, unless an alternative audit
capability exists?
Is information from audit records correlated with information from monitoring physical
access to identify suspicious, inappropriate, unusual, or malevolent activity?
Are the permitted actions specified for each authorized information system process, role,
and/or user in the audit and accountability policy?
Are automated mechanisms used to alert security personnel of a defined list of
inappropriate or unusual activities?
Is full-text analysis of privileged functions executed performed in a physically dedicated
system?
Are cryptographic mechanisms used to protect the integrity of audit information and
audit tools?
Is access to management of audit functionality authorized only to a limited subset of
privileged users? Are audit records of nonlocal accesses to privileged accounts and the
execution of privileged functions protected?
Does the system protect against an individual falsely denying having performed a
particular action?
Is the identity of the information producer associated with the information?
Does the system validate the binding of the information producer's identity to the
information?
Are reviewer/releaser identity and credentials maintained within the established chain of
custody for all information reviewed or released?

1288
1289
1290
1291

1292

1293
1294
1295

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment

C800_53_R3

Does the system validate the binding of the reviewer's identity to the information at the
transfer/release point prior to release/transfer from one security domain to another
security domain?

C800_53_R3

Is FIPS-validated or NSA-approved cryptography used to implement digital signatures?

C800_53_R3

Is a systemwide audit trail produced and composed of audit records in a standardized
format?

C800_53_R3

Are session audits initiated at system startup?

C800_53_R3

C800_53_R3
C800_53_R3
C800_53_R3

1296

Plans

C800_53_R3

1297

Organizational
Risk Management and
Assessment
Configuration
Management

C800_53_R3

1298
1299

C800_53_R3
C800_53_R3

1300

Configuration
Management

C800_53_R3

1301

Configuration
Management

C800_53_R3

1302

Configuration
Management

C800_53_R3

Does the security assessment plan describe the scope of the assessment and include the
security controls and control enhancements under assessment, the assessment
procedures to be used, the assessment environment, the assessment team, and
assessment roles and responsibilities?
Are the written results of the security control assessment provided to the authorizing
official or designated representative?
Is the direct connection of an unclassified national security system prohibited to an
external network?
Is the direct connection of a classified national security system prohibited to an external
network?
Are automated mechanisms used to help ensure that the plan of action and milestones
for the system are accurate, up to date, and readily available?
Is the security authorization updated on a defined frequency?
Does the continuous monitoring program include ongoing security control assessments in
accordance with the organizational continuous monitoring strategy?
Are older versions of baseline configurations retained as necessary to support rollback?
Is there a defined list of software programs not authorized to execute on the system? Is
the authorization policy an allow-all, deny-by-exception for software allowed to execute
on the system?
Are configuration-controlled changes to the system approved with explicit consideration
for security impact analyses?
Are configuration change control activities provided and coordinated through a defined
configuration change control element that convenes on a defined frequency or for
defined configuration change conditions?

1303

Configuration
Management

1304

Configuration
Management

1305
1306
1307
1308

Configuration
Management
Configuration
Management
System Protection
Configuration
Management

C800_53_R3

Does the configuration change control element have a security representative member?

C800_53_R3

Are the security functions checked after any system changes to verify that the functions
are implemented correctly, operating as intended, and meeting the security requirements
for the system?

C800_53_R3

Are the privileges to change software resident within software libraries limited?

C800_53_R3
C800_53_R3
C800_53_R3

1309

Policies & Procedures
General

C800_53_R3

1310

Plans

C800_53_R3

1311

Plans

C800_53_R3

1312

Plans

C800_53_R3

1313

Plans

C800_53_R3

1314

Plans

C800_53_R3

1315

Continuity

C800_53_R3

1316

Continuity

C800_53_R3

1317

Continuity

C800_53_R3

Is conformance to security configuration guidance demonstrated prior to being
introduced into a production environment?
Are there defined registration requirements for ports, protocols, and services?
Is there an inventory of system components that is available for review and audit by
organizational officials?
Is there a formal, documented contingency planning policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance?
Is the contingency plan distributed to a defined list of key contingency personnel and
organizational elements?
Are contingency plan changes communicated to a defined list of key contingency
personnel and organizational elements?
Has capacity planning determined the necessary capacity for information processing,
telecommunications, and environmental support needed during contingency operations?
Is the resumption of essential missions and business functions planned for within a
defined time period of contingency plan activation?
Is a full recovery and reconstitution of the system to a known state included as part of
contingency plan testing?
Are the backups of system documentation, including security-related documentation,
done on a defined frequency consistent with recovery time and recovery point
objectives?
Is system backup information transferred to the alternate storage site on a defined time
period, and is the transfer rate consistent with the recovery time and recovery point
objectives?
Is a redundant secondary system that is not co-located used for system backup, and can it
be activated without loss of information or disruption to the operation?

1318
1319

Access Control
Access Control

C800_53_R3
C800_53_R3

Is multifactor authentication used for network access to nonprivileged accounts?
Is multifactor authentication used for local access to nonprivileged accounts?

1320

Access Control

C800_53_R3

Is multifactor authentication used for network access to nonprivileged accounts where
one of the factors is provided by a device separate from the system being accessed?

1321

Access Control

C800_53_R3

1322

Access Control

C800_53_R3

1323

Access Control

C800_53_R3

1324

Account Management

C800_53_R3

1325

Account Management

C800_53_R3

Are identifiers, attributes, and associated access authorizations dynamically managed?

Are defined replay-resistant authentication mechanisms used for network access to
privileged accounts? (e.g., Kerberos, LDAP, etc.)
Are defined replay-resistant authentication mechanisms used for network access to
nonprivileged accounts?
Does the organization standardize, with regard to dynamic address allocation, Dynamic
Host Control Protocol (DHCP) lease information and the time assigned to devices, and
audit lease information when assigned to a device?
Do user identifiers uniquely identify the user by a defined characteristic identifying user
status?

1326

Account Management

C800_53_R3

Is there a minimum password complexity of defined requirements for case sensitivity,
number of characters, mix of upper case letters, lower case letters, numbers, and special
characters, including minimum requirements for each type?

1327

Account Management

C800_53_R3

Do new passwords require a defined number of changed characters?

1328

Account Management

C800_53_R3

Are passwords encrypted in storage and in transmission?

1329

Account Management

C800_53_R3

Is there a defined minimum and maximum lifetime restriction for passwords?

1330

Account Management

C800_53_R3

Is password reuse prohibited for a defined number of generations?

1331

Account Management

C800_53_R3

1332

Incident Response

C800_53_R3

1333

Incident Response

C800_53_R3

1334

Incident Response

C800_53_R3

Are defined measures taken to manage the risk of compromise due to individuals having
accounts on multiple systems?
Is the system dynamically reconfigured as part of the incident response capability?
Are classes of incidents identified, and are appropriate actions defined to ensure
continuation of organizational missions and business functions?
Are personnel required to report suspected security incidents to the organizational
incident response authority within a defined time-period?

1335

1336

Maintenance

Maintenance

C800_53_R3

Are there procedures for the use of maintenance personnel that lack appropriate security
clearances or for non - U.S. citizens?

C800_53_R3

Are maintenance personnel who do not have needed access authorizations, clearances,
or formal access approvals escorted and supervised during the performance of
maintenance and diagnostic activities on the system by approved personnel who are fully
cleared, have appropriate access authorizations, and are technically qualified?

1337

Maintenance

C800_53_R3

1338

Maintenance

C800_53_R3

1339

Maintenance

C800_53_R3

1340

Maintenance

C800_53_R3

1341

Maintenance

C800_53_R3

1342

Maintenance

C800_53_R3

1343

Info Protection

C800_53_R3

1344

Info Protection

C800_53_R3

1345

Info Protection

C800_53_R3

1346

Info Protection

C800_53_R3

Are all volatile information storage components within the system sanitized, and are all
nonvolatile storage media removed or physically disconnected from the system and
secured before initiating maintenance or diagnostic activities by personnel who do not
have needed access authorizations, clearances or formal access approvals?
Are the procedures contained in the security plan for the system enforced when a system
component cannot be sanitized?
Are all personnel performing maintenance and diagnostic activities on a system
processing, storing, or transmitting classified information cleared for the highest level of
information on the system?
Are all personnel performing maintenance and diagnostic activities on a system
processing, storing, or transmitting classified information U.S. citizens?
Are cleared foreign nationals used to conduct maintenance and diagnostic activities on a
system only when the system is jointly owned and operated by the United States and
foreign allied governments, or owned and operated solely by foreign allied governments?
Are the approvals, consents, and detailed operational conditions regarding the use of
foreign nationals to conduct maintenance and diagnostic activities on a system fully
documented with a Memorandum of Agreement?
Are cryptographic mechanisms used to protect and restrict access to information on
portable digital media?
Are cryptographic mechanisms used to protect information in storage?
Are cryptographic mechanisms used to protect digital media during transport outside of
controlled areas?
Are the circumstances defined where portable, removable storage devices are required to
be sanitized prior to connection to the system?

1347

Info Protection

C800_53_R3

1348

Info Protection

C800_53_R3

1349

Info Protection

C800_53_R3

1350

Physical Security

C800_53_R3

1351

Physical Security

C800_53_R3

1352

Physical Security

C800_53_R3

1353

Environmental Security C800_53_R3

1354

Environmental Security C800_53_R3

1355

Environmental Security C800_53_R3

1356

Continuity

C800_53_R3

1357

Communication
Protection

C800_53_R3

1358

Organizational

C800_53_R3

1359
1360

Organizational
Organizational

C800_53_R3
C800_53_R3

1361

Organizational

C800_53_R3

1362

Organizational

C800_53_R3

Is system media containing Controlled Unclassified Information (CUI) or other sensitive
information sanitized in accordance with applicable organizational and/or federal
standards and policies?
Is system media containing classified information sanitized in accordance with NSA
standards and policies?
Is system media that cannot be sanitized destroyed?
Is the physical access to the facility containing a system that processes classified
information restricted to authorized personnel with appropriate clearances and access
authorizations?
Is the physical tampering or alteration of hardware components within the system
detected or prevented?
The organization controls physical access to information system distribution and
transmission lines within organizational facilities.
Does the facility undergo fire marshal inspections on a defined frequency, and are
identified deficiencies promptly resolved?
Are automatic temperature and humidity controls used to prevent fluctuations
potentially harmful to the system?
Does temperature and humidity monitoring provide an alarm or notification of changes
potentially harmful to personnel or equipment?
Is the effectiveness of security controls at alternate work sites assessed?
Are system components, associated data communications, and networks protected in
accordance with National emissions and TEMPEST policies and procedures, and the
sensitivity of the information being transmitted?
Is there a security Concept of Operations for the system that contains the purpose of the
system, a description of the system architecture, the security authorization schedule, and
the security categorization and associated factors considered in determining the
categorization?
Is the Conduct of Operations reviewed and updated on a defined frequency?
Is there a functional architecture for the system?
Does the functional architecture define the external interfaces, the information being
exchanged across the interfaces, and the protection mechanisms associated with each
interface?
Does the functional architecture define the user roles and the access privileges assigned
to each role?

1363

Organizational

C800_53_R3

Does the functional architecture define the unique security requirements?
Does the functional architecture define the types of information processed, stored, or
transmitted by the system and any specific protection needs in accordance with
applicable federal laws, executive orders, directives, policies, regulations, standards, and
guidance?
Does the functional architecture define the restoration priority of information or system
services?
Is a privacy impact assessment conducted on the system in accordance with Office of
Management and Budget policy?
Are the results of information security measures of performance monitored and
reported?
Are individuals designated to fulfill specific roles and responsibilities within the
organizational risk management process?
Are information protection needs determined, and are the processes revised as
necessary, until an achievable set is obtained?
Is every user accessing a system processing, storing, or transmitting classified information
cleared and indoctrinated to the highest classification level of the information on the
system?
Is every user accessing a system processing, storing, or transmitting types of classified
information which require formal indoctrination, formally indoctrinated for all the
relevant types of information on the system?
Is access to information with special protection measures granted only to individuals who
have a valid access authorization that is demonstrated by assigned official government
duties and that satisfy associated personnel security criteria?
Is access to classified information with special protection measures granted only to
individuals who have a valid access authorization that is demonstrated by assigned official
government duties?

1364

Organizational

C800_53_R3

1365

Organizational

C800_53_R3

1366

Organizational

C800_53_R3

1367

Info Protection

C800_53_R3

1368

Organizational

C800_53_R3

1369

Info Protection

C800_53_R3

1370

Personnel

C800_53_R3

1371

Personnel

C800_53_R3

1372

Personnel

C800_53_R3

1373

Personnel

C800_53_R3

1374

Personnel

C800_53_R3

Is access to classified information with special protection measures granted only to
individuals that satisfy associated personnel security criteria consistent with applicable
federal laws, executive orders, directives, policies, regulations, standards, and guidance?

1375

Personnel

C800_53_R3

Is access to classified information with special protection measures granted only to
individuals that have read, understand, and signed a nondisclosure agreement?

1376

Monitoring & Malware

C800_53_R3

1377

System and Services
Acquisition

C800_53_R3

1378

System and Services
Acquisition

C800_53_R3

1379

System and Services
Acquisition

C800_53_R3

1380

System and Services
Acquisition

C800_53_R3

1381

System and Services
Acquisition

C800_53_R3

1382

System and Services
Acquisition

C800_53_R3

1383

System and Services
Acquisition

C800_53_R3

1384

1385

1386

Information and
Document
Management
Information and
Document
Management
Information and
Document
Management

Are historic audit logs reviewed to determine if a vulnerability identified in the system has
been previously exploited?
Are software vendors/manufacturers required to demonstrate that their software
development processes employ state-of-the-practice software and security engineering
methods, quality control processes, and validation techniques to minimize flawed or
malformed software?
Is each system component acquired explicitly assigned to a system, and does the owner
of the system acknowledge the assignment?
Are system components required to be delivered in a secure documented configuration,
and is the secure configuration the default configuration for any software reinstalls or
upgrades?
Are only government off-the-shelf or commercial off-the-shelf information assurance (IA)
and IA-enabled information technology products employed that compose an NSA-approved
solution to protect classified information when the networks used to transmit the
information are at a lower classification level than the information being transmitted?
Have these products been evaluated and/or validated by the NSA or in accordance with
NSA-approved procedures?
Is the use of commercially provided information technology products limited to those
products that have been successfully evaluated against a validated U.S. Government
Protection Profile for a specific technology type?
Is it required that the cryptographic module be FIPS-validated if no U.S. Government
Protection Profile exists for a specific technology type but a commercially provided
information technology product relies on cryptographic functionality to enforce its
security policy?

C800_53_R3

Are attempts to obtain system documentation documented when such documentation is
either unavailable or nonexistent?

C800_53_R3

Is the source code for the system protected and made available to authorized personnel?

C800_53_R3

Is the use of binary or machine-executable code from sources with limited or no warranty
prohibited when no accompanying source code is provided?

1387
1388
1389

Information and
Document
Management
System and Services
Acquisition
System and Services
Acquisition

C800_53_R3
C800_53_R3
C800_53_R3

1390

System Protection

C800_53_R3

1391

System Protection

C800_53_R3

1392

System Protection

C800_53_R3

1393

System Protection

C800_53_R3

1394

System Protection

C800_53_R3

1395
1396
1397
1398
1399
1400
1401
1402

Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection

C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3
C800_53_R3

Are exceptions to the source code requirement provided only for compelling
mission/operational requirements when no alternative solutions are available and with
the express written consent of the authorizing official?
Is an organizational assessment of risk conducted prior to the acquisition or outsourcing
of dedicated information security services?
Is the acquisition or outsourcing of dedicated information security services approved by a
senior organizational official?
Is there a defined list of untrusted critical information system components that require
re-implementation?
Are these untrusted information system components re-implemented or custom
developed?
Is user functionality separated from system management functionality?
Is the presentation of system management-related functionality prevented at an interface
for general users?
Are underlying hardware separation mechanisms used to facilitate security function
isolation?
Is the discovery of specific system components (or devices) composing a managed
interface prevented?
Are automated mechanisms used to enforce strict adherence to protocol format?
Are symmetric cryptographic keys using either NIST-approved or NSA-approved key
management technology and processes produced, controlled, and distributed?
Are symmetric and asymmetric cryptographic keys using NSA-approved key management
technology and processes produced, controlled, and distributed?
Are asymmetric cryptographic keys using approved PKI Class 3 certificates or
prepositioned keying material produced, controlled, and distributed?
Are asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and
hardware security tokens that protect the user's private key produced, controlled, and
distributed?

C800_53_R3

Is FIPS-validated cryptography used to protect unclassified information?

C800_53_R3

Is NSA-approved cryptography used to protect classified information?

1403
1404
1405
1406
1407
1408
1409
1410
1411

Communication
Protection
Communication
Protection
Portable/Mobile/Wireless
Portable/Mobile/Wireless
Portable/Mobile/Wireless
Communication
Protection
Communication
Protection
Communication
Protection
Communication
Protection

C800_53_R3
C800_53_R3
C800_53_R3

Is FIPS-validated cryptography used to protect information that must be separated from
individuals who have the necessary clearances but lack the necessary access approvals?
Is either FIPS-validated or NSA-approved cryptography used to implement digital
signatures?
Does the acquisition, development, and/or use of mobile code to be deployed in the
system meet defined mobile code requirements?

C800_53_R3

Is the download and execution of prohibited mobile code prevented?

C800_53_R3

Is the automatic execution of mobile code prevented in defined software applications,
and are defined actions required prior to executing the code?

C800_53_R3

Are session identifiers invalidated upon user logout or other session termination?

C800_53_R3
C800_53_R3
C800_53_R3

1412

Monitoring & Malware

C800_53_R3

1413
1414

Physical Security
Physical Security

C800_53_R3
C800_53_R3

1415

Physical Security

C800_53_R3

1416

Physical Security

C800_53_R3

1417

Physical Security

C800_53_R3

1418

Physical Security

C800_53_R3

1419

Physical Security

C800_53_R3

Is a readily observable logout capability provided whenever authentication is used to gain
access to Web pages?
Is a unique session identifier generated for each session, and are only system-generated
session identifiers recognized?
Are unique session identifiers generated with defined randomness requirements?
Are malicious code protection mechanisms tested on a defined frequency by introducing
a known benign, nonspreading test case into the system and verifying that both detection
of the test case and associated incident reporting occur?
Are the communications traffic/event patterns analyzed for the system?
Are profiles that represent the common traffic patterns and/or events developed?
Are the traffic/event profiles used in tuning the system-monitoring devices to reduce the
number of false positives and negatives to a defined measure?
Is a wireless intrusion detection system used to identify rogue wireless devices and to
detect attack attempts and potential compromises/breaches to the system?
Is an intrusion detection system used to monitor wireless communications traffic as the
traffic passes from wireless to wireline networks?
Is information from monitoring tools correlated to achieve organization-wide situational
awareness?
Are the results from monitoring physical, cyber, and supply chain activities correlated to
achieve integrated situational awareness?

1420

System Integrity

C800_53_R3

1421
1831

Personnel
Access Control

C800_53_R3
C800_53_R4

1832

Access Control

C800_53_R4

1833

Access Control

C800_53_R4

1834

Access Control

C800_53_R4

1835

Access Control

C800_53_R4

1836
1837
1838

Access Control
Access Control
Access Control
Portable/Mobile/Wireless

C800_53_R4
C800_53_R4
C800_53_R4

1839
1840

C800_53_R4

Portable/Mobile/Wireless
C800_53_R4

1844

Portable/Mobile/Wireless
Portable/Mobile/Wireless
Portable/Mobile/Wireless
System Protection

1845

Access Control

C800_53_R4

1846

Access Control

C800_53_R4

1847

Monitoring & Malware

C800_53_R4

1841
1842
1843

C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4

Is the result of security function verification reported to designated organizational
officials with information security responsibilities?
Is an exit interview conducted upon termination of employment?
Does the system allow authorized users to create and maintain security controls?
Does the system allow security attributes to be transmitted between distributed system
components?
Does the system use proven techniques or technology to protect security attributes?
Does the organization have a security attribute re-grading mechanism that has been
validated?
Does the system have authorized personnel to modify the security attributes on objects
or persons?
Does the system maintain security attributes with the information?
Does the system establish permitted security values in security attributes?
Does the system allow permitted security values for each security attribute?
Is the use of unclassified mobile device internal or external modem prohibited in a
classified environment?
Does the organization employ full-device encryption or container encryption to protect
the confidentiality and integrity of information on organization defined mobile devices?
Does the organization disable accounts of users found to be posing significant risk?
Does the organization only permit the use of shared/group accounts that meet
organization-defined conditions for establishing shared/group accounts?
Does the system have the capacity to terminate group account credentials if members
leave the group?
Does the organization detect and protect against data mining?
Does the information system transmit authorizations in a secure manner between
systems?
Does the information system enforce access control and ensure that user identity or
processes from a user are not disclosed based on security levels?
Does the information system implement a reference monitor process that checks access
control permissions and has properties such as being tamperproof, always executing, and
having a small resource footprint?

1848

Access Control

C800_53_R4

1849

Access Control

C800_53_R4

1850

Access Control

C800_53_R4

1851
1852

Communication
Protection
Communication
Protection

C800_53_R4
C800_53_R4

1853

Access Control

C800_53_R4

1854

Access Control

C800_53_R4

1855

Access Control

C800_53_R4

1857
1858
1859
1860
1861
1862
1863
1865
1866

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability

C800_53_R4
C800_53_R4

Does the Discretionary Access Control (DAC) policy allow users to specify and control
sharing by named individuals or groups of individuals, or by both?
Does the Discretionary Access Control (DAC) policy limit propagation of access rights?
Does the Discretionary Access Control (DAC) policy include or exclude access to the
granularity of a single user?
Does the system identify information flows by data type, specification, and usage when
transferring information between different security domains?
Does the system enforce security policies regarding information on interconnected
systems?
Does the system provide separate processing domains to enable finer-grained allocation
of user privileges?
Does the system prevent software from executing at higher privilege levels than the user?
Does the system display, upon successful logon, relevant organization information in
addition to the date and time of the last logon?
Does the system allow for changing the level of auditing to meet organizational
requirements?
Are automated mechanisms used to determine if organizational information has been
disclosed in an unauthorized manner?

C800_53_R4

Does the organization review social networking site information being monitored?

C800_53_R4

Does the organization monitor social networking sites for unauthorized disclosure of
organizational information?

C800_53_R4

Does the organization maintain user identity of cross-organization audit information?

C800_53_R4
C800_53_R4

Does the organization share services with other organizations and coordinate audit
information transmitted across organizational boundaries?
Does the information system contain a secondary authoritative time source located in a
different place than the primary time source?

C800_53_R4

Does the information system back up audit records daily onto a different system?

C800_53_R4

Does the organization enforce dual authorization to change or delete audit information?

1867
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884

Audit and
Accountability
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Configuration
Management
Software

C800_53_R4
C800_53_R4
C800_53_R4

Does the organization authorize read-only access to audit information for administrators?
Is the direct connection of a classified national security system to an external network
prohibited without a boundary protection device?
Does the organization use analysis techniques on continuous monitoring process data and
modify the monitoring based on the results?

C800_53_R4

Does the organization establish target areas for a continuous monitoring program?

C800_53_R4

Does the organization continuously monitor security targets they have established?

C800_53_R4

Does the organization review the security information generated by the continuous
monitoring program?

C800_53_R4

Does the organization have response actions to address results of a security review?

C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4

Does the organization conduct penetration testing on the information system according to
a testing plan and defined frequency?
Does the system perform security compliance checks before establishing an internal
connection?
Does the organization authorize and document interconnections of company-owned
information systems?
Does the organization have cryptographic mechanisms under configuration management?
Does the system prevent the installation of software without verification of digital
signature that is recognized and approved?
Is there a defined list of software programs authorized to execute on the system? Is the
authorization policy a deny-all, permit-by-exception for software allowed to execute on
the system? Is it reviewed at least annually?
Does the organization store component information and send the component owner an
acknowledgment of this assignment?
Does the organization implement a configuration management plan that addresses roles,
responsibilities, and management process and procedures?
Does the organization protect the configuration management plan from unauthorized
disclosure and modification?
Is open source software usage restricted based on company policy?

1885
1886
1887
1888

Software
Software
Software
Software

C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4

Does the organization enforce user software installation?
Does the organization monitor compliance of user installed software?
Does the system monitor and alert when users have installed unauthorized software?
Does the system prohibit users from installing software (e.g., least user privileges)?
Is there a formal, documented contingency planning policy for the information system
that addresses essential missions, business functions, and full system restoration despite
a catastrophic system failure? In addition, does the plan include restoration of security
safeguards, and is the plan reviewed and approved by key personnel?

1889

Continuity

C800_53_R4

1890

Continuity

C800_53_R4

1891

Continuity

C800_53_R4

1892

Continuity

C800_53_R4

1893

Continuity

C800_53_R4

1894

Continuity

C800_53_R4

1895

Continuity

C800_53_R4

1896

Continuity

C800_53_R4

1897

Continuity

C800_53_R4

1898

Continuity

C800_53_R4

1899

Training

C800_53_R4

1900

Training

C800_53_R4

1901

Training

C800_53_R4

Is the information system contingency plan reviewed according to company policy time
period?
Is the information system contingency plan updated when changes occur in the company
or system?
Is the modified information system contingency plan distributed to contingency
personnel?
Is the information system contingency plan protected from unauthorized disclosure and
modification?
Does the organization identify critical information system assets?
Does the organization have a contingency plan for resumption of company business
functions within a company-defined time period?
Does the organization plan for recovery of essential missions and business functions,
reducing loss of operations and sustaining continuity until full system restoration at the
primary site?
Does the organization plan for transfer of essential missions and business functions to an
alternate site with little loss of operational continuity?
Does the organization coordinate its contingency plan with external service providers to
ensure contingency requirements can be satisfied?
Does the organization provide contingency training to system users on their contingency
roles and responsibilities in recovery? Is training also provided when contingency plans
change, and is it completed within a predetermined time allowance?
Does the organization use simulated events in contingency training to facilitate personnel
response?
Does the organization use automated mechanisms to make contingency training more
realistic?

Does the organization test the contingency plan on a company-defined time interval and
frequency to determine the effectiveness of the plan?
Does the organization review the contingency plan test results and make corrective
action changes if needed?
Does the organization coordinate contingency plan testing with groups responsible for
the design?
Does the organization test the continuity plan at the alternate processing site to gain
familiarity and to evaluate capabilities with the site?
Does the alternate site have equipment required to transfer business operations and are
contracts in place to support the transfer within a prescribed time frame?
Does the organization plan and prepare for situations where returning to normal
operations from the primary site is prevented?
Does the organization request Telecommunications Service Priority for all
telecommunication services used for national security emergency preparedness,
especially when primary and secondary providers are the same?

1902

Training

C800_53_R4

1903

Training

C800_53_R4

1904

Training

C800_53_R4

1905

Training

C800_53_R4

1906

Continuity

C800_53_R4

1907

Continuity

C800_53_R4

1908

Communication
Protection

C800_53_R4

1909

Communication
Protection

C800_53_R4

Does the organization test alternate telecommunication services at least annually?

1910

Continuity

C800_53_R4

Does the organization enforce dual authorization for destruction of backup media
containing data?

1911

Continuity

C800_53_R4

Does the organization protect backup and restoration hardware, firmware, and software?

1912

Continuity

C800_53_R4

1913

Continuity

C800_53_R4

1914

Continuity

C800_53_R4

1915

Access Control

C800_53_R4

1916

Access Control

C800_53_R4

1917

Access Control

C800_53_R4

Does the system provide alternate communication protocols in support of maintaining
continuity of operations?
Does the system enter a safe mode with operation restrictions when abnormal conditions
are detected?
Are there alternative security mechanisms available to provide system security when the
primary security functions fail or are compromised?
Is multifactor authentication used for remote access to privileged accounts where one of
the factors is provided by a device separate from the system being accessed?
Does the information system accept and electronically verify Personal Identity
Verification credentials?
Does the organization require user authentication even though a group authenticator is
available?

1918

Access Control

C800_53_R4

1919

Access Control

C800_53_R4

1920

Access Control

C800_53_R4

1921

Account Management

C800_53_R4

1922

Account Management

C800_53_R4

1924
1925

Audit and
Accountability
Access Control
Access Control

1926

Access Control

C800_53_R4

1927

Access Control

C800_53_R4

1928
1929
1930

Access Control
Access Control
Access Control

C800_53_R4
C800_53_R4
C800_53_R4

1931

Access Control

C800_53_R4

1932

Access Control

C800_53_R4

1933

Access Control

C800_53_R4

1934

Access Control

C800_53_R4

1935
1936

Access Control
Access Control

C800_53_R4
C800_53_R4

1937

Access Control

C800_53_R4

1938

Access Control

C800_53_R4

1923

C800_53_R4
C800_53_R4
C800_53_R4

Is multifactor authentication used for network access to privileged accounts where one of
the factors is provided by a device separate from the system being accessed?
Is single sign-on capability available on the system?
Does the organization have a process to ensure that device identification and
authentication based on attestation is handled?
Are user or device identifiers disabled after a time period of inactivity (e.g., 30 days)?
Is the registration process to receive a user authenticator carried out in person before a
designated registration authority and require supervisor authorization?
Does the organization coordinate with external organizations for cross-organization
management of identifiers?
When changes to group accounts occur, are password changes made as well?
Do hardware token-based authentication devices satisfy quality requirements?
Does the registration process require authenticators to be given in person by authorized
personnel?
Does the organization protect authenticators at the same level of security as the
information?
Are external organizations required to coordinate credentials?
Does the system dynamically provision identities (e.g., for smart card binding)?
Does the system prohibit the use of cached authenticators after a specified time?
Does the organization employ an organization-wide methodology for managing the
content of PKI trusted stores installed across all platforms including networks, operating
systems, browsers, and applications?
Does the organization use only FICAM approved path discovery and validation products
and services?
Does the system accept FICAM-approved credentials?
Does the organization employ only FICAM-approved information system components to
accept third-party credentials?
Does the system conform to FICAM-issued profiles?
Does the system accept and verify PIV-I credentials?
Does the organization ensure that service providers receive, validate, and transmit
identification and authentication information?
Does accessing the system under special circumstances still require authentication?

Does the user re-authenticate when circumstances require (e.g., when authenticators or
roles change, after time out)?
Are there incident handling capabilities for insider threats?
Are there coordinated incident handling capabilities for insider threats across the
organization?

1939

Access Control

C800_53_R4

1940

Incident Response

C800_53_R4

1941

Incident Response

C800_53_R4

1942

Incident Response

C800_53_R4

Do external organizations coordinate with and correlate shared incident information to
achieve a cross-organizational incident awareness and effective incident response?

1943

Incident Response

C800_53_R4

Does the organization use dynamic responses when responding to security incidents?

1944

Incident Response

C800_53_R4

1946

Incident Response

C800_53_R4

Does the organization coordinate incident handling activities which involve vendor supply
chain activities with other organizations involved in the supply chain?
Does the organization report security incident information to vendors of the system?

1947

Incident Response

C800_53_R4

Is the incident response plan protected from unauthorized disclosure and modification?

1948

Incident Response

C800_53_R4

Does the organization have a comprehensive plan to respond to information spills?

1949

Incident Response

C800_53_R4

1950

Incident Response

C800_53_R4

1951

Incident Response

C800_53_R4

1952

Incident Response

C800_53_R4

1953

Incident Response

C800_53_R4

1954

Maintenance

C800_53_R4

1955

Maintenance

C800_53_R4

1956

Info Protection

C800_53_R4

1957

Info Protection

C800_53_R4

1958

Info Protection

C800_53_R4

Are there personnel identified and responsible for responding to information spills?
Does the organization provide information spillage response training on a defined
frequency?
Does the organization have procedures that ensure continuity while the information spill
is active and undergoing corrective actions?
Does the organization inform personnel of responsibility associated with exposure to
information spillage?
Does the organization have an integrated team of forensic analysts, tool developers, and
real-time personnel established?
Is predictive maintenance used in your organization?
Does the organization employ automated mechanisms to transfer predictive maintenance
data to a computerized maintenance management system?
Does the organization restrict the use of system media that can't be sanitized?
Does the organization have an erasing process for digital media that is established
according to procedures?
Does the organization document the erase system media process?

1959

Info Protection

C800_53_R4

1960

Info Protection

C800_53_R4

1961

Info Protection

C800_53_R4

1962

Access Control

C800_53_R4

1963

Access Control

C800_53_R4

1964

Access Control

C800_53_R4

1965

Access Control

C800_53_R4

1966

Access Control

C800_53_R4

1967

Physical Security

C800_53_R4

1968

Incident Response

C800_53_R4

1969

Organizational

C800_53_R4

1970

Organizational

C800_53_R4

1971

Organizational

C800_53_R4

1972

Organizational

C800_53_R4

Does the organization regularly test media-erasing equipment and procedures to verify
correct performance?
Does the organization erase information system media containing Controlled Unclassified
Information (CUI) prior to public release in accordance with applicable federal and
organizational standards and policies?
Does the organization erase information system media containing classified information
prior to release to individuals without required access authorizations in accordance with
NSA standards and policies?
Does the organization control physical access to output devices (displays, printers) and
ensure only authorized users receive output from the device?
Do you control physical access and verify identity of the person receiving the output from
the device (e.g., pin or hardware tokens)?
Does the organization mark system output devices with the appropriate security marking
of the information permitted to be output from the device?
Does the organization employ automated mechanisms to recognize classes/types of
intrusions and initiate response actions?
Does the organization employ video surveillance of operational areas and retain video
recordings for a specified time period?
Does the organization employ and maintain fire suppression and detection
devices/systems for the information system that are supported by an independent energy
source?
Does the organization implement an insider threat program that includes a cross-discipline
insider threat incident handling team?
Does the organization establish an information security workforce development and
improvement program?
Does the organization have a process for conducting security testing, training, and
monitoring that is maintained and executed in a timely manner? Are these plans also
reviewed periodically for consistency, according to company policy?
Does the organization maintain contact with selected security groups to facilitate training
on current security practices and to share security-related information?
Does the organization implement a threat awareness program that includes a
cross-organization information-sharing capability?

1973
1974
1975
1976
1977
1978

Personnel
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
System and Services
Acquisition

C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4

1979

System and Services
Acquisition

C800_53_R4

1980

System and Services
Acquisition

C800_53_R4

1981

System and Services
Acquisition

C800_53_R4

1982

System and Services
Acquisition

C800_53_R4

1983
1984
1985
1986

System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
Communication
Protection

C800_53_R4
C800_53_R4
C800_53_R4
C800_53_R4

Does the organization notify terminated individuals of applicable, legally binding
post-employment requirements for the protection of organizational information?
Does the organization update the information system vulnerabilities list when new
vulnerabilities are identified and reported?
Does the system implement privileged access authorization to system components for
selected vulnerability scanning activities?
Does the organization correlate the output from vulnerability scanning tools to determine
the presence of multi-vulnerability/multi-hop attack vectors?
Does the organization employ a technical surveillance countermeasure survey at least
once a year?
Does the organization restrict the location of information processing based on
requirements or conditions?
Does the organization approve, document, and control the use of live data in
development and test environments for the system, system component, or system
service?
Does the organization require the developer of the system to archive the system or
component to be released or delivered together with the corresponding evidence
supporting the final security review?
Does the organization require the developer of the system to provide training on the
correct use and operation of the implemented security functions, controls, and/or
mechanisms?
Does the organization require the developers of the system, system components, or
system services to structure security-relevant hardware, software, and firmware to
facilitate controlling access with least privilege principles?
Does the organization train personnel to detect counterfeit information system
components (including hardware, software, and firmware)?
Does the organization require that developers of the system are trustworthy and are able
to pass a personnel screening test?
Does the organization ensure that steps have been taken to verify the personnel
screening of those who performed work on the system?
Does the organization employ monitoring tools to detect indicators of denial of service
attacks against the information system and monitors system resources to determine if
sufficient resources exist to prevent effective denial-of-service attacks?

1987 | Communication Protection | C800_53_R4 | Does the organization allow execution of permitted mobile code only in confined virtual machine environments?
1988 | Communication Protection | C800_53_R4 | Does the organization remove system information from online storage and store it off-line in a secure location?
1989 | Communication Protection | C800_53_R4 | Does the organization employ realistic, but misleading information in the system with regard to its security state or posture?
1990 | Communication Protection | C800_53_R4 | Does the organization employ techniques to hide or conceal information system components?
1991 | Communication Protection | C800_53_R4 | Does the organization measure the bandwidth of a subset of identified covert channels in the operational environment of the information system?
1992 | Communication Protection | C800_53_R4 | Does the organization distribute processing and storage across multiple physical locations?
1993 | Communication Protection | C800_53_R4 | Does the organization employ polling techniques to identify potential faults, errors, or compromises to distributed processing and storage components?
1994 | Communication Protection | C800_53_R4 | Does the organization employ out-of-band channels for the physical delivery or electronic transmission of information, information system components, or devices to individuals or information systems?
1995 | Communication Protection | C800_53_R4 | Does the information system maintain a separate execution domain for each executing process?
1996 | Communication Protection | C800_53_R4 | Does the information system maintain a separate execution domain for each thread in multi-threaded processing?
1997 | Communication Protection | C800_53_R4 | Does the information system implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters?
1998 | Communication Protection | C800_53_R4 | Does the information system implement cryptographic mechanisms to prevent the identification of wireless transmitters by using the transmitter signal parameters?
1999 | Communication Protection | C800_53_R4 | Does the information system prohibit the remote activation of environmental sensing capabilities except where remote activation of sensors is allowed and provides an explicit indication of sensor use?
2000 | Communication Protection | C800_53_R4 | Does the organization ensure that the system is configured so that data or information collected by the sensors is only reported to authorized individuals or roles?
2001 | Communication Protection | C800_53_R4 | Does the organization use data or information collected only for authorized purposes?
2002 | Communication Protection | C800_53_R4 | Does the organization establish usage restrictions and implementation guidance for system components based on the potential to cause damage to the information system if used maliciously, and does the organization authorize, monitor, and control the use of such components within the information system?
2003 | System Integrity | C800_53_R4 | Does the organization remove software and firmware components after updated versions have been installed?
2004 | System Integrity | C800_53_R4 | Does the information system implement nonsignature-based malicious code detection mechanisms?
2005 | System Integrity | C800_53_R4 | Does the organization implement additional monitoring of individuals who have been identified by sources as posing an increased level of risk?
2006 | System Integrity | C800_53_R4 | Does the organization implement additional monitoring of privileged users?
2007 | System Integrity | C800_53_R4 | Does the system automatically shut down when integrity violations are discovered?
2008 | System Integrity | C800_53_R4 | Does the system verify the integrity of the boot process of devices?
2009 | System Integrity | C800_53_R4 | Does the organization require that user-installed software execute in a confined physical or virtual machine environment with limited privileges?
2010 | System Integrity | C800_53_R4 | Does the organization require that the integrity of user-installed software be verified prior to execution?
2011 | System Integrity | C800_53_R4 | Does the organization allow execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with explicit approval?
2012 | System Integrity | C800_53_R4 | Does the organization prohibit the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code and provide exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official?
2013 | System Integrity | C800_53_R4 | Does the information system implement cryptographic mechanisms to authenticate software or firmware components prior to installation?
2014 | System Integrity | C800_53_R4 | Does the information system implement cryptographic mechanisms to authenticate software or firmware components prior to installation?
2015 | System Integrity | C800_53_R4 | Does the information system implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic?
2016 | System Integrity | C800_53_R4 | Does the organization ensure that input validation errors are reviewed and resolved within a defined time period?

2017 | System Integrity | C800_53_R4 | Does the information system behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received?
2018 | System Integrity | C800_53_R4 | Does the organization account for timing interactions among information system components in determining appropriate responses for invalid inputs?
2019 | System Integrity | C800_53_R4 | Does the organization restrict the use of information inputs to trusted sources and/or formats?
2020 | System Integrity | C800_53_R4 | Does the organization provide real-time failover capability for the system?
2021 | System Integrity | C800_53_R4 | Does the organization implement non-persistent information system components and services?
2022 | System Integrity | C800_53_R4 | Does the information system implement security safeguards to protect its memory from unauthorized code execution?
2025 | Access Control | C800_53_R4 | Does the information system have out-of-band authentication designed for use under abnormal conditions?
2026 | Physical Security | C800_53_R4 | Does the organization employ automatic voltage controls for critical information system components?
2028 | Access Control | C800_53_R4 | Are access privileges to protected information reviewed at least annually to confirm they are correct and that they correspond to the organization's needs and appropriate personnel roles and responsibilities?
2801 | Privacy | C800_53_R4_App_J | Does the organization determine and document the legal authority that permits the collection, use, maintenance, and sharing of PII, in general or in support of a specific program or information system need?
2802 | Privacy | C800_53_R4_App_J | Does the organization document the purpose(s) for which PII is collected, used, maintained, and shared in its privacy notices?
2803 | Privacy | C800_53_R4_App_J | Does the organization appoint a Senior Agency Official for Privacy (SAOP) and a Chief Privacy Officer (CPO) who are accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of PII by programs and information systems?
2804 | Privacy | C800_53_R4_App_J | Does the organization monitor federal privacy laws and policy for changes that affect the privacy program?
2805 | Privacy | C800_53_R4_App_J | Does the organization allocate an appropriate level of funding and resources to implement and operate the organization-wide privacy program?
2806 | Privacy | C800_53_R4_App_J | Does the organization develop a privacy plan for implementing applicable privacy controls, policies, and procedures?

2807 | Privacy | C800_53_R4_App_J | Does the organization develop, disseminate, and implement operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII?
2808 | Privacy | C800_53_R4_App_J | Does the organization update the privacy plan, policies, and procedures according to a company-defined time period or at least biennially?
2809 | Privacy | C800_53_R4_App_J | Does the organization document and implement a privacy risk management process that assesses privacy risk to individuals resulting from collection, sharing, storing, transmitting, use, or disposal of PII?
2810 | Privacy | C800_53_R4_App_J | Does the organization conduct Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures?
2811 | Privacy | C800_53_R4_App_J | Does the organization establish privacy roles, responsibilities, and access requirements for contractors and service providers?
2812 | Privacy | C800_53_R4_App_J | Does the organization include privacy requirements in contracts and other acquisition-related documents?
2813 | Privacy | C800_53_R4_App_J | Does the organization monitor and audit privacy controls and internal privacy policy according to a company-defined time interval to ensure effective implementation?
2814 | Privacy | C800_53_R4_App_J | Does the organization develop, implement, and update comprehensive training and awareness for ensuring personnel understand privacy responsibilities and procedures?
2815 | Privacy | C800_53_R4_App_J | Does the organization administer basic privacy training at least annually and targeted, role-based privacy training for personnel having responsibility for PII or for activities that involve PII, and is this done at least annually?
2816 | Privacy | C800_53_R4_App_J | Does the organization ensure that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements at least annually?
2817 | Privacy | C800_53_R4_App_J | Does the organization develop, distribute, and update reports to OMB, Congress, and other oversight bodies to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance?
2818 | Privacy | C800_53_R4_App_J | Does the organization design information systems to support privacy by automating privacy controls?

2819 | Privacy | C800_53_R4_App_J | Does the organization keep an accurate accounting of disclosures of information held in each system of records under its control that includes the date, nature, and purpose of each disclosure of a record and the name and address of the person or agency to which the disclosure was made?
2820 | Privacy | C800_53_R4_App_J | Does the organization retain the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer?
2821 | Privacy | C800_53_R4_App_J | Does the organization make the accounting of disclosures available to the person named in the record upon request?
2822 | Privacy | C800_53_R4_App_J | Does the organization confirm, upon collection or creation of PII, the accuracy, relevance, timeliness, and completeness of that information?
2823 | Privacy | C800_53_R4_App_J | Does the organization collect PII directly from the individual to the greatest extent practical?
2824 | Privacy | C800_53_R4_App_J | Does the organization check for, and correct as necessary, any inaccurate or outdated PII used by its programs or systems?
2825 | Privacy | C800_53_R4_App_J | Does the organization issue guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information?
2826 | Privacy | C800_53_R4_App_J | Does the organization request that the individual or individual's authorized representative validate PII during the collection process?
2827 | Privacy | C800_53_R4_App_J | Does the organization request that the individual or individual's authorized representative revalidate that PII collected is still accurate according to company policy?
2828 | Privacy | C800_53_R4_App_J | Does the organization document processes to ensure the integrity of PII through existing security controls?
2829 | Privacy | C800_53_R4_App_J | Does the organization establish a Data Integrity Board when appropriate to oversee organizational Computer Matching Agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act?
2830 | Privacy | C800_53_R4_App_J | Does the organization publish Computer Matching Agreements on its public Web site?
2831 | Privacy | C800_53_R4_App_J | Does the organization identify the minimum PII elements that are relevant and necessary to accomplish the legally authorized purpose of collection?
2832 | Privacy | C800_53_R4_App_J | Does the organization limit the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent?

2833 | Privacy | C800_53_R4_App_J | Does the organization conduct an initial evaluation of PII holdings and establish and follow a schedule for regularly reviewing those holdings at least annually to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose?
2834 | Privacy | C800_53_R4_App_J | Does the organization locate and remove or redact specified PII and/or use anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure?
2835 | Privacy | C800_53_R4_App_J | Does the organization retain each collection of PII for a company-defined time period to fulfill the purpose(s) identified in the notice or as required by law?
2836 | Privacy | C800_53_R4_App_J | Does the organization dispose of, destroy, erase, and/or anonymize the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access?
2837 | Privacy | C800_53_R4_App_J | Does the organization use company-defined techniques or methods to ensure secure deletion or destruction of PII (including originals, copies, and archived records)?
2838 | Privacy | C800_53_R4_App_J | Does the organization configure its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule?
2839 | Privacy | C800_53_R4_App_J | Does the organization develop policies and procedures that minimize the use of PII for testing, training, and research?
2840 | Privacy | C800_53_R4_App_J | Does the organization implement controls to protect PII used for testing, training, and research?
2841 | Privacy | C800_53_R4_App_J | Does the organization use techniques to minimize the risk to privacy of using PII for research, testing, or training?
2842 | Privacy | C800_53_R4_App_J | Does the organization provide means for individuals to authorize the collection, use, maintaining, and sharing of PII prior to its collection?
2843 | Privacy | C800_53_R4_App_J | Does the organization provide appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII?
2844 | Privacy | C800_53_R4_App_J | Does the organization obtain consent from individuals prior to any new uses or disclosure of previously collected PII?

2845 | Privacy | C800_53_R4_App_J | Does the organization ensure that individuals are aware of and consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII?
2846 | Privacy | C800_53_R4_App_J | Does the organization implement mechanisms to support itemized or tiered consent for specific uses of data?
2847 | Privacy | C800_53_R4_App_J | Does the organization provide individuals the ability to have access to their PII maintained in its systems of records?
2848 | Privacy | C800_53_R4_App_J | Does the organization publish rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records?
2849 | Privacy | C800_53_R4_App_J | Does the organization publish access procedures in System of Records Notices (SORNs)?
2850 | Privacy | C800_53_R4_App_J | Does the organization adhere to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests?
2851 | Privacy | C800_53_R4_App_J | Does the organization provide a process for individuals to have inaccurate PII maintained by the organization corrected or amended, as appropriate?
2852 | Privacy | C800_53_R4_App_J | Does the organization have an established process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners, and does it notify affected individuals that their information has been corrected or amended?
2853 | Privacy | C800_53_R4_App_J | Does the organization implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices?
2854 | Privacy | C800_53_R4_App_J | Does the organization respond to complaints, concerns, or questions from individuals within the company-defined time period?
2855 | Privacy | C800_53_R4_App_J | Does the organization establish, maintain, and update according to company policy, an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing PII?
2856 | Privacy | C800_53_R4_App_J | Does the organization provide each update of the PII inventory to the CIO or information security official, according to company-defined time intervals, to support the establishment of information security requirements for all new or modified information systems containing PII?
2857 | Privacy | C800_53_R4_App_J | Does the organization develop and implement a Privacy Incident Response Plan?

2858 | Privacy | C800_53_R4_App_J | Does the organization provide an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan?
2859 | Privacy | C800_53_R4_App_J | Does the organization provide effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII; (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary?
2860 | Privacy | C800_53_R4_App_J | Does the organization describe: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected?
2861 | Privacy | C800_53_R4_App_J | Does the organization revise its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or soon after the change?

2862 | Privacy | C800_53_R4_App_J | Does the organization provide real-time and/or a layered notice when it collects PII?
2863 | Privacy | C800_53_R4_App_J | Does the organization publish System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing PII?
2864 | Privacy | C800_53_R4_App_J | Does the organization keep System of Records Notices (SORNs) current?
2865 | Privacy | C800_53_R4_App_J | Does the organization include Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected?
2866 | Privacy | C800_53_R4_App_J | Does the organization publish System of Records Notices (SORNs) on its public website?
2867 | Privacy | C800_53_R4_App_J | Does the organization ensure that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO)?
2868 | Privacy | C800_53_R4_App_J | Does the organization ensure that its privacy practices are publicly available through organizational websites or otherwise?
2869 | Privacy | C800_53_R4_App_J | Does the organization use PII internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices?
2870 | Privacy | C800_53_R4_App_J | Does the organization share PII externally only for the authorized purposes identified in the Privacy Act and/or described in its notices, or for a purpose that is compatible with those purposes?
2871 | Privacy | C800_53_R4_App_J | Does the organization enter into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used?
2872 | Privacy | C800_53_R4_App_J | Does the organization monitor, audit, and train its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII?
2873 | Privacy | C800_53_R4_App_J | Does the organization evaluate any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required?
1422 | Organizational | C800_82 | Is there a cross-functional cybersecurity team consisting of ICS personnel, IT personnel, and system vendors/system integrators that reports to and is accountable to management?
1423 | Organizational | C800_82 | Does the cybersecurity team consist of a member from the IT staff, a control engineer, a control system operator, a security subject matter expert, and a member of management?
1424 | Organizational | C800_82 | Does the cross-functional cybersecurity team include network architecture and design personnel, security processes and practices personnel, and secure infrastructure design and operation personnel?
1425 | Organizational | C800_82 | Does the cybersecurity team have a charter defining the roles, responsibilities, and accountabilities?
1426 | Organizational | C800_82 | Does the cybersecurity team report directly to site management or the company's CIO/CSO, who, in turn, accepts complete responsibility and accountability for the cybersecurity of the system?
1427 | Policies & Procedures General | C800_82 | Is the physical security organization aware of the locations of sensitive equipment?
1428 | Plans | C800_82 | Are interruptions to the recovery process defined and procedures in place to handle them?
1429 | System Protection | C800_82 | Are external incidents reviewed to determine if they are applicable?

1430 | Communication Protection | C800_82 | Are critical networks redundant?
1431 | Training | C800_82 | Does the awareness and training program cover the physical process being controlled?

1432 | Plans | C800_82 | Does the disaster recovery plan include procedures for operating the system in manual mode until secure conditions are restored?
1433 | Plans | C800_82 | Does the disaster recovery plan include a complete and up-to-date logical network diagram?
1434 | Plans | C800_82 | Does the disaster recovery plan include a communication procedure and list of personnel to contact in the case of an emergency?
1435 | Plans | C800_82 | Does the disaster recovery plan include the requirements for the timely replacement of components in the case of an emergency?
1436 | Continuity | C800_82 | Are critical replacements for hard-to-obtain components kept in inventory?
1437 | Plans | C800_82 | Does the contingency plan cover the full range of failures and problems caused by cyber incidents?
1438 | Plans | C800_82 | Are the business continuity and disaster recovery plans closely related to the contingency plans?
1439 | System Integrity | C800_82 | Are the security controls present during system validation testing, and are they still installed and operating correctly in the production system?
1440 | System Integrity | C800_82 | Is the production system free from security compromises, and does it provide information on the nature and extent of compromises, should they occur?
1441 | Monitoring & Malware | C800_82 | Are the system performance metrics sent to appropriate stakeholders?
1442 | Monitoring & Malware | C800_82 | Are system auditing utilities incorporated into new and existing projects?
1443 | Monitoring & Malware | C800_82 | Are auditing utilities tested offline before being deployed on an operational system?
1444 | System Integrity | C800_82 | Is there an active test facility that replicates the existing system to a high degree, and are changes tested on the test system before being deployed on the main system?
1445 | System Integrity | C800_82 | Is the system software regression tested to ensure that it meets the security requirements of the current installation?
1446 | System Integrity | C800_82 | Are the built-in security capabilities of software and components used?
1447 | System Integrity | C800_82 | Are patches applied during planned ICS maintenance cycles?
1448 | System Integrity | C800_82 | Are there procedures to guide patch deployment testing and installation?

1449 | System Integrity | C800_82 | Is OPC updated with patches to handle RPC/DCOM vulnerabilities?
1450 | System Protection | C800_82 | Have single points of failure been evaluated when securing the network, and has a risk assessment been performed to remediate those points found problematic?
1451 | System Protection | C800_82 | Are critical components redundant to prevent single point failures?

1452 | Environmental Security | C800_82 | Are components and systems shielded from RF signals?
1453 | Environmental Security | C800_82 | Are unshielded twisted pair cables prohibited?
1454 | Environmental Security | C800_82 | Are industrial RJ-45 connectors used for twisted pair connectors?
1455 | Environmental Security | C800_82 | Are fiber optic and/or coax cables used to eliminate interference?
1456 | Environmental Security | C800_82 | Are cables and connectors color coded and labeled to prevent cross connections?
1457 | Environmental Security | C800_82 | Are cable runs installed to prevent unintended access?
1458 | Environmental Security | C800_82 | Is equipment installed in locked cabinets with proper ventilation and air filtration?

1459 | Physical Security | C800_82 | Is a ringed layer of defense used for access to the facility?
1460 | Account Management | C800_82 | Does access control take into account the special needs of personnel to access equipment and perform their job duties?
1461 | Access Control | C800_82 | Do passwords avoid predictable sequences of numbers, avoid words found in dictionaries, and meet strength requirements?
1462 | Access Control | C800_82 | Is the password administrator a trusted employee who is available during emergencies, and are copies of passwords stored securely?
1463 | Access Control | C800_82 | Are the privileged user passwords more secure and changed frequently?
1464 | Access Control | C800_82 | Is the authority to change master passwords limited to a trusted employee?
1465 | Access Control | C800_82 | Is a password audit record, especially for master passwords, maintained separately from the system?
1466 | Access Control | C800_82 | Are network device passwords changed on a regular basis?
1467 | Access Control | C800_82 | Are passwords used on system components, and are they implemented so as not to interfere with emergency actions?

1468 | Access Control | C800_82 | Is PIV (Personal Identity Verification) used, and does it conform to the requirements of FIPS 201 and NIST SP 800-73 and employ either cryptographic verification or biometric verification?
1469 | Access Control | C800_82 | Is token-based access control with cryptographic verification used, and does it conform to the requirements of NIST SP 800-78?
1470 | Access Control | C800_82 | Is token-based access control that employs biometric verification used, and does it conform to the requirements of NIST SP 800-76?
1471 | Access Control | C800_82 | Is challenge/response authentication used whenever possible and practical?
1472 | Account Management | C800_82 | Is biometric authentication used where it is most appropriate, and are the issues associated with biometric authentication understood?
1473 | Communication Protection | C800_82 | Is HTTPS used instead of HTTP, and SFTP or SCP instead of FTP, for Web services on control devices?
1474 | Communication Protection | C800_82 | Are inbound FTP and email traffic blocked for control devices?

1475 | Monitoring & Malware | C800_82 | Has the use of antivirus software on devices with real time dependent code been evaluated, and does the vendor support installation of antivirus code?
1476 | Monitoring & Malware | C800_82 | Are malware protection software and definitions reviewed and thoroughly tested?
1477 | Communication Protection | C800_82 | Are data flow controls tested to ensure they do not adversely impact the system?

1478 | Maintenance | C800_82 | Are devices used for programming or maintenance/administrative functions secured in the system environment?
1479 | Portable/Mobile/Wireless | C800_82 | Are laptops, portable engineering workstations, handhelds, and specialized devices secured in the system environment?
1480 | Communication Protection | C800_82 | Are multiple DMZs and intrusion detection systems used that apply different rule-sets to each unique domain being monitored?
1481 | Communication Protection | C800_82 | Are network-based IDS/IPS capabilities deployed between the control network and corporate network with a firewall?
1482 | Communication Protection | C800_82 | Are host-based IDS/IPS capabilities used on appropriate devices?
1483 | Communication Protection | C800_82 | Is control system traffic given priority over any noncontrol system traffic?

1484-1499 | Communication Protection; Monitoring & Malware; Portable/Mobile/Wireless | C800_82
  - Is the system configured so that IT network services give maximum priority to all control system traffic, and has the network been analyzed to ensure control system traffic does not depend on IT network services (e.g., DNS)?
  - Is network traffic protected from protocol analyzers and other utilities that could use the captured information to craft traffic that manipulates system activity?
  - Is a properly configured DMZ or a VPN connection used between the control system and the corporate network?
  - Are security servers (e.g., patch management, antivirus, IDS) placed directly in the DMZ?
  - Are the risks of a DMZ fully understood?
  - Is a DMZ with paired firewalls (from different vendors) deployed between the corporate and control system networks?
  - Is a three-zone system used, with two historians: one on the control system side synchronized with one in the DMZ?
  - Are methods employed for handling packets that are undefined, poorly defined, or contain unexpected field values?
  - Are passwords and device configurations protected when transmitted across media that are susceptible to eavesdropping?
  - Is the use of vulnerability scanners prohibited, or are they used only on test systems or on redundant systems that are not sensitive to the scan?
  - Are network protocol integrity checks built in, or provided by other techniques, for control system traffic?
  - Are Faraday cages or other devices used to limit the wireless signal footprint as required?
  - Are wireless users authenticated using IEEE 802.1X, with certificates or a RADIUS server?
  - Are wireless services located on a dedicated and isolated server with minimal connections to the system network?
  - Are wireless access points configured with a unique service set identifier (SSID), SSID broadcast disabled, and MAC filtering enabled?
  - (Microsoft Windows networks) Are wireless devices placed in a separate organizational unit (OU) of the Windows domain?

1500-1516 | Portable/Mobile/Wireless; Communication Protection | C800_82
  - Is encryption performed at OSI Layer 2 (data link layer) to reduce latency?
  - Are hardware accelerators used for encryption to reduce latency?
  - Are DNS requests out of the control network prohibited, and are DNS requests from the control network to the DMZ reviewed and approved?
  - Is HTTP prevented from crossing network boundaries?
  - Do HTTP proxies block all inbound scripts and Java applications?
  - Is HTTPS implemented where HTTP is required?
  - Are all TFTP sessions blocked?
  - Is FTP used only when it is authenticated with a multifactor passcode and carried in an encrypted tunnel?
  - Are secure FTP (SFTP) and secure copy (SCP) employed whenever possible?
  - Is telnet prohibited, or used only inbound from the corporate network with a token-based multifactor password and an encrypted tunnel?
  - Are outbound telnet sessions allowed only over encrypted tunnels to specific devices?
  - Is SMTP used only for outbound alert messages, and never for inbound mail?
  - Is SNMP v1 or v2 used only over a secured management network, or is SNMP v3 used with its built-in security features?
  - Is the DCOM protocol used only between the control network and the DMZ, and is it explicitly blocked between the DMZ and the corporate network?
  - Are DCOM port ranges restricted by registry modifications on devices that use DCOM?
  - Are Modbus/TCP, EtherNet/IP, and DNP3 used only within the control network and explicitly not allowed on the corporate network?
  - Is the use of NAT carefully reviewed before deployment?

1517-1532 | Communication Protection | C800_82
  - Are multicast protocols with IGMP used when multiple LANs are in use?
  - Are "loss of communications" and the appropriate fail-safe process defined?
  - Is the appropriate fail-safe process executed upon loss of communications?
  - Is MAC address locking implemented to prevent man-in-the-middle attacks?
  - Are static ARP tables configured on devices that support them?
  - Is the system monitored for ARP poisoning (i.e., corruption of host ARP tables)?
  - Are VLANs effectively deployed, with each automation cell assigned to a single VLAN to limit unnecessary traffic, while allowing devices on the same VLAN to span multiple switches?
  - Are VLANs configured to prevent VLAN hopping?
  - Are modems used in callback mode?
  - Are modems physically identified so that control room operators can monitor them?
  - Are modems disconnected when not in use, and is there a timeout after a fixed period of inactivity?
  - Do mesh networks use broadcast-key rather than public-key management, implemented at OSI Layer 2 (data link)?
  - Is asymmetric cryptography used for administrative functions, with symmetric encryption securing each data stream as well as the network control traffic?
  - Is an adaptive routing protocol used if the devices are used for wireless mobility?
  - Is the convergence time of the network as fast as possible, so that the network recovers rapidly from a failure or power loss?
  - Are VPN devices thoroughly tested to verify that the technology is compatible with the applications in use?
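The three ARP items above (MAC address locking, static ARP tables, monitoring for ARP poisoning) are usually answered with a switch feature such as dynamic ARP inspection, but a host can also watch its own cache. The script below is an added example, not part of the CSET instrument or of NIST SP 800-82: it parses periodic ARP cache snapshots (the Linux `arp -an` output format is assumed) against a baseline taken from the statically configured entries, and alerts when a pinned address resolves to a different MAC or when one MAC answers for several addresses. The addresses, baseline and snapshots are constructed for the demo.

```python
"""Detect ARP cache poisoning from periodic ARP table snapshots.

Added example; not part of the CSET instrument or NIST SP 800-82. It assumes a
host that periodically captures its ARP cache (Linux `arp -an` output format is
assumed) and a baseline IP->MAC table recorded from the statically configured
entries for critical devices. All addresses below are constructed.
"""
import re
from collections import defaultdict

# Linux `arp -an` line: ? (10.10.1.1) at 00:11:22:33:44:01 [ether] on eth0
ARP_LINE = re.compile(
    r"\((?P<ip>\d+(?:\.\d+){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed baseline: gateway and historian, as pinned with static ARP entries.
BASELINE = {"10.10.1.1": "00:11:22:33:44:01", "10.10.1.20": "00:11:22:33:44:20"}

SNAPSHOT_CLEAN = """\
? (10.10.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.10.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (10.10.1.50) at 00:11:22:33:44:50 [ether] on eth0
"""
# Host .50 now answers for the gateway and the historian: man-in-the-middle poisoning.
SNAPSHOT_POISONED = """\
? (10.10.1.1) at 00:11:22:33:44:50 [ether] on eth0
? (10.10.1.20) at 00:11:22:33:44:50 [ether] on eth0
? (10.10.1.50) at 00:11:22:33:44:50 [ether] on eth0
"""


def parse_arp_snapshot(text):
    """Return {ip: mac} from one `arp -an` snapshot; incomplete entries have no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def detect_arp_poisoning(baseline, snapshots):
    """Compare time-ordered snapshots ({ip: mac} dicts) against the static baseline.

    Returns a list of (kind, detail) alerts.
    """
    alerts = []
    previous = {}
    for idx, table in enumerate(snapshots):
        # 1. A statically pinned address resolving elsewhere is the gateway-impersonation signature.
        for ip, mac in baseline.items():
            seen = table.get(ip)
            if seen is not None and seen != mac:
                alerts.append(("baseline_mismatch",
                               f"snapshot {idx}: {ip} resolves to {seen}, static entry says {mac}"))
        # 2. One MAC answering for several IPs is how an attacker sits between two hosts.
        by_mac = defaultdict(set)
        for ip, mac in table.items():
            by_mac[mac].add(ip)
        for mac, ips in sorted(by_mac.items()):
            if len(ips) > 1:
                alerts.append(("mac_claims_multiple_ips",
                               f"snapshot {idx}: {mac} answers for {sorted(ips)}"))
        # 3. Any other address changing MAC between consecutive snapshots is rare on a control LAN.
        for ip, mac in table.items():
            if ip not in baseline and ip in previous and previous[ip] != mac:
                alerts.append(("mac_changed", f"snapshot {idx}: {ip} moved from {previous[ip]} to {mac}"))
        previous = table
    return alerts


def run_demo():
    snapshots = [parse_arp_snapshot(SNAPSHOT_CLEAN), parse_arp_snapshot(SNAPSHOT_POISONED)]
    return detect_arp_poisoning(BASELINE, snapshots)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(kind, detail)
```

A host-side check of this kind only sees what reaches its own cache; static entries and MAC locking on the switch prevent the poisoning in the first place, and switch-based inspection sees every segment, so treat this as a complement to, not a substitute for, those controls.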

1533-1535, 1537-1549 | Communication Protection; Firewall | C800_82
  - Are VPN devices tested to ensure they do not unacceptably affect network traffic?
  - Are firewalls deployed between the control system and the corporate network?
  - Do the firewalls allow only the minimum connections to the corporate network, so that the control system network can be severed from the corporate network during a serious cyber incident?
  - Are sophisticated security implementations used between the control system and corporate networks?
  - Is a firewall used in front of a router to implement logical network separation from the corporate network?
  - Are outbound packets from the control network or DMZ allowed only if they carry a correct source IP address, i.e., one assigned to a control network or DMZ device?
  - Are control network devices prohibited from accessing the Internet?
  - Is there a DMZ with paired firewalls, and are the firewalls from different manufacturers?
  - Have communication delays been thoroughly analyzed and accounted for in the control system firewall implementation?
  - Are firewall operations monitored to ensure the firewall is performing its data collection tasks, and are the firewalls monitored in real time for rapid response to cyber incidents?
  - Have all firewall implementation issues been thoroughly considered, such as lack of experience in rule-set design and the configuration management issues associated with rule-set updates and deletions?
  - Do the firewall rules provide source and destination filtering in addition to TCP and UDP port filtering and ICMP type and code filtering?
  - Are all "permit" rules both IP address and TCP/UDP port specific, and stateful (e.g., with deep packet inspection) where appropriate?
  - Do all rules restrict traffic to a specific IP address or range of addresses?
  - Is any protocol allowed between the control network and the DMZ explicitly prohibited between the DMZ and the corporate network (and vice versa)?
  - Is all outbound traffic from the control network to the corporate network restricted by source and destination address and by service and port?
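Several of the firewall items above are mechanically checkable against an exported rule set: an explicit final deny, address- and port-specific permit rules, egress anti-spoofing on the control and DMZ zones, no control-to-Internet path, and no service permitted across both the control/DMZ and DMZ/corporate boundaries. The audit below is an added example, not part of the CSET instrument. The rule dictionaries, zone names and address ranges are an assumed simplified representation (evaluated top-down, first match wins), not any vendor's syntax, and the sample rule set is constructed with deliberate violations.

```python
"""Audit an exported firewall rule set against the control/DMZ/corporate boundary items above.

Added example; not part of the CSET instrument. Rules are an assumed simplified
abstraction (one dict per rule, evaluated top-down, first match wins), and the
zone address ranges below are constructed for the demo.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed zone assignments (assumed): which prefixes legitimately originate in each zone.
ZONES = {
    "control":   [ipaddress.ip_network("10.10.0.0/16")],
    "dmz":       [ipaddress.ip_network("10.20.0.0/24")],
    "corporate": [ipaddress.ip_network("172.16.0.0/12")],
    "internet":  [ANY],
}

# Constructed rule set with deliberate violations, in evaluation order.
RULES = [
    dict(action="permit", frm="control",   to="dmz",       src="10.10.5.0/24",   dst="10.20.0.10/32", proto="tcp", dport=1433),
    dict(action="permit", frm="dmz",       to="corporate", src="10.20.0.10/32",  dst="172.16.1.0/24", proto="tcp", dport=1433),
    dict(action="permit", frm="control",   to="dmz",       src="192.168.9.0/24", dst="10.20.0.20/32", proto="tcp", dport=443),
    dict(action="permit", frm="corporate", to="control",   src="0.0.0.0/0",      dst="10.10.5.7/32",  proto="tcp", dport="any"),
    dict(action="permit", frm="control",   to="internet",  src="10.10.5.9/32",   dst="0.0.0.0/0",     proto="tcp", dport=80),
    dict(action="deny",   frm="any",       to="any",       src="0.0.0.0/0",      dst="0.0.0.0/0",     proto="any", dport="any"),
]


def _net(text):
    return ipaddress.ip_network(text)


def _in_zone(net, zone):
    """True if every address in `net` belongs to the prefixes assigned to `zone`."""
    return any(net.subnet_of(prefix) for prefix in ZONES[zone])


def audit(rules):
    """Return (rule_index_or_None, message) findings; an empty list means the set passes these checks."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last["action"] != "deny" or _net(last["src"]) != ANY or _net(last["dst"]) != ANY:
        findings.append((None, "no explicit deny-all as the final rule"))
    crossings = {}  # (proto, dport) -> set of boundaries on which it is permitted
    for i, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        src, dst = _net(rule["src"]), _net(rule["dst"])
        # Every permit must name specific addresses and, for TCP/UDP, a specific port.
        if src == ANY or dst == ANY:
            findings.append((i, "permit rule is not specific to source and destination addresses"))
        if rule["proto"] in ("tcp", "udp") and rule["dport"] == "any":
            findings.append((i, "permit rule does not restrict the destination port"))
        # Egress anti-spoofing: traffic leaving control or DMZ must carry an address from that zone.
        if rule["frm"] in ("control", "dmz") and not _in_zone(src, rule["frm"]):
            findings.append((i, f"source {src} is not assigned to the {rule['frm']} zone (egress anti-spoofing)"))
        if rule["frm"] == "control" and rule["to"] == "internet":
            findings.append((i, "control network device permitted to reach the Internet"))
        crossings.setdefault((rule["proto"], rule["dport"]), set()).add(frozenset((rule["frm"], rule["to"])))
    # A service allowed control<->DMZ must be blocked DMZ<->corporate, so the DMZ is a real break.
    for (proto, port), boundaries in crossings.items():
        if {frozenset(("control", "dmz")), frozenset(("dmz", "corporate"))} <= boundaries:
            findings.append((None, f"{proto}/{port} is permitted on both the control-DMZ and DMZ-corporate boundaries"))
    return findings


if __name__ == "__main__":
    for index, message in audit(RULES):
        print(f"rule {index}: {message}" if index is not None else message)
```

The checks that need the vendor's semantics (whether a permit is actually stateful, whether an earlier rule shadows a later one, what "deep inspection" covers for a given application) are deliberately left out; those are answered from the device configuration, not from an address/port abstraction.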

1550 | Firewall | C800_82 | Is all firewall management traffic carried either on a separate, secured management network or over an encrypted network with multifactor authentication?
1551 | Firewall | C800_82 | Is firewall management traffic restricted by IP address to specific management stations?

1552-1558 | Firewall | C800_82
  - Are firewalls implemented to enforce security policy based on secure authentication of all users or processes seeking access to the ICS network?
  - Do firewalls enforce destination authorization based on the user?
  - Do firewalls record information flows for traffic monitoring, analysis, and intrusion detection?
  - Are firewalls used to implement operational policies, such as prohibition of email and the permitted use of easy-to-remember usernames and group passwords?
  - Is a stateful firewall implemented between the control system network and the corporate network, configured to deny all traffic except that which is explicitly authorized?
  - Do firewalls inspect packets at the application layer and filter traffic based on application-specific rules?
  - Are firewalls implemented to block all communications except specifically enabled communications between devices on the unprotected LAN and the protected control system networks?
1559 | Access Control | C800_82 | Are other cryptographic solutions, such as cryptographic hashes, considered in place of storing encrypted user passwords and authentication tokens?
1560-1563 | Communication Protection | C800_82
  - Is encryption at OSI Layer 2 (data link) considered or implemented rather than at Layer 3 (network) to reduce latency?
  - Are record size increases caused by encryption considered before deployment?
  - Are key management issues considered before deployment of encryption?
  - Are passwords encrypted in transit?
1564 | Audit and Accountability | C800_82 | Are the security auditors aware of the risks and consequences involved in testing the control system?
1565 | Remote Access Control | C800_82 | Are users accessing the control network from remote networks required to authenticate using an appropriately strong mechanism, such as token-based authentication?

1566 | Remote Access Control | C800_82 | Are users required to authenticate a second time at the control network firewall using a strong mechanism, such as a token-based multifactor authentication scheme?
1567 | Communication Protection | C800_82 | Is noncontrol network traffic kept to the absolute minimum on the ICS network?
1568 | Training | C800_82 | Is feedback from the security awareness training used in revising the security plan?
1569 | Communication Protection | C800_82 | Is encryption used for device-to-device communication?
1570 | Policies & Procedures General | Cfats | Are there documented and distributed cybersecurity policies, procedures, or plans?
1571 | Policies & Procedures General | Cfats | Are there documented and distributed change management policies, procedures, or plans?
1572 | Account Management | Cfats | Is the sharing of accounts prohibited?
1573 | Account Management | Cfats | Are IT management, systems administration, and IT security duties divided among three different individuals?
1574 | Monitoring & Malware | Cfats | Are networks monitored in near real time for unauthorized access or the introduction of malicious code?
1575 | Audit and Accountability | Cfats | Are logs reviewed on a daily basis?
1576 | Audit and Accountability | Cfats | Are alerts responded to in a timely manner?
1577 | Incident Response | Cfats | Is the cyber incident response capability available 24 × 7 × 365?
1578 | Safety Instrumented System (SIS) | Cfats | Are the safety instrumented systems (SIS) in the facility configured so that they have no unsecured remote access and cannot be compromised through direct connections to the systems managing the processes they monitor?
1579 | Configuration Management | Cfats | Is there a cohesive set of network/system architecture diagrams and other documentation, including nodes, interfaces, and information flows?
1580 | Audit and Accountability | Cfats | Are audits conducted at periodic intervals to determine whether the security objectives, measures, processes, and procedures conform to the identified information security requirements?
1581 | Audit and Accountability | Cfats | Are audits conducted at periodic intervals to determine whether the security objectives, measures, processes, and procedures are effectively implemented and maintained?
1582 | Audit and Accountability | Cfats | Are audits conducted at periodic intervals to determine whether the security objectives, measures, processes, and procedures perform as expected?
1583 | Audit and Accountability | Cfats | Are system audit records reviewed and analyzed at a defined frequency, and are findings reported to officials?
1586-1594, 1596-1603 | Account Management; Management Practices; Securing the Component; Securing Content; Logging; System Protection; Password | Components
  - Are accounts locked after a defined number of failed login attempts?
  - Are administrative default accounts (Administrator or root) renamed?
  - Are all sample applications, toolkits, SDKs, and unused virtual directories removed?
  - Are all unused accounts, groups, and sites (e.g., Guest, Guests) removed?
  - Are code reviews performed by a change committee and/or peer group to ensure there are no security or performance issues?
  - Are events such as failed login attempts and failed file system actions logged?
  - Are host-based intrusion detection systems (IDSs) used to alert administrators of anomalies?
  - Are default passwords changed?
  - Are portable media (CD-ROM drives, DVDs, floppy drives, USB devices) disabled or limited to use by system administrators only?
  - Are system administrators automatically notified of potential security threats (e.g., failed login attempts, failed file system activity, and malformed URL requests)?
  - Are test and development servers located on a different network segment from the production servers?
  - Are the OS and the server application located in separate logical or physical partitions?
  - Are user and administrator account permissions based on least-privilege principles?
  - Do application errors return a generic message rather than a detailed error?
  - Are logs archived securely on another host for offline analysis?
  - Does corporate policy support and enforce strong administrator and user passwords?
  - Does frequent and regular manual and/or automated security testing occur?
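The logging and notification items above (lockout after repeated failed logins, logging of failed logins, automatic notification of administrators about failed logins and malformed URL requests) can be exercised against real log data rather than answered from policy. The script below is an added example, not part of the CSET instrument: it reads sshd-style authentication lines and web server combined-log lines, locks an account that exceeds an assumed threshold within an assumed window, flags a source that fails against several accounts, and flags path traversal and similar malformed URLs. The thresholds and the log lines are constructed for the demo.

```python
"""Turn logged host events into operator alerts: lockout, password spraying, malformed URLs.

Added example; not part of the CSET instrument. The log lines are constructed
to resemble syslog sshd entries and a web server combined log; the thresholds
are assumed policy values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                    # failed logins per account ...
LOCKOUT_WINDOW = timedelta(minutes=10)   # ... within this window
SPRAY_ACCOUNTS = 3                       # one source failing against this many accounts

AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
WEB_REQ = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Things a legitimate HMI or historian client never puts in a URL path.
MALFORMED_URL = re.compile(r"(\.\./|%2e%2e|%00|\x00|<script|/etc/passwd)", re.I)

# Constructed sample: a brute force plus spray from 10.10.7.3, one benign failure, two web requests.
SAMPLE_LOG = """\
2016-06-01T08:00:01 hmi01 sshd[2201]: Failed password for operator from 10.10.7.3 port 51001 ssh2
2016-06-01T08:00:04 hmi01 sshd[2201]: Failed password for operator from 10.10.7.3 port 51002 ssh2
2016-06-01T08:00:07 hmi01 sshd[2201]: Failed password for operator from 10.10.7.3 port 51003 ssh2
2016-06-01T08:00:09 hmi01 sshd[2201]: Failed password for operator from 10.10.7.3 port 51004 ssh2
2016-06-01T08:00:12 hmi01 sshd[2201]: Failed password for operator from 10.10.7.3 port 51005 ssh2
2016-06-01T08:00:15 hmi01 sshd[2201]: Failed password for invalid user admin from 10.10.7.3 port 51006 ssh2
2016-06-01T08:00:18 hmi01 sshd[2201]: Failed password for root from 10.10.7.3 port 51007 ssh2
2016-06-01T08:30:00 hmi01 sshd[2290]: Failed password for engineer from 10.10.7.8 port 52000 ssh2
10.10.7.3 - - [01/Jun/2016:08:01:00 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0
10.10.7.9 - - [01/Jun/2016:08:01:05 +0000] "GET /trend?tag=FIC101 HTTP/1.1" 200 512
"""


def analyse(lines):
    """Return (lockouts, alerts). lockouts maps account -> time the threshold was hit."""
    fails = defaultdict(list)    # account -> timestamps of recent failures
    sources = defaultdict(set)   # source IP -> accounts it failed against
    lockouts, alerts = {}, []
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            ts, user, src = datetime.fromisoformat(m["ts"]), m["user"], m["src"]
            # Keep only failures inside the window, then add this one.
            fails[user] = [t for t in fails[user] if ts - t <= LOCKOUT_WINDOW] + [ts]
            sources[src].add(user)
            if len(fails[user]) >= LOCKOUT_THRESHOLD and user not in lockouts:
                lockouts[user] = ts
                alerts.append(("lockout", user, src))
            continue
        m = WEB_REQ.match(line)
        if m and MALFORMED_URL.search(m["path"]):
            alerts.append(("malformed_url", m["src"], m["path"]))
    # One source trying many accounts is password spraying, even if no single account locks.
    for src, users in sources.items():
        if len(users) >= SPRAY_ACCOUNTS:
            alerts.append(("spray", src, sorted(users)))
    return lockouts, alerts


def run_demo():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    lockouts, alerts = run_demo()
    print("locked:", sorted(lockouts))
    for alert in alerts:
        print(*alert)
```

On a control network the lockout itself needs care: an attacker who can trigger lockouts on operator accounts has a denial-of-service lever, so the threshold and the unlock procedure should be chosen with the HMI's availability requirement in mind, and the spraying alert matters more than the individual lockout.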

1604 | Password | Components | Does the company have and enforce a policy for changing user and administrator passwords at a regular interval?
1605 | Policies & Procedures General | Components | Does the company have and enforce a policy for locking out inactive user sessions?
1606 | Policies & Procedures General | Components | Does the company have and enforce a policy for periodically applying security patches?
1607-1615 | Firewall; User Authentication; Securing Content; Policies & Procedures General; Management Practices | Components
  - Does the firewall rule set include a whitelist of approved users (e.g., IP address restrictions), with all others refused?
  - Does the firewall support Denial of Service (DoS) protection?
  - Does the system use an authentication mechanism such as Active Directory, LDAP, or a Kerberos server?
  - Have third-party code and applications been reviewed and approved by an authorized manager or committee?
  - Have all folder/file shares been reviewed and removed if not needed for critical processing?
  - Have default ports been reviewed and modified to restrict noncritical traffic?
  - Have open ports been reviewed and closed if they do not support critical business communications?
  - Have web servers not designed for confidential information been audited to ensure that business-sensitive or personal information is not stored on them?
  - Is an access banner displayed on computers, giving notice that unauthorized use of the equipment may result in disciplinary action?

1616 | Policies & Procedures General | Components | Is anti-malware software installed, running, and updated according to corporate policy?
1617 | Securing Content | Components | Is delivery of business-sensitive or personal information restricted to HTTPS only?
1618 | Physical Access | Components | Are critical servers (domain controllers, application servers, PBX, video management systems) physically secured from unauthorized access (i.e., located in a locked room)?
1619 | Remote Access Control | Components | Is remote access restricted to secure means only (such as AD-secured access, SSH, or 802.1X), with insecure methods such as VNC or telnet prohibited?
1620 | Remote Access Control | Components | Is remote access restricted by user and by access list and, where possible, by remote client?
1621 | Securing Content | Components | Is sensitive content isolated from other content?
1622 | Password | Components | Is password reuse prohibited?
1623 | Securing the System | Components | Does the device synchronize its system time to an accurate and reliable clock?

1624-1645 | Securing Content; Management Practices; Securing the Component; Account Management; Access Control; Boundary Protection; Firewall; User Authentication; Encryption; Communication Protection | Components
  - Are ad hoc queries disabled on production systems?
  - Are all sample databases, toolkits, and SDKs removed?
  - Are all services and processes not required by the application turned off (for example, FTP, POP3, SMTP, and VNC)?
  - Are all unused accounts, groups, and databases (e.g., Guest, Guests) removed?
  - Are application developers given only the rights needed to develop applications, and not full administrative permissions?
  - Are audits for potential security and permission violations performed on a regular basis, as defined by corporate policy?
  - Are database backups stored securely (e.g., password protected and/or encrypted)?
  - Are database communications secured (e.g., via SSL/TLS)?
  - Are individual users denied Data Definition Language (DDL) permissions?
  - Are nonessential and unused administrative stored procedures, such as those for email or a command shell, disabled?
  - Are public-facing servers placed in a DMZ, i.e., behind a firewall, with an additional firewall between the DMZ and any systems on the internal network?
  - Are stored procedure permissions granted to roles only (not to individual users)?
  - Are the OS, database, and logs located in separate logical or physical partitions?
  - Are unused linked servers disabled?
  - Are passwords or other sensitive server information removed from scheduled jobs, scripts, or queries (particularly those stored in plain text)?
  - Have database ports been set to nonstandard values (e.g., not 1433, 1521, or 3306)?
  - Have default accounts such as Guest or Public been denied object permissions?
  - Is authentication performed via secure means only (SSL/TLS or SSH)?
  - Is the database hosted on a dedicated server, i.e., are file, print, or web server capabilities hosted on separate physical or virtual servers?
  - Are components or services that use clear text turned off or uninstalled?
  - Are private VLANs (protected ports) used to secure sensitive communication over public or unsecured circuits?
  - Are users required to take security training before accessing the system?
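One database item above asks whether passwords and other sensitive server information have been removed from scheduled jobs, scripts, and saved queries; that is a question a scanner answers better than an interview. The scanner below is an added example, not part of the CSET instrument: it matches the usual ways database credentials appear in cron jobs, batch files and connection strings, ignores values that resolve at run time (environment variables, %VAR%, command substitution), and reports a masked value so the report itself does not leak the secret. The sample scripts are constructed; a real run would walk the cron, Task Scheduler and job-agent directories.

```python
"""Find plain-text credentials in scheduled jobs, scripts and saved queries.

Added example; not part of the CSET instrument. The patterns cover the common
ways database credentials end up in cron jobs, batch files and connection
strings; the sample scripts are constructed for the demo.
"""
import re

CREDENTIAL_PATTERNS = [
    ("connection-string", re.compile(r"(?i)\b(?:password|pwd)\s*=\s*(?P<secret>[^;\s'\"]+)")),
    ("url-userinfo",      re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s]+)@")),
    ("mysql -p",          re.compile(r"(?<!\S)mysql(?:dump)?\b[^\n]*?\s-p(?P<secret>[^\s$]+)")),
    ("sqlcmd -P",         re.compile(r"(?<!\S)sqlcmd\b[^\n]*?\s-P\s*(?P<secret>[^\s$]+)")),
    ("env-assignment",    re.compile(r"^\s*(?:export\s+)?[A-Z_]*(?:PASSWORD|PASSWD|SECRET)[A-Z_]*\s*=\s*['\"]?(?P<secret>[^'\"\s]+)")),
]
# Values that resolve at run time are not literals: $VAR, ${VAR}, $(cmd), %VAR%, <file, @param
INDIRECT = re.compile(r"^(?:\$\{?[A-Za-z_]|\$\(|%[A-Za-z_]+%|<|@)")

# Constructed sample jobs; names, hosts and credentials are invented for the demo.
SAMPLES = {
    "backup_hist.sh": """\
#!/bin/sh
# nightly historian dump
export PGPASSWORD=hunter2
pg_dump -h 10.10.1.20 -U hist historian > /backup/hist.sql
mysqldump -u reports -pR3ports! reports > /backup/reports.sql
""",
    "sync_batch.cmd": """\
sqlcmd -S 10.20.0.10 -U svc_sync -P %SYNC_PW% -i sync.sql
sqlcmd -S 10.20.0.10 -U svc_sync -P Summer2016 -i sync2.sql
""",
    "etl.py": """\
import os
DSN = "Driver={SQL Server};Server=10.20.0.10;Uid=etl;Pwd=etl123;"
SAFE = "postgresql://etl:" + os.environ["ETL_PW"] + "@10.10.1.20/historian"
URL = "postgresql://etl:etl123@10.10.1.20/historian"
""",
}


def mask(secret):
    """Keep one character so two findings of the same value can be correlated without exposing it."""
    return secret[:1] + "*" * (len(secret) - 1)


def scan(name, text):
    """Return (file, line_no, kind, masked_secret) for each hard-coded credential in one script."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            for m in pattern.finditer(line):
                secret = m["secret"]
                if not INDIRECT.match(secret):
                    findings.append((name, n, kind, mask(secret)))
    return findings


def scan_all(samples):
    return [f for name, text in samples.items() for f in scan(name, text)]


if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(*finding)
```

The patterns are tuned toward false positives (a bare `-p` followed by a database name will be reported) because every hit is reviewed by a person; the fix for a true hit is to move the value into the job agent's credential store or an environment variable set from a protected file, which the INDIRECT check then accepts.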

1646-1666 | System Protection; Policies & Procedures General; Securing the Component; Securing Content; Encryption; Management Practices; Boundary Protection; Portable/Mobile/Wireless | Components
  - Do you employ an Intrusion Prevention System (IPS)?
  - Does the company have and enforce a policy for backing up critical software and data?
  - Is a robust Uninterruptible Power Supply (UPS) used to minimize the impact of a power loss?
  - Is access to internal web sites restricted to HTTPS?
  - Are data communications to and from the node encrypted?
  - Does system access require two-factor authentication?
  - Are all personal firewalls (those hosted on workstations and laptops) centrally administered?
  - Are loose and strict source routing blocked and logged?
  - Does the company have and enforce a policy for backing up firewall configurations?
  - Does the company have and enforce a policy for locking out inactive administrator sessions?
  - Have the egress firewall rules for outbound traffic from the control network been reviewed and implemented?
  - Have rule sets been reviewed for appropriate order?
  - Have state tables been reviewed?
  - Is all incoming and outgoing ICMP traffic denied except where specifically permitted by your organization?
  - Is direct external traffic (traffic from the Internet) to critical servers blocked by default?
  - Is traffic to your e-mail server allowed only via a specific protocol and port?
  - Are annual audits performed to ensure that wireless devices have not been lost or stolen?
  - Are device backups encrypted?
  - Are devices labeled with the company name, address, and phone number in case a device is lost?
  - Are handheld devices stored in a secure location when not in use?
  - Are IR and Bluetooth capabilities disabled?
1667 | Portable/Mobile/Wireless | Components | Are personal firewalls installed on handheld devices?
1668 | Physical Access | Components | Are there physical access controls within buildings?
1669 | Management Practices | Components | Are users prohibited from storing sensitive information on handheld devices?
1670 | Portable/Mobile/Wireless | Components | Do handheld devices have a power-on PIN code or password?
1671 | Policies & Procedures General | Components | Does the company have and enforce a policy for disposing of devices, including clearing permanent storage such as hard drives so that the data cannot be recovered?
1672 | Management Practices | Components | Does the company have and enforce a policy for performing periodic inventory checks?
1673 | Management Practices | Components | Does the organization keep a list of authorized device users?
1674 | Management Practices | Components | Does training include how to safely store devices when not in use?
1675 | Management Practices | Components | Does training include proper password selection?
1676 | Management Practices | Components | Does training include the approved uses for company devices?
1677 | Management Practices | Components | Does training include the type of information that the devices may store?
1678 | Management Practices | Components | Does training include the type of programs that can be installed?
1679 | Securing the Component | Components | Have the default "out-of-the-box" security settings been reviewed and modified?
1680 | Portable/Mobile/Wireless | Components | Is antivirus software installed on handheld wireless devices?
1681 | Portable/Mobile/Wireless | Components | Is business-sensitive information stored on a handheld device encrypted?
1682 | Securing the Component | Components | Is desktop application-mirroring software password protected?
1683 | Management Practices | Components | Is there a disciplinary process that is enforced if a user misuses a device, and are users made aware of this process during their security training?

1684 | Management Practices | Components | Is there a process to report lost or stolen devices, and are users made aware of this process during their security training?
1685 | Management Practices | Components | Is wireless security training required of users before they are issued a company handheld wireless device?
1686 | Securing the System | Components | Are events logged and alerts issued if attack signatures are detected?
1687 | Securing the System | Components | Are events logged and alerts issued if common attack profiles are detected?
1688 | Securing the System | Components | Are events logged and alerts issued if protocol anomalies are detected?
1689 | Securing the System | Components | Are events logged and alerts issued if TCP and UDP port scans are detected?
1690 | Securing the System | Components | Do administration, log transfers, and system updates to and from the device use secure protocols such as HTTPS, SSH, SFTP, and SNMPv3, and are all unsecured clear-text communications disabled?
1691 | Logging | Components | Does logging include, but is not limited to, critical host file changes, unauthorized and authorized client connection activity, and ad hoc network creation?
1692-1699 | Securing the System | Components
  - Does the IDS include anomaly-based detection capabilities?
  - Does the IDS include host-based intrusion detection (HIDS) capabilities?
  - Does the IDS include network intrusion detection (NIDS) capabilities?
  - Does the IDS include rootkit detection and mitigation?
  - Does the IDS include signature-based detection capabilities?
  - Does the IDS include stack-based detection (SIDS) capabilities?
  - Does the IDS include the ability to stop or mitigate known attack types?
  - Does the IDS issue timely alerts if system anomalies occur?
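The port-scan item above is a requirement on the IDS; the detector below shows what "detect a TCP/UDP port scan" means operationally and can be run against firewall deny logs to check whether the deployed IDS would have alerted on the same traffic. It is an added example, not part of the CSET instrument or of any IDS product: it keeps a sliding window per source and flags a vertical scan (many ports on one host) and a horizontal sweep (one port across many hosts). The record format, the thresholds and the traffic sample are assumed.

```python
"""Flag TCP/UDP port scans in connection records.

Added example; not part of the CSET instrument or any IDS product. Records are
(timestamp_seconds, src, dst, proto, dport) tuples in time order, as would be
extracted from firewall deny logs; thresholds and the traffic below are assumed.
"""
from collections import defaultdict, deque

VERTICAL_PORTS = 15     # distinct ports probed on one host by one source ...
HORIZONTAL_HOSTS = 10   # ... or one port probed on this many hosts
WINDOW = 60             # seconds


def detect_port_scans(records):
    """Return (kind, src, detail) alerts, at most one per source and target per kind."""
    vertical = defaultdict(deque)    # (src, dst) -> deque of (ts, (proto, dport))
    horizontal = defaultdict(deque)  # (src, proto, dport) -> deque of (ts, dst)
    alerted = set()
    alerts = []
    for ts, src, dst, proto, dport in records:
        # Vertical: how many distinct ports has this source touched on this host lately?
        v = vertical[(src, dst)]
        v.append((ts, (proto, dport)))
        while ts - v[0][0] > WINDOW:
            v.popleft()
        ports = {p for _, p in v}
        if len(ports) >= VERTICAL_PORTS and ("v", src, dst) not in alerted:
            alerted.add(("v", src, dst))
            alerts.append(("vertical_scan", src, f"{len(ports)} ports on {dst} within {WINDOW}s"))
        # Horizontal: how many distinct hosts has this source touched on this port lately?
        h = horizontal[(src, proto, dport)]
        h.append((ts, dst))
        while ts - h[0][0] > WINDOW:
            h.popleft()
        hosts = {d for _, d in h}
        if len(hosts) >= HORIZONTAL_HOSTS and ("h", src, proto, dport) not in alerted:
            alerted.add(("h", src, proto, dport))
            alerts.append(("horizontal_scan", src, f"{proto}/{dport} on {len(hosts)} hosts within {WINDOW}s"))
    return alerts


def constructed_records():
    """Constructed traffic: one scanner plus a benign HMI polling its PLCs."""
    recs = []
    for i in range(20):   # vertical: ports 1-20 on the historian in 20 seconds
        recs.append((100 + i, "10.10.7.3", "10.10.1.20", "tcp", 1 + i))
    for i in range(12):   # horizontal: Modbus/TCP 502 across twelve PLCs
        recs.append((200 + i, "10.10.7.3", f"10.10.2.{10 + i}", "tcp", 502))
    for i in range(30):   # benign: an HMI polls three PLCs on 502 repeatedly
        recs.append((300 + i, "10.10.1.5", f"10.10.2.{10 + i % 3}", "tcp", 502))
    return recs


if __name__ == "__main__":
    for alert in detect_port_scans(constructed_records()):
        print(*alert)
```

The thresholds trade false positives (a vulnerability scanner, an OPC client that enumerates its servers) against slow scans that stretch past the window; tune them against the network's normal polling pattern, and remember that a scanner that probes below the threshold per window is exactly the case the stateful-firewall and deny-logging items are meant to catch.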

1700 | Securing the System | Components | Does the IDS monitor its own health and performance and issue alerts if there are problems?
1701 | Securing the System | Components | Does the wireless network include wireless intrusion detection system (WIDS) capabilities?
1702-1708 | Securing the System | Components
  - Does the IPS include anomaly-based prevention capabilities?
  - Does the IPS include host-based intrusion prevention (HIPS) capabilities?
  - Does the IPS include network behavior analysis (NBA) capabilities?
  - Does the IPS include network intrusion prevention (NIPS) capabilities?
  - Does the IPS include rootkit prevention and mitigation?
  - Does the IPS include signature-based prevention capabilities?
  - Does the IPS include the ability to stop or mitigate known attack types?
1709 | Securing the System | Components | Does the IPS monitor its own health and performance and issue alerts if there are problems?
1710 | Securing the System | Components | Does the IPS provide timely alerts if system anomalies occur?
1711 | Securing the System | Components | Does the wireless network include wireless intrusion prevention system (WIPS) capabilities?
1712 | Management Practices | Components | Are all login accounts except "root" removed?
1713-1716 | Encryption | Components
  - Are cryptographic keys changed periodically?
  - Are cryptographic keys distributed according to recognized standards?
  - Are cryptographic keys generated in accordance with a specified algorithm and key size, using recognized standards?
  - Are cryptographic keys managed according to recognized standards?
1717 | Securing the Component | Components | Are file transfers disabled?

1718 | Management Practices | Components | Does the company have and enforce a remote access policy that is verified through assessments?
1720 | Encryption | Components | Has the link encryption been confirmed to meet company or external security standards?
1721 | Securing the Component | Components | Is only confirmed trustworthy software allowed to execute?
1722 | Remote Access Control | Components | Is remote command execution disabled?
1723 | Remote Access Control | Components | Is remote login disabled?
1724 | Logging | Components | Are all incoming connections logged?
1725 | Management Practices | Components | Are modems configured based on a corporate policy?
1726 | Remote Access Control | Components | Are modems, DSL, or other network backdoor access points for third-party vendors or partners disabled when not needed?
1727 | Remote Access Control | Components | Are remote dial-in access numbers periodically changed?
1728 | Remote Access Control | Components | Is a different range of phone numbers used for the office than for the IDS modem pool?
1729 | Management Practices | Components | Does the login screen display banner information according to corporate security policies?
1730 | Remote Access Control | Components | Is a telecom firewall implemented?
1731 | Remote Access Control | Components | Is auto-answer disabled on modems when not needed?
1732 | Logging | Components | Is the callback option enabled?
1733 | Remote Access Control | Components | Are modems kept unattached from servers of any type?

1734-1751 | Securing Content; Encryption; Securing the Component; Communication Protection; Access Control; Physical Access; Firewall; Management | Components
  - Is data removed from the printer's disk or memory after a print operation?
  - Are network printer communications encrypted?
  - Are network printers, other than those required for continuous control system operations, locked after a period of user inactivity?
  - Are network protocols that are not being used turned off?
  - Are printer hard drives encrypted?
  - Are sensitive communications to the network printer protected via a trusted communication path? (Note: this also includes FAX ports on multifunction printers, which should be restricted to FAX-related activities only.)
  - Has a job timeout been set?
  - Have access control lists been implemented?
  - Have Internet print capabilities (e.g., IPP or FTP) been turned off?
  - Has Denial of Service (DoS) protection been implemented?
  - If the capability exists, has a PIN system been implemented for print authorization?
  - If the printer has a hard drive, is remote access to the drive disabled?
  - Is access to internal printer hardware restricted?
  - Is the network printer capable of automatic restart after a service discontinuity, and is the capability enabled?
  - On a print error, is the disk or memory dumped?
  - Are ports 80 and 443 (HTTP and HTTPS, respectively) closed?
  - Are optical ring communications encrypted?
  - Are access rules added, modified, and deleted as business needs change?

1752 | Logging | Components | Are authentication and administrative events, including enabling and disabling logging, recorded?
1754 | Policies & Procedures General | Components | Are firmware patches reviewed and applied in a timely fashion as defined by the corporate security policy?
1755 | Securing the Router | Components | Are IP directed broadcasts disallowed?
1756 | Securing the Router | Components | Are local user accounts disabled on the router?
1757 | Securing the Router | Components | Are TCP and UDP small services disallowed?
1758 | Securing the Router | Components | Are incoming packets sourced from invalid addresses disallowed on the device?
1753 | Securing the Router | Components | Do routers use an authentication service (e.g., TACACS+, Kerberos, LDAP) for all user authentications?
1759 | Securing the Component | Components | If SNMP is not used, are SNMP community strings erased and the service disabled?
1760 | Securing the Component | Components | Is IP source routing disallowed?
1761 | Securing the Router | Components | Is remote access to routers restricted to SSH (e.g., no Telnet)?
1762 | Password | Components | Is the enable password on the device stored in a secure, hashed or encrypted format?
1763 | Safety Instrumented System (SIS) | Components | Does the Safety Instrumented System (SIS) have its own inputs and actuators, separate from the industrial control system (ICS)?
1764 | Safety Instrumented System (SIS) | Components | Has a hazard and operability study to determine the Safety Integrity Level (SIL) been performed?
1765 | Safety Instrumented System (SIS) | Components | Has a review been conducted to ensure that all components are designed to the determined Safety Integrity Level (SIL)?
1766 | Safety Instrumented System (SIS) | Components | Is the SIS isolated from the process control network?

1767 | Remote Access Control | Components | Are terminal servers NOT installed on any type of domain controller?
1768 | Remote Access Control | Components | Has an approved application list (e.g., a whitelist) been established and implemented?
1769 | Management | Components | Is a single terminal server devoted to each shared application?
1770 | Encryption | Components | Is communication between clients and the terminal server encrypted?
1771 | Remote Access Control | Components | Is the terminal server remote control feature disabled?
1772 | Securing the Component | Components | Is the unidirectional device employed certified to a rigorous and reliable standard, for example to CC EAL +7?

1773 | Communication Protection | Components | Are local user accounts disabled on the VLAN router?
1774 | Securing the Component | Components | Are MAC address security features implemented?
1775 | Communication Protection | Components | Has a dedicated VLAN ID been assigned for all trunk ports?
1776 | Securing the Component | Components | Has auto-trunking been disabled?
1777 | Communication Protection | Components | Has Cisco Discovery Protocol (CDP) been disabled?
1778 | Securing the Component | Components | Has Spanning Tree Protocol (STP) attack mitigation been implemented?
1779 | Communication Protection | Components | Have Address Resolution Protocol (ARP) security issues been mitigated?
1780 | Communication Protection | Components | Have all disabled ports been put in an unused VLAN?
1781 | Securing the Component | Components | Have all unused ports been disabled?
1782 | Securing the Component | Components | Have dynamic trunk (virtual trunk) features been disabled?
1783 | Communication Protection | Components | Have switch ports been isolated so that no traffic from other ports can be delivered to an isolated or private VLAN port?
1784 | Communication Protection | Components | Is VLAN 1 NOT used for anything?
1785 | Communication Protection | Components | Is VLAN Trunking Protocol (VTP) used?
1786 | Access Control | Components | Are common user accounts given limited privileges on company-owned computers?
1787 | Securing the Component | Components | Are email clients configured to prevent automatic loading of remote email images, limit mobile code execution, default messages to plain text, disable automatic previewing, and enable spam filtering?
1788 | Securing the Component | Components | Are Instant Messaging (IM) clients configured so that display of email addresses is suppressed and file transfers are restricted?
1789 | Securing the Component | Components | Are office productivity suites configured so that macro use is restricted, personal information is limited, and secured folders are used to store document files?
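The router items 1753, 1755, 1757-1762 and the switch items 1776-1780, 1784 and 1785 above are all statements about a device's running configuration, so they can be checked mechanically rather than by interview. The following Python is an added example, not part of the CSET instrument: it parses a Cisco IOS-style configuration and reports which checklist items fail. The regular expressions, the question-id tag on each rule, and both sample configurations are constructed for illustration and are not a vendor hardening baseline; a real audit would feed it `show running-config` output and extend the rule table.

```python
"""Added example (not from the CSET question set): lint a Cisco IOS-style
running-config against the router items 1753, 1755, 1757-1762 and the switch
items 1776-1780, 1784, 1785. Rules, id tags and both sample configs are
illustrative assumptions, not a vendor hardening baseline."""
import re
from collections import namedtuple

# Constructed sample with deliberate weaknesses so the audit has findings.
SAMPLE_CONFIG = """\
enable password cisco123
aaa new-model
ip source-route
snmp-server community public RO
vtp mode server
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
interface GigabitEthernet0/3
 switchport trunk native vlan 1
 switchport mode trunk
interface GigabitEthernet0/4
 shutdown
 switchport access vlan 1
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample of the same device with each finding corrected.
HARDENED_CONFIG = """\
enable secret REDACTED
aaa new-model
no ip source-route
no cdp run
vtp mode transparent
spanning-tree portfast bpduguard default
ip arp inspection vlan 10,20
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
line vty 0 4
 transport input ssh
"""

Finding = namedtuple("Finding", "item scope detail")  # item = checklist question id
# (question id, regex anchored at line start, whether a match is REQUIRED, finding text)
GLOBAL_RULES = [
    (1762, r"enable secret ", True, "no enable secret; enable password is weakly stored"),
    (1753, r"aaa new-model$", True, "AAA not enabled; no central authentication service"),
    (1757, r"service (tcp|udp)-small-servers$", False, "TCP/UDP small servers enabled"),
    (1760, r"ip source-route$", False, "IP source routing enabled"),
    (1759, r"snmp-server community ", False, "SNMP community string configured"),
    (1777, r"no cdp run$", True, "CDP not disabled globally"),
    (1785, r"vtp mode (transparent|off)$", True, "VTP not set to transparent/off"),
    (1778, r"spanning-tree portfast bpduguard default$", True, "BPDU guard not on by default"),
    (1779, r"ip arp inspection vlan ", True, "Dynamic ARP Inspection not enabled"),
]

def parse_blocks(config):  # -> (global_lines, {"interface X" / "line vty ...": [sub-lines]})
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        current = line if line.startswith(("interface ", "line vty")) else None
        if current is None:
            global_lines.append(line)
        else:
            blocks[current] = []
    return global_lines, blocks

def audit_ios_config(config):
    """Return a list of Finding; an empty list means every rule passed."""
    g, blocks = parse_blocks(config)
    f = []
    for item, pat, required, detail in GLOBAL_RULES:
        # re.match anchors at line start, so "no ip source-route" never matches "ip source-route"
        if any(re.match(pat, l) for l in g) != required:
            f.append(Finding(item, "global", detail))
    for name, lines in blocks.items():
        s = set(lines)
        if name.startswith("line vty"):
            tr = [l for l in lines if l.startswith("transport input")]
            if not tr or any(t != "transport input ssh" for t in tr):
                f.append(Finding(1761, name, "VTY accepts a transport other than SSH"))
            continue
        if any(l.startswith("ip address ") for l in lines) and not any(l.startswith("ip verify unicast") for l in lines):
            f.append(Finding(1758, name, "no uRPF check; spoofed source addresses accepted"))
        if "ip directed-broadcast" in s:
            f.append(Finding(1755, name, "IP directed broadcasts enabled"))
        if "switchport access vlan 1" in s or "switchport trunk native vlan 1" in s:
            f.append(Finding(1784, name, "VLAN 1 in use"))
        if any(l.startswith(("switchport mode trunk", "switchport mode dynamic")) for l in lines) and "switchport nonegotiate" not in s:
            f.append(Finding(1776, name, "DTP/auto-trunking not disabled"))
        if "shutdown" in s and "switchport access vlan 1" in s:
            f.append(Finding(1780, name, "disabled port left in VLAN 1 instead of an unused VLAN"))
    return f
```

`audit_ios_config(SAMPLE_CONFIG)` returns fourteen findings (VLAN 1 is reported once per offending interface); `audit_ios_config(HARDENED_CONFIG)` returns none. Items 1756 and 1773 (local accounts) are deliberately absent from the rule table: a local fallback account behind `aaa authentication ... local` is usually wanted, so that question needs a judgement about which accounts exist rather than a pattern match.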

1790 | Securing Content | Components | Are only company-owned PCs used for telework or remote access?
1791 | Policies & Procedures General | Components | Are personal computer firewalls enabled and configured according to company policy?
1792 | Policies & Procedures General | Components | Are remote access users required to re-authenticate their credentials as stipulated by the corporate security policy?
1793 | Remote Access Control | Components | Are remote sessions disconnected after 30 minutes of inactivity?
1794 | Securing the Component | Components | Are unneeded networking features disabled?
1795 | Password | Components | Are user accounts protected with passwords?
1796 | Physical Access | Components | Are user sessions protected from unauthorized physical access?
1797 | Policies & Procedures General | Components | Are web browsers used for telework configured to restrict cookies, block pop-ups, enable anti-phishing, remove unneeded browser plug-ins, set a master password to protect stored information, and run programs with the least privileges possible?
1798 | Policies & Procedures General | Components | Before disposing of a telework client device or remote access server, does the organization remove any sensitive data from it?
1799 | Management Practices | Components | Does the organization regularly perform operational processes to maintain telework and remote access security, including deploying updates, verifying clock synchronization, reconfiguring access control as needed, and detecting and documenting anomalies within the remote access infrastructure?
1805 | Policies & Procedures General | Components | Is a different brand of Web browser used for telework?
1806 | Securing Content | Components | Is disk storage encrypted on the telework devices?
1807 | Policies & Procedures General | Components | Is remote access software configured according to the company's security policies?
1808 | Policies & Procedures General | Components | Is the use of remote access utilities stipulated and enforced based on the corporate security policy?
1800 | Portable/Mobile/Wireless | Components | Is wireless networking configured to automatically connect to available networks?
1801 | Management | Components | Is workstation content filtering software installed and enabled?
1802 | Securing Content | Components | Are any folders given both execute and write permissions?
1803 | Securing Content | Components | Are CGI execute permissions restricted to only those folders that require them?
1804 | Access Control | Components | Are read/write permissions denied to files and folders that do not require these permissions?

1809 | Management | Components | Are the Operating System (OS) and applications, data and database, and logs loaded on separate logical or physical partitions?
1810 | Securing the Component | Components | If there is no file extension, does the system return a 404 error?
1811 | Policies & Procedures General | Components | Is read/write ability restricted to only those services and processes that require this access?
1812 | Remote Access Control | Components | Is remote user access restricted, e.g., no remote root login, a restricted remote access list, and where possible a restricted remote client?
1813 | User Authentication | Components | Is Web-based authentication via SSL or TLS only?
1814 | Securing Content | Components | Are "dual connected" devices, such as computers that have both wireless and hardwired connectivity, prohibited?
1815 | Communication Protection | Components | Is Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES) used with a minimum key length of 128 bits to secure wireless routers?
1816 | Management Practices | Components | Are there standardized security configurations for client devices and access points?
1817 | Management Practices | Components | Does the company have and enforce a policy for performing security assessments of the organization's wireless network on a regular basis?
1818 | Securing Content | Components | For those "dual connected" devices that are approved, have software-based controls been installed that permit either wireless or wired network access, but not both simultaneously?
1819 | Securing Content | Components | For those devices that are not approved for wireless access, has the BIOS been configured so that wireless connections are automatically terminated when a wired connection is detected?
1820 | Portable/Mobile/Wireless | Components | Has the default SSID wireless router name been changed?
1821 | Portable/Mobile/Wireless | Components | Has the Service Set Identifier (SSID) broadcast been disabled on the wireless router?
1822 | Communication Protection | Components | Is Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Protected Extensible Authentication Protocol (PEAP), or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) used as the authentication protocol?
1823 | Securing Content | Components | Is interference between wireless access deployments avoided?
1824 | Management Practices | Components | Is the wireless network installed, supported, and maintained by an approved support team?
1825 | Securing Content | Components | Is there a separate wireless network for visitors to use?
1826 | Securing Content | Components | Is wireless access based on a list of hardware addresses (MAC addresses) that can be registered and tracked?
1827 | Management Practices | Components | Is wireless security configuration implementation and maintenance standardized, automated, and centralized?

3443 | Account Management | Components | Are Active Directory domains used to restrict or allow user or group permissions?
3444 | Account Management | Components | Do you use Active Directory to enforce authentication policies (e.g., password complexity, lockout on failed attempts, password expiration)?
3445 | Remote Access Control | Components | Have you audited and eliminated backdoor remote access connections?
3446 | Account Management | Components | Have Active Directory DNS administrators groups been set up to manage DNS?
3447 | Account Management | Components | Are the DNS administrators groups and users placed into a designated Organizational Unit (OU) with appropriate Group Policy applied?
3448 | Boundary Protection | Components | Is the DNS server co-located with the AD server (i.e., not across a WAN or slow-speed link)?
3449 | Account Management | Components | Are Active Directory permissions configured to be compatible ONLY with the version of Windows used?
3451 | Password | Components | Are robust passwords (e.g., length, complexity) used to access administrator accounts?
3452 | Account Management | Components | Have domain administrators (members of the Domain Admins group and the built-in Administrator account) been limited to a small, controlled group?
3455 | Management Practices | Components | Is the Active Directory SYSKEY stored externally (e.g., USB, CD) rather than on the local hard drive?
3456 | Management Practices | Components | Is there a backup domain controller available if the primary domain controller fails?
3457 | Boundary Protection | Components | Have separate Active Directory domains been created to separate security or administrative functions (e.g., separate domains for corporate and ICS networks)?
3458 | Account Management | Components | Have all default user and computer objects been moved into OUs with the correct permissions?
3459 | Management Practices | Components | Have you implemented an Active Directory policy to log changes to security configurations and failed attempts to access system resources?

3460 | System and Communications Protection | Components | Has the network traffic for Group Policy Object (GPO) refresh, password changes, and time synchronization been evaluated for network loading?
3461 | Recover | Components | Is there a current Active Directory object map to perform an authoritative restore in case an object is maliciously deleted?
3462 | Password | Components | Has the Directory Services Restore Mode (DSRM) password been set utilizing robust passwords (e.g., length, complexity)?
3463 | System Integrity | Components | Are you using a DNS server?
3467 | Boundary Protection | Components | Are system components (IP cameras, PBX, domain controllers, servers, modems, switches, routers, etc.) protected from external networks by a firewall?
3468 | Password | Components | Have default user names and passwords for system components (IP cameras, PBX, domain controllers, servers, modems, switches, routers, etc.) been changed utilizing robust passwords (e.g., length, complexity)?
3469 | System and Communications Protection | Components | Is security camera traffic properly secured when routed over an unsecured network (e.g., the Internet)?
3470 | Audit and Accountability | Components | Is video storage protected from power interruptions?
3471 | Audit and Accountability | Components | Are IP cameras included in the system component audit?
3473 | Access Control | Components | Do you have any access agreements (formal or informal) for third-party access to your telephone (PBX) system?
3475 | Configuration Management | Components | Is port security used on the VoIP network, particularly on publicly accessible jacks?
3476 | Communication Protection | Components | Are IP phones and the PBX secured behind a VoIP-ready firewall?
3478 | System and Communications Protection | Components | Are voicemail messages and unified communications physically secure from unauthorized access (e.g., located in a locked room with limited access)?
3480 | Audit and Accountability | Components | Are VoIP handsets included in system audits?
3481 | System and Communications Protection | Components | Is voice and data traffic separated?

3482 | Remote Access Control | Components | Are VPN tunnels used to secure remote access connections outside of the facility?
3483 | Encryption | Components | Does your VoIP system encrypt phone calls?
3484 | System Integrity | Components | Do you deploy patches for your VoIP equipment, including firmware updates on the handsets themselves?
3485 | Physical Access | Components | Are critical network components (modems, switches, routers, firewalls) physically secure from unauthorized access (e.g., located in a locked room)?
3486 | Password | Components | Have default user names and passwords for administration been changed utilizing robust password guidelines (e.g., length, complexity)?
3487 | Encryption | Components | Has WPA2 been implemented as the encryption type?
3488 | Configuration Management | Components | Has the default SSID been changed?
3489 | Configuration Management | Components | Has MAC address filtering been enabled?
3490 | Configuration Management | Components | Has SSID broadcasting been disabled according to company policy?
3491 | System Integrity | Components | Do you have procedures in place for patch deployment, including firmware updates?
3841 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies?
3842 | System and Services Acquisition | DODI_8510 | Does the organization use independence criteria to verify that an independent assessor has implemented a correct assessment plan and collected related assessment evidence?
3843 | System and Services Acquisition | DODI_8510 | Does the organization require the developers of the system, system components, or system services to test software against organizationally defined criteria?
3844 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to perform attack surface reviews?
3845 | System and Services Acquisition | DODI_8510 | Does the organization require the system developer to verify that the security testing scope provides complete coverage and depth?
3846 | System and Services Acquisition | DODI_8510 | Does the organization conduct an assessment of the system prior to selection, acceptance, or update?
3847 | System and Services Acquisition | DODI_8510 | Does the organization use all-source intelligence analysis of suppliers of the system, system component, or system service?

3848 | System and Services Acquisition | DODI_8510 | Does the organization use Operations Security (OPSEC) safeguards to protect supply chain-related information for the system, components, or services?
3849 | System and Services Acquisition | DODI_8510 | Does the organization implement security safeguards to validate that the system or component is genuine?
3850 | System and Services Acquisition | DODI_8510 | Does the organization establish agreements and procedures with supply chain organizations that provide systems, components, or services?
3851 | System and Services Acquisition | DODI_8510 | Does the organization employ security safeguards to ensure an adequate supply of system components?
3852 | System and Services Acquisition | DODI_8510 | Does the organization establish identification of supply chain elements, processes, and actors for the system, components, or services?
3853 | System and Services Acquisition | DODI_8510 | Does the organization create a process to fix deficiencies in supply chain elements that have been identified during an assessment?
3854 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the information system, component, or service to define quality metrics at the beginning of the development process?
3855 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system, component, or service to validate quality metrics on a defined frequency or upon delivery?
3856 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to select and deploy a security tracking tool for use during development?
3857 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to perform criticality analysis in the system development life cycle?
3858 | System and Services Acquisition | DODI_8510 | Do developers perform threat modeling and vulnerability analysis for the system using organizational parameters, tools, methods, and evidence?
3859 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to reduce attack surfaces to company-defined thresholds?
3860 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to implement an explicit process to continuously improve the development process?
3861 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to perform automated vulnerability analysis, determine exploitation potential, determine potential risk mitigations, and deliver the results to company-defined roles?
3862 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to use threat modeling and vulnerability analyses from similar systems as guidance for the current development process?
3863 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to provide an incident response plan?

3864 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to produce a formal security policy model and prove that it is internally consistent and sufficient to enforce the defined policy elements when implemented?
3865 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to define the security-relevant elements and provide a rationale that the definition is complete?
3866 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to produce a formal top-level specification of the security-relevant interfaces to the system and provide proof that it is consistent with the formal policy model?
3867 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to demonstrate that the formal top-level specification completely covers the security-relevant interfaces and is an accurate description of them?
3868 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to describe the security-relevant elements not addressed in the formal top-level specification (i.e., internal security-relevant elements)?
3869 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to produce informal (descriptive) specifications for the security-relevant interfaces to the system and show that they are consistent with the formal policy model?
3870 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to demonstrate that the descriptive top-level specification completely covers the security-relevant interfaces and is an accurate description of them?
3871 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to describe the security-relevant elements not addressed in the descriptive top-level specification?
3872 | System and Services Acquisition | DODI_8510 | Does the organization require the developer of the system to structure security-relevant hardware, software, and firmware around simple protection mechanisms with fine configuration granularity?
3873 | System and Services Acquisition | DODI_8510 | Does the organization require the developers of the system to structure security-relevant elements to facilitate testing?
3874 | System and Services Acquisition | DODI_8510 | Does the organization implement a tamper protection program for the system?
3875 | System and Services Acquisition | DODI_8510 | Does the organization employ anti-tamper technologies and techniques throughout the system development life cycle?
3876 | System and Services Acquisition | DODI_8510 | Does the organization inspect systems, components, or devices, regularly or at random, in order to detect tampering?

3877 | System and Services Acquisition | DODI_8510 | Does the organization have an anti-counterfeit policy and procedure, and is it effective at preventing counterfeit components from entering the system?
3878 | System and Services Acquisition | DODI_8510 | Is justification provided for continued use of an unsupported component in the system?
3879 | System and Communications Protection | DODI_8510 | Does the system audit the identity of internal users associated with denied communications?
3880 | System and Communications Protection | DODI_8510 | Does the organization prevent unauthorized physical connections across the boundary protections?
3881 | System and Communications Protection | DODI_8510 | Does the system route all remote accesses through a managed interface for access control and auditing?
3882 | System and Communications Protection | DODI_8510 | If the boundary protection device fails, does the system fail in a secure mode?
3883 | System and Communications Protection | DODI_8510 | Does the system block both inbound and outbound traffic between communication clients that are independently configured by end users and external service providers?
3884 | System and Communications Protection | DODI_8510 | Does the system isolate or segregate organization-defined system components from other components of the system as needed?
3885 | System and Communications Protection | DODI_8510 | Does the organization use boundary protection mechanisms to separate system components?
3886 | System and Communications Protection | DODI_8510 | Does the system obscure feedback of protocol format validation failures?
3887 | System and Communications Protection | DODI_8510 | Does the system employ techniques to randomize or conceal communication patterns unless the communications are otherwise protected by physical mechanisms?
3888 | System and Communications Protection | DODI_8510 | Does the system provide a trusted communication path that is identifiable from other paths?

3889 | System and Communications Protection | DODI_8510 | Are systems configured to prohibit remote activation of collaborative computing (e.g., IM, video conferencing), and is there an indication of use to the local user?
3890 | System and Communications Protection | DODI_8510 | Does the system identify who is present in all VTC and IP-based online meetings?
3891 | System and Communications Protection | DODI_8510 | Does the system prevent the download and execution of unacceptable mobile code as defined by mobile code requirements?
3892 | System and Communications Protection | DODI_8510 | Does the system allow only approved certificate authorities for verifying the establishment of protected sessions?
3893 | System and Communications Protection | DODI_8510 | Does the system protect the confidentiality and integrity of all nonpublic information?
3894 | System and Communications Protection | DODI_8510 | Does the system implement cryptography to prevent disclosure and modification of all information outside of organization facilities?
3895 | System and Communications Protection | DODI_8510 | Are concealment and misdirection techniques employed for organization-defined time periods to confuse and mislead adversaries attacking the system?
3896 | System and Communications Protection | DODI_8510 | Are techniques used to introduce randomness into organizational operations and assets?
3897 | System and Communications Protection | DODI_8510 | Does the organization change the location of processing and storage at organization-defined time intervals?
3898 | System and Communications Protection | DODI_8510 | Does the organization reduce the maximum bandwidth of identified covert storage or timing channels to organizationally defined values?
3899 | System and Communications Protection | DODI_8510 | Does the organization protect the integrity of information prior to and after storage on read-only media?

3900 | System and Communications Protection | DODI_8510 | Does the organization employ hardware-based protection of system firmware components?
3901 | System and Communications Protection | DODI_8510 | Does the organization ensure that only organization-designated individuals or systems can receive the information, system components, or devices?
3902 | System and Communications Protection | DODI_8510 | Does the system use cryptographic mechanisms to protect against intentional electromagnetic interference?
3903 | System and Communications Protection | DODI_8510 | Does the system use cryptographic mechanisms to reduce the detection potential of wireless links?

3904 | System and Information Integrity | DODI_8510 | Does the organization install security-relevant software and firmware updates within 30 days or according to organizational policy?
3905 | System and Information Integrity | DODI_8510 | Does the system detect, audit, and prevent execution of unauthorized commands at a console?
3906 | System and Information Integrity | DODI_8510 | Does the system employ security measures to authenticate remote commands?
3907 | System and Information Integrity | DODI_8510 | Does the organization use tools and techniques to analyze malicious code and use the results to enhance incident response and flaw remediation processes?
3908 | System and Information Integrity | DODI_8510 | Does the organization analyze outbound communications at the boundary and interior of the system to detect covert exfiltration?
3909 | System and Information Integrity | DODI_8510 | Does the organization implement additional monitoring of new users?
3910 | System and Information Integrity | DODI_8510 | Does the system monitor for unauthorized network services and alert organization-defined personnel when they are found?
3911 | System and Information Integrity | DODI_8510 | Are host-based monitoring mechanisms implemented at system components?
3912 | System and Information Integrity | DODI_8510 | Does the system perform integrity checks of software, firmware, and data at startup, at intermediate states, or on security events, at an organizationally defined frequency?
3913 | System and Information Integrity | DODI_8510 | Upon detection of an integrity violation, does the system perform actions to document the event and notify organizational personnel?
3914 | System and Information Integrity | DODI_8510 | Is the integrity of boot firmware in defined devices protected?
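Items 3841 and 3912-3914 above amount to one mechanism: a trusted record of what the installed software and data should look like, a check against that record at startup, and an audit record plus a notification when the check fails. The following Python is an added example, not part of the CSET instrument: it builds a SHA-256 manifest of a tree (the "master copy" state of 3841), verifies the tree against it, and on any modified, missing or unexpected file writes a JSON audit record and calls a notification hook. The manifest format, the list-backed audit log, the `notify` callback and the temporary sample tree are constructed assumptions for illustration.

```python
"""Added example (not from the CSET question set): manifest-based integrity
check at startup with an audit record and notification on violation. The
manifest format, the list-backed audit log, the notify callback and the
temporary sample tree are illustrative assumptions."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root (the master copy)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Return sorted (status, relpath) tuples; status is modified, missing or unexpected."""
    current = build_manifest(root)
    violations = [("missing", rel) for rel in manifest if rel not in current]
    violations += [("modified", rel) for rel, digest in manifest.items()
                   if rel in current and current[rel] != digest]
    violations += [("unexpected", rel) for rel in current if rel not in manifest]
    return sorted(violations)


def startup_check(root, manifest, audit_log, notify):
    """Verify once at startup; on violation append a JSON audit record and notify."""
    violations = verify_tree(root, manifest)
    if violations:
        record = {"event": "integrity_violation", "root": root,
                  "violations": violations}
        audit_log.append(json.dumps(record, sort_keys=True))
        notify(record)
    return violations


def demo():
    """Constructed scenario: clean start, then a tampered binary and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ctl"), "wb") as fh:
            fh.write(b"\x7fELF placeholder v1")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("mode=safe\n")
        manifest = build_manifest(root)            # master-copy state
        clean = startup_check(root, manifest, [], lambda r: None)
        with open(os.path.join(root, "bin", "ctl"), "ab") as fh:
            fh.write(b"-patched")                  # tamper with the binary
        with open(os.path.join(root, "dropper.sh"), "w") as fh:
            fh.write("echo hi\n")                  # unauthorized new file
        log, alerts = [], []
        violations = startup_check(root, manifest, log, alerts.append)
        return clean, violations, len(log), len(alerts)


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the protection of the manifest itself: store it signed, or on read-only media as 3899 asks, because an attacker who can rewrite the files can rewrite an unprotected manifest too. It also does not satisfy 3914 by itself; boot-firmware integrity needs a hardware root of trust (measured or verified boot) below the operating system that this script runs on.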

3915 | System and Information Integrity | DODI_8510 | Is spam protection automatically updated by the system?
3916 | System and Information Integrity | DODI_8510 | Does the system validate all inputs to external-facing application software (e.g., web/application servers, database servers) that could be used to deliver an exploit?
3917 | System and Information Integrity | DODI_8510 | Is there a manual override on the system that is restricted to authorized users, allows for input validation, and creates audit records when used?
3918 | System and Information Integrity | DODI_8510 | Is the mean time to failure of system components used in a failure prevention strategy?
3919 | System and Information Integrity | DODI_8510 | Are software and data used by system components and services reloaded from organizationally defined sources?
3920 | System and Information Integrity | DODI_8510 | Does the system validate information output from software to ensure that it is consistent with the expected content?

2874

Risk Management and
Assessment

INGAA

Do you implement physical security according to the INGAA AGA document specifically as
it relates to 49 CFR Parts 192 and 193, and according to the pre-TSA document “Security
Practices Guidelines Natural Gas Industry Transmission and Distribution,” revised May
2008?

2875

System Protection

INGAA

2876

Physical Security
Portable/Mobile/Wirel
ess
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment

INGAA

2877
2878
2879
2880

INGAA
INGAA
INGAA
INGAA

Have you established personnel security requirements including security roles and
responsibilities for third-party providers?
Have you established a secure method of monitoring?
Do you audit the use, access, and necessity of these connections, and base its monitoring
and periodic review on company policy?
Is the network infrastructure secured to prevent the unauthorized installation of wireless
technology?
Is the wireless connectivity included in network documentation, policies, and procedures?
Do you, at a minimum, conduct an annual review, reassessment, and update of the
control systems cybersecurity plans in accordance with the operator’s policy?
Where the responsible entity cannot conform to its own cybersecurity policy, do you
document these instances as exceptions, and are they authorized according to company
policy?
Is the criticality classification of cyber assets, as defined in Section 3.2, reviewed at least
every 18 months?
Is the methodology used to define critical assets, the classification of critical assets, and
the classification of critical cyber assets reviewed, approved, and documented according
to company policy?
Have you defined a cross-functional cybersecurity team and an operational framework to
ensure coordination, communication, and accountability for information security on and
between the control systems and enterprise networks?
Have you defined information and cybersecurity roles, responsibilities, and lines of
communication among the operations, IT, and business groups, as well as with
outsourcers, partners, and third-party contractors?
Have you established a system and services acquisition policy, procurement standards,
and a process by which potential acquisitions are evaluated against the standards,
including encouraging the vendor to follow software development standards for
trustworthy software throughout the development life cycle?

2881

Risk Management and
Assessment

INGAA

2882

Risk Management and
Assessment

INGAA

2883

Organizational

INGAA

2884

System and Services
Acquisition

INGAA

2885

System and Services
Acquisition

INGAA

2886

Configuration
Management

INGAA

2887

Configuration
Management

INGAA

Does the company develop and document a network security coordination process?

INGAA

Does the network security coordination process include a delineation of roles and
responsibilities associated with coordination, communication, and accountability of
information security on and between the control systems and enterprise networks?

2888

Policies

Does the network security coordination process define information security coordination
requirements at every step of the systems development life cycle including strategic
planning, design, acquisition, testing, installation, configuration/change management, and
retirement?
Does the cybersecurity team establish and document a framework in accordance with
company policy that defines the security organization and the roles, responsibilities, and
accountabilities of the system owners and users?

2889

Plans

INGAA

2890

Plans

INGAA

2891

Plans

INGAA

2892

Plans

INGAA

2893

Access Control

INGAA

2894

Access Control

INGAA

2895
2896
2897
2898
2899
2900

System Integrity
System Integrity
System Integrity
System Integrity
System Integrity
System Integrity

INGAA
INGAA
INGAA
INGAA
INGAA
INGAA

2901

Configuration
Management

INGAA

Do your procurement standards require that providers of control system services
employ security controls in accordance with applicable laws, Executive Orders, directives,
policies, regulations, standards, guidance, and established service-level agreements?

2902

Continuity

INGAA

Do your procurement standards define oversight and user roles and responsibilities
with regard to external information system services?

2903

Monitoring & Malware INGAA

Do your procurement standards define oversight and user roles and responsibilities
with regard to monitoring security control compliance by external service providers?

Does your company ensure the implementation of bi-directional lines of communication
no matter what structure is in place between the systems owners and users?
Are the lines of communication between system owners and users documented and
exercised to test and ensure their effectiveness?
Has the company established a control system and services acquisition policy,
procurement standards, and a process by which potential systems, components, and
service acquisitions are evaluated against the standards, in accordance with company
policy?
Does your company encourage the vendor to follow software development standards for
trustworthy software throughout the development life cycle?
Do your procurement standards include system hardening?
Do your procurement standards include perimeter protections?
Do your procurement standards include account management?
Do your procurement standards include coding practices?
Do your procurement standards include flaw remediation?
Do your procurement standards include malware detection and protection?

Does the life cycle section of your cybersecurity plan address the incorporation of security
measures and controls into the cyber system design and operation for both new system
creation and legacy system modification?
Does the life cycle section of your cybersecurity plan address mitigation strategies for
security deficiencies found in control system components?
Does the life cycle section of your cybersecurity plan address the implementation of
policies and procedures for the assessment and maintenance of system status and
configuration information including tracking changes made to the control systems
network, and patching and upgrading operating systems and applications?
Does the life cycle section of your cybersecurity plan address the implementation of
policies and procedures for the secure disposal of equipment and associated media?

2904

Monitoring & Malware INGAA

2905

Configuration
Management

INGAA

2906

System Protection

INGAA

2907

Physical Security

INGAA

2908

System Integrity

INGAA

2909

System Integrity

INGAA

2910

Physical Security

INGAA

2911

Monitoring & Malware INGAA

Do all existing practices and procedures include appropriate cybersecurity considerations?

3168

Risk Management and
Assessment

INGAA

3169

Policies

INGAA

3170

Policies

INGAA

3171

Policies

INGAA

3172

Policies

INGAA

Has the organization completed a determination of cyber assets that are classified as
Critical Cyber Assets?
The control system security policy should prohibit the embedding of sensitive passwords
in source code, scripts, aliases, and short-cuts. If necessary, encryption techniques should
be used.
Do you secure your source code to prevent both its unauthorized viewing and
modification?
Are your control systems’ hosts and workstations only used for approved control system
activities?
Do you run any new protocol, application, or software proposed to be added to the
control system network in a test-bed or development environment to evaluate the
potential for impairing the performance of the control system?

Have you developed and documented the practices and procedures that would
incorporate cybersecurity into the control systems design, modification, and operation?
Is cybersecurity consideration part of the initial specification and design of new control
systems and all changes to existing systems?
Do all new control system operation practices and procedures incorporate cybersecurity
consideration?

3173

Policies

INGAA

3174

Policies

INGAA

3175

Policies

INGAA

3178

Policies & Procedures
General
Policies & Procedures
General
Procedures

3179

Procedures

INGAA

3180

Procedures

INGAA

3181

Procedures

INGAA

3182

Procedures

INGAA

3183

Procedures

INGAA

3184

Procedures

INGAA

3185

Procedures

INGAA

3186

Procedures

INGAA

3187

Procedures

INGAA

3188

Procedures

INGAA

3189

Procedures

INGAA

3176
3177

INGAA
INGAA
INGAA

Do you only grant the minimum set of rights, privileges, or accesses required by users or
processes to perform any control system operation, maintenance, or monitoring task?
Do you enable audit logging for all devices that are capable?
Do you periodically review all rights, privileges, and accesses for all users or processes to all
control system components and resources, including but not limited to physical access, OS
services, files, disks, shared data, and networking resources, to ensure that unauthorized
changes have not been made?
Do you review all control systems operational procedures to ensure cybersecurity policies
are maintained at design levels?
Do you have policies and procedures for addressing hardware and software security
deficiencies in control systems?
Do you have procedures for hardening all components used in control systems?
Do you have procedures for securing the configurations of all network devices such as
firewalls, routers, and switches, and are they used to establish baseline configurations for
these devices?
Do you review the baseline system configurations including services and ports periodically
based on company policy to ensure that unauthorized changes have not been made?
Do you remove or disable the operating system services that are not used by the
production SCADA to reduce the risk of being exploited?
Do you review the enabled networking protocols on all networked devices and disable
unessential protocols?
Do you document all required applications and open ports both for normal operation and
emergency operation?
Do you disable all ports and applications not in use?
Do you perform a risk assessment on system services to see if the benefits of having them
running outweigh the potential for exploitation?
Do you only allow remote functions that an operating system provides when necessary
and only use secure versions?
Do you discourage the use of FTP on a SCADA system and strictly control it?
Do you disable or otherwise protect removable media devices (USB ports, CD/DVD drives,
and other removable media devices)?
Do you remove the guest accounts?

3190
3191
3192
3193
3194

Procedures
Procedures
Procedures
Procedures
Procedures

INGAA
INGAA
INGAA
INGAA
INGAA

3195

Procedures

INGAA

3196

Procedures

INGAA

3197

Procedures

INGAA

3198

Procedures

INGAA

3199

Procedures

INGAA

3200

Procedures

INGAA

3201

Procedures

INGAA

3202

Procedures

INGAA

3203

Procedures

INGAA

3204

Procedures

INGAA

3205

Procedures

INGAA

3206

Procedures

INGAA

3207

Plans

INGAA

3208

Plans

INGAA

Do you change the default passwords?
Do you disallow unhardened devices on the network?
Do you use secure coding techniques when developing applications?
Do you strictly control administrative access to all control systems?
Do you require strong passwords for administrative accounts?
Do you change passwords periodically based on company policy and whenever personnel
changes dictate?
Do you have policies and procedures for management of software patches and updates,
antivirus software, and anti-malware software?
Do you apply all critical control system supplier approved operating system updates in
accordance with company policy?
Do you use antivirus, anti-malware, and other protection software in accordance with the
control system supplier’s recommendations?
Do you periodically inventory the software patch level of all systems on the network to be
aware of unpatched systems based on company policy?
Do you ensure that critical application and database security patches are applied in
accordance with the control system supplier recommendations?
Do your change control policies and procedure address any change that will impact the
pipeline control system whether permanent or temporary?
Do you use some type of document control?
Do you use a baseline change approach that fully documents the control system
configuration?
Do you have procedures to recover the baseline configuration in the event of unexpected
impacts or failures from the changes made to the baseline configuration?
Do you follow the process steps as outlined in Section 3.3.3.3?
Have you established policies and procedures for the secure disposal of equipment and
associated media and does it include the sanitization of information system media, both
digital and nondigital, prior to disposal or release for reuse?
Do your control system cybersecurity plans address plans and preparation for the
return to full service of unavailable, degraded, or compromised control systems in a
timely fashion as defined by the organization, consistent with their availability and
recovery requirements?
Do you plan and prepare for the prompt restoration and recovery of a failed or
compromised SCADA system?

3209

Plans

INGAA

3210
3211
3212

Procedures
Procedures
Procedures

INGAA
INGAA
INGAA

3213

Procedures

INGAA

3214

Procedures

INGAA

3215

Plans

INGAA

3216

Plans

INGAA

3217

Plans

INGAA

3218

Plans

INGAA

3219

Plans

INGAA

3220

Plans

INGAA

3221

Plans

INGAA

3222

Plans

INGAA

3223

Plans

INGAA

3224

Plans

INGAA

3225

Plans

INGAA

3226
3227

Policies
Policies

INGAA
INGAA

Do you have plans that include contingencies for cyber threats, natural disasters, and/or
equipment/software failures?
Do you have procedures for restoring systems from backups?
Does your employee training ensure familiarization with the contents of the plans?
Do your procedures define the roles and responsibilities of first responders?
Do you have communication procedures and a list of personnel to contact in the case of
an emergency, including control system vendors, network administrators, and control
system support personnel?
Do you have procedures for validating system backups?
Does the restoration and recovery plan include references to current configuration
information on all systems requiring restoration?
Does the restoration and recovery plan include specifications of recovery time objectives
and specific contingency plan objectives if recovery times are exceeded?
Does the restoration and recovery plan include a required response to events or
conditions of varying duration and severity that would activate the recovery plan?
Does the restoration and recovery plan include a personnel list for authorized physical
and cyber access to the control system?
Does the restoration and recovery plan include requirements for the timely replacement
of components in the case of an emergency?
Do you review the plan periodically according to company policy?
Do you make and secure backups of critical system software, including applications, data,
and configuration information, on a regular basis as defined by company policy consistent
with their availability and recovery requirements?
Do you keep installation media and license information in a secure location?
Do you test the restoration and recovery process periodically according to company
policy, which includes executing it on a frequency according to company policy and
reviewing and refining as necessary according to company policy?
Does your CSP control system cybersecurity plan include the implementation of policies
and procedures for cyber intrusion monitoring, detection, incident handling, and
reporting?
Do you establish policies and procedures for cyber intrusion monitoring and detection as
well as incident handling and reporting?
Do your monitoring procedures include unexpected log file events?
Do your monitoring procedures include unusually heavy network traffic?

Do your monitoring procedures include out of disk space or significantly reduced free disk
space?
Do your monitoring procedures include unusually high CPU usage?
Do your monitoring procedures include creation of new user accounts?
Do your monitoring procedures include attempted or actual use of administrator-level
accounts?
Do your monitoring procedures include locked-out accounts?
Do your monitoring procedures include accounts in use when the user is not at work?
Do your monitoring procedures include cleared log files?
Do your monitoring procedures include full log files with unusually large number of
events?
Do your monitoring procedures include antivirus alerts?
Do your monitoring procedures include disabled antivirus software and other security
controls?
Do your monitoring procedures include unexpected patch changes?
Do your monitoring procedures include machines connecting to outside IP addresses?
Do your monitoring procedures include requests for information about the system (social
engineering attempts)?

3228

Policies

INGAA

3229
3230

Policies
Policies

INGAA
INGAA

3231

Policies

INGAA

3232
3233
3234

Policies
Policies
Policies

INGAA
INGAA
INGAA

3235

Policies

INGAA

3236

Policies

INGAA

3237

Policies

INGAA

3238
3239

Policies
Policies

INGAA
INGAA

3240

Policies

INGAA

3241

Policies

INGAA

Do your monitoring procedures include unexpected changes in configuration settings?

3242
3243
3244
3245
3246

Policies
Policies
Policies
Policies
Policies

INGAA
INGAA
INGAA
INGAA
INGAA

3247

System Protection

INGAA

3249

Physical Security

INGAA

3250

Access Control

INGAA

Do your monitoring procedures include unexpected system shutdown?
Does your organization have cyber incident handling procedures?
Does your incident response plan include Roles and Responsibilities Definition?
Does your incident response plan include Declaration of Preparation?
Does your incident response plan include Incident Response Phases Definition?
Does the organization develop and enforce policies and procedures where control system
workstations are only used for approved activities?
Are access controls at non-critical facilities implemented to the same protection standards
as at the main facility?
Does the enhanced access control in the security plan include consideration of physical
and logical access, risk assessment of wireless implementation, and access to Critical
Cyber Assets?

3251
3347
3348

Physical Security
Configuration
Management
Risk Management and
Assessment

INGAA

Does the organization implement physical access controls as specified in regulatory
sources? (i.e., INGAA Pipeline Security Practices Guidelines Natural Gas Pipeline Industry
Transmission and Distribution)

NCSF_V1

Is there a defined list of software programs authorized to execute on the system?

NCSF_V1

Does the organization map all communication and data flows?

3349

Remote Access Control NCSF_V1

3350

Plans

NCSF_V1

3351

Plans

NCSF_V1

3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362

Policies
Policies
Policies
Access Control
Policies
Policies
Policies
Policies
Policies
Policies
Training

NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1

Are the organization's place in critical infrastructure and its industry sector identified and
communicated?
Does the organization have a plan for critical infrastructure recovery developed and
tested?
Does your organization have an Information and Document Management Policy?
Does your organization have a Media Protection Policy?
Does your organization have a System Security Policy?
Does your organization have an Access Control Policy?
Does your organization have an Audit and Accountability Policy?
Does your organization have a Cryptographic Policy?
Does your organization have an Identification and Authentication Policy?
Does your organization have a Monitoring and Review Policy?
Does your organization have a System and Communication Protection Policy?
Does your organization have a System and Services Acquisition Policy?
Do privileged users understand their roles and responsibilities in cybersecurity?

3363

Training

NCSF_V1

Do senior executives understand their roles and responsibilities with regard to security?

3364

Training

NCSF_V1

Do physical security personnel, through training and testing, understand their roles and
responsibilities in regard to cybersecurity?

NCSF_V1

Does your organization have a Configuration Management Plan?

NCSF_V1

Does the organization share with industry partners proven effective protection
technologies?

NCSF_V1

Does the continuity of operations plan include necessary notifications to stakeholders?

3365
3366
3367

Configuration
Management
Communication
Protection
Continuity

Are all external information systems catalogued?

3368

Continuity

NCSF_V1

3369

Incident Response

NCSF_V1

3370
3371
3372

NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1

Are new vulnerabilities mitigated or documented as acceptable risks?

3374

Incident Response
Incident Response
Incident Response
Risk Management and
Assessment
Continuity

Does the organization understand the impact of the cyber incident?
Do personnel have knowledge of cyber forensics and execute them in accordance with
the incident response plan?
Are cybersecurity incidents categorized according to the incident response plan?
Are cybersecurity incidents contained according to the incident response plan?
Are cybersecurity incidents mitigated according to the incident response plan?

NCSF_V1

3375

Continuity

NCSF_V1

Are lessons learned incorporated into recovery plans?
Is the recovery plan reviewed and updated to address lessons learned, system,
organizational, and technology changes?

3376

Continuity

NCSF_V1

3373

3378
3379
3380
3381
3382

Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
System and Services
Acquisition

NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1
NCSF_V1

3383

Incident Response

NCSF_V1

3384

Info Protection

NCSF_V1

3385

Environmental Security NCSF_V1

3386

Environmental Security NCSF_V1

3387

Continuity

NCSF_V1

3388

Continuity

NCSF_V1

Does the organization attempt to restore company reputation after an event is repaired?
Are risk management procedures developed, managed and distributed to the
organizational members?
Does the organization use risk information from similar industries to determine its own
risk tolerance?
Are information and systems categorized in accordance with business risk, policies,
regulations, standards, and guidance?
Are the security categorization results documented and prioritized in the system security
plan?
Is the organization's place in critical infrastructure and its industry sector identified and
communicated?
Have the organization's upstream and downstream dependencies been identified in the
supply chain?
Are organizational mission, objectives, and activities determined and prioritized according
to an organization-defined time period?
Does the organization have critical services such as communications, internet provider, or
electrical power that are needed for critical functioning of the business?
Does the organization use UPS or generators as sources of alternate power to support
critical business processes?
Does the organization use an alternate telecommunications provider to provide critical
business services?
Does the organization test whether alternate critical functions are adequate?

3389

Communication
Protection

NCSF_V1

3390

Continuity

NCSF_V1

3391

Plans

NCSF_V1

3392

Continuity

NCSF_V1

3393

Plans
Risk Management and
Assessment

NCSF_V1

3395

Policies

NCSF_V1

3396

Procedures

NCSF_V1

3397

Account Management

NCSF_V1

3398

Account Management

NCSF_V1

3399

Audit and
Accountability

NCSF_V1

3400

Plans

NCSF_V1

3401

Procedures

NCSF_V1

3402

Remote Access Control NCSF_V1

3403

Monitoring & Malware NCSF_V1

3404

Incident Response

3405

Monitoring & Malware NCSF_V1

3394

NCSF_V1

NCSF_V1

Does the organization have an adequate supply of materials to continue to provide delivery
of critical business services?
Does the organization understand resilience as it applies toward re-establishing critical
services?
Has capacity planning determined the necessary capacity for information processing,
telecommunications, and environmental support needed during restoration operations?
Is there a formal, documented resilience planning policy for the system that addresses
critical services?
Are risk-reduction mitigation measures identified and prioritized?
Is there a detailed mitigation strategy for individual systems that addresses risk and is
there a comprehensive strategy?
Does the organization manage user names and credentials for each user or device
contained in the system?
Do you have procedures for issuing a name and password for each user in all systems?
Are system accounts authorized, established, activated, modified, disabled, and removed
according to the organization defined time period?
Is there a minimum password complexity with defined requirements for case sensitivity,
number of characters, mix of upper case letters, lower case letters, numbers, and special
characters, including minimum requirements for each type, and are passwords required to
be changed in an organization-defined time period?
Is there sufficient storage capacity allocated to reduce the likelihood of such capacity
being exceeded?
Has capacity planning determined the necessary capacity for information processing,
telecommunications, and environmental support needed for daily operations?
Do you have a configuration change control plan?
Is cryptography used to protect the confidentiality and integrity of remote access
sessions? (See FIPS 140 for validated cryptographic modules)
Are automated tools used to support near real-time analysis of events and are these
events analyzed for after-the-fact examples of attack targets and methods?
Are system network security incidents tracked and used to correlate with other sensors
and system log files?
Are vulnerability scans performed on a defined frequency or randomly in accordance with
organizational policy?

3406
3407
3408

Monitoring & Malware NCSF_V1
Risk Management and
Assessment
Risk Management and
Assessment

NCSF_V1
NCSF_V1

3409

Monitoring & Malware NCSF_V1

2912

Account Management

NEI_0809

2913

Account Management

NEI_0809

2914

Account Management

NEI_0809

2915

Access Control

NEI_0809

2916

Access Control

NEI_0809

2917

Access Control

NEI_0809

2918

Access Control

NEI_0809

2919

Access Control

NEI_0809

2920

Communication
Protection

NEI_0809

2921

Access Control

NEI_0809

If vulnerability scanning tools are unavailable, is the organization able to compensate
using passive monitoring tools?
Are the results of periodic, unannounced, in-depth monitoring or penetration testing used
to improve detection processes?
Are the results of system monitoring used as a basis for improving detection processes?
Are vulnerability scanning tools updated and improved?
Are CDA accounts managed and documented to include: authorizing, establishing,
activating, modifying, reviewing, disabling and removing accounts?
Are CDA accounts managed and reviewed against the access control list at least every 31
days?
Are computer automated mechanisms used to manage CDA accounts in activities such as
terminating and disabling inactive accounts within 31 days, creating and protecting audit
records, and notifying the system administrator of account modifications?
Does the organization conduct reviews of job function changes to ensure account rights
remain limited to job function?
Does the organization define and document privileged functions and security relevant
information on the CDA?
Does the organization document and enforce access mechanisms (e.g., passwords) that
do not adversely impact the operational performance of CDAs, and employ alternate
compensating security controls when access enforcement cannot be used?
When access enforcement mechanisms may adversely impact the performance of CDAs,
do you document and employ alternate security controls when access enforcement is
unavailable?
Does the organization restrict access to privileged functions and security information to
authorized personnel?
Does the organization document information flow control enforcement by using
protected processing level (e.g., defensive architecture) as a basis for flow control
decisions?
Does the organization enforce separation of CDA functions through assigned access
authorizations?

2922

Access Control

NEI_0809

2923

Access Control

NEI_0809

2924

Access Control

NEI_0809

2925

Access Control

NEI_0809

2926

Access Control

NEI_0809

2927

Info Protection

NEI_0809

2928

Portable/Mobile/Wireless
NEI_0809

2929

System Integrity

NEI_0809

2930

Portable/Mobile/Wireless
NEI_0809

2931

Access Control

NEI_0809

2932

Audit and
Accountability

NEI_0809

2933

Audit and
Accountability

NEI_0809

Does the organization implement alternative controls and document the justification
where a CDA cannot support differentiation of roles and where a single individual must
perform all roles within the CDA?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures for increased auditing where a CDA cannot support
the differentiation of privileges within the CDA and where an individual must perform all
roles within the CDA?
Does the organization document the justification and details for alternative
controls/countermeasures where a CDA cannot support account/node locking or delayed
login attempts?
Does the organization ensure that CDA "Use Notification" provides privacy and security
notices?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures where a CDA cannot support session locks, and
ensure that the CDA is protected from unauthorized access, monitored, audited, and has
verification of qualified personnel access?
Does the organization identify and implement standard naming conventions for
identification of special dissemination, handling, or distribution instructions in compliance
with 10 CFR 2.390 and 10 CFR 73.21?
Does the organization disable wireless capabilities when not utilized?
Does the organization perform verification during deployment of CDAs, when changes or
modifications occur to CDAs, and every 31 days for accessible areas and that CDAs are
free of insecure connections such as vendor connections and modems?
Does the organization enforce and document that mobile device security and integrity are
maintained at a level consistent with the CDA they support?
Is information that could cause an adverse impact on SSEP functions or could assist an
adversary in carrying out an attack not released to the public?
Where a CDA cannot support the use of automated mechanisms to generate audit
records, are there alternative controls and documented justification for alternative
controls or countermeasures?
Does the organization coordinate security audit functions within the facility to enhance
mutual support and help guide the selection of auditable events?

2934
2935
2936
2937
2938

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability

NEI_0809

Does the CDA prevent users from altering or destroying audit records?

NEI_0809

Does the organization meet NRC record retention requirements?

NEI_0809

Does the CDA or security boundary device failover to a redundant CDA, where necessary,
to prevent adverse impact to safety, security or emergency preparedness functions?

NEI_0809
NEI_0809

2939

Audit and
Accountability

NEI_0809

2940

Audit and
Accountability

NEI_0809

2941

Audit and
Accountability

NEI_0809

2942

Communication
Protection

NEI_0809

2943

Communication
Protection

NEI_0809

2944

Communication
Protection

NEI_0809

2945

Communication
Protection

NEI_0809

Does the CDA or security boundary device, when necessary, respond during failure by
overwriting the oldest audit record or records?
Is the failure of audit processing capabilities attributed as a failure of the CDA or security
boundary device?
Does the organization review and analyze CDA audit records every 31 days for
indications of inappropriate or unusual activity, and report the findings to the designated
official?
Does the organization document the justification and details for alternate compensating
security controls where a CDA cannot support auditing reduction and report generation
by providing this capability through a separate system?
Does the organization ensure that CDAs use a time source protected at an equal or greater
level than the CDAs, or internal system clocks, to generate time stamps for audit records,
and that the time on CDAs is synchronized?
Does the organization document procedures that facilitate the implementation of the
CDA, system, and communications protection policy?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures to ensure that individuals who have access to the CDA
are qualified, trustworthy, and reliable per 10 CFR 73.56?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures for physically restricted access to the CDA and
timely detection and response to intrusions?
Does the organization implement alternative controls and document the justification for
alternative controls/countermeasures where a CDA cannot internally support
transmission confidentiality capabilities through ensuring that individuals who have
access to the CDA are qualified, trustworthy, and reliable per 10 CFR 73.56?

| 2946 | Communication Protection | NEI_0809 | Does the organization implement alternative controls and document the justification for alternative controls/countermeasures where a CDA cannot internally support transmission confidentiality capabilities, through physical restrictions, monitoring, and recording of physical access to the CDA?
| 2947 | Communication Protection | NEI_0809 | Does the organization manage cryptographic keys using automated mechanisms with supporting procedures, or manual procedures, when cryptography is required and employed within the CDAs, in accordance with NEI 08-09 Rev 6 Appendix D Section 3.9 (NRC Regulatory Issue Summary (RIS) 2002-15, Revision 1)?
| 2948 | Communication Protection | NEI_0809 | Are CDAs configured to provide physical disconnection of cameras and microphones in a manner that supports ease of use, except where these technologies are used to control and monitor the CDA for security purposes?
| 2949 | Communication Protection | NEI_0809 | Does the organization configure CDAs so that, upon receipt of data, they perform data origin authentication and data integrity verification on resolution responses, whether or not the CDAs request this service?
| 2950 | Physical Security | NEI_0809 | Is physical access to CDAs restricted?
| 2951 | Access Control | NEI_0809 | Does the organization implement the strongest possible challenge-response authentication mechanism where domain-based authentication is not used?
| 2952 | Account Management | NEI_0809 | Are passwords changed every 92 days, and do they have the length and complexity needed for the required security?
| 2953 | Account Management | NEI_0809 | On a CDA that cannot support device identification and authentication, are alternative controls implemented and documented, with justification for using alternative controls?
| 2954 | Access Control | NEI_0809 | Does the organization ensure that CDAs authenticate cryptographic modules in accordance with NEI 08-09 Rev 6 Appendix D Section 3.9 (NRC Regulatory Issue Summary (RIS) 2002-15, Revision 1)?
| 2955 | System Integrity | NEI_0809 | Does the organization verify and document that CDAs are patched or mitigated in accordance with the patch management process and security prioritization timelines?
| 2956 | System Integrity | NEI_0809 | Does the organization document the level of support for testing patch releases?
| 2957 | Info Protection | NEI_0809 | Do the media protection policy and procedures detail the purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance for information categories as defined by the site policies?
| 2958 | Info Protection | NEI_0809 | Do the media protection procedures include the methodology that defines the purpose, scope, roles, responsibilities, and management commitment in the areas of media receipt, storage, handling, sanitization, removal, reuse, and disposal?
| 2959 | Info Protection | NEI_0809 | Is CDA testing with storage media verified every 92 days to ensure that equipment and procedures are functioning properly?
| 2960 | Personnel | NEI_0809 | Does a certifying official grant access prior to an individual gaining access to CDAs or communication systems?
| 2961 | Personnel | NEI_0809 | Does the organization retrieve information (e.g., security-related and organizational) formerly controlled by terminated or transferred individuals?
| 2962 | Personnel | NEI_0809 | Are qualified individuals proven to be trustworthy and reliable in accordance with 10 CFR 73.56?
| 2963 | System Integrity | NEI_0809 | Where a CDA cannot support the use of automated mechanisms for the management of distributed security testing, is there justification and documentation for employing alternative or compensating controls?
| 2964 | System Integrity | NEI_0809 | Does the organization perform scans to verify the integrity, operation and functions of software and information every 92 days?
| 2965 | Physical Security | NEI_0809 | Does the organization develop, implement and document a plan for CDAs located outside of the protected area with regard to physical security protection, roles, responsibilities and management accountability, the organization's staff, third-party contractors, and environmental protection?
| 2966 | Physical Security | NEI_0809 | Does the organization include personnel security controls in acquisition-related contract and agreement documents?
| 2967 | Physical Security | NEI_0809 | Does the organization implement physical security controls to limit access to CDAs and to prevent degradation of the operational environment?
| 2968 | Physical Security | NEI_0809 | Does the organization control and document visitor access to CDAs by verifying identity and confirming access authorization prior to entry?
| 2969 | Physical Security | NEI_0809 | Does the organization employ secure management communications and encryption per Appendix D of NEI 08-09, Rev 6?
| 2970 | Physical Security | NEI_0809 | Does the organization ensure that direct communications between digital assets at lower security levels and digital assets at higher security levels are eliminated or restricted (e.g., relating to defense-in-depth), with justification explaining that communication from a lower security level to a higher security level has been verified so that a compromise of such communication will not prevent or degrade the functions performed by the CDAs at the higher security level?
| 2971 | Incident Response | NEI_0809 | Are the incident response team members identified, and do they represent the following organizations: Physical security, Cyber security team, Operations, Engineering, Information Technology, Human resources, System support vendors, Management, Legal, and Safety?
| 2972 | Continuity | NEI_0809 | Are backups of CDAs tested at an interval of no less than 31 days?
| 2973 | Organizational | NEI_0809 | Does the situational awareness training include understanding normal behavior of the CDA so that abnormal behavior is recognized?
| 2974 | Configuration Management | NEI_0809 | Does the organization establish configuration management security controls for CDAs with the process described in Section 4.2 of the Cyber Security Plan?
| 2975 | Configuration Management | NEI_0809 | Are the up-to-date baseline configurations audited every 92 days?
| 2976 | Configuration Management | NEI_0809 | Does the organization document the justification for alternate (compensating) security controls where a CDA cannot support the use of automated mechanisms to centrally manage, apply, and verify configuration settings?
| 2977 | System and Services Acquisition | NEI_0809 | Does the organization develop a formal, documented procedure to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls?
| 2993 | Access Control | NEI_0809 | Does the system authenticate devices before establishing connections to CDAs?
| 2994 | Monitoring & Malware | NEI_0809 | Is unauthorized use of CDAs identified (e.g., through log monitoring)?
| 2995 | Audit and Accountability | NEI_0809 | Are changes to CDAs consistent with your configuration management program?
| 1180 | Risk Management and Assessment | Nerc_Cip_R3 | control centers and backup control centers?
| 1181 | Risk Management and Assessment | Nerc_Cip_R3 | transmission substations that support the reliable operation of the Bulk Electric System?
| 1182 | Risk Management and Assessment | Nerc_Cip_R3 | consider generation resources that support the reliable operation of the Bulk Electric System?
| 1183 | Risk Management and Assessment | Nerc_Cip_R3 | systems and facilities critical to system restoration?
| 1184 | Risk Management and Assessment | Nerc_Cip_R3 | systems and facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or more?
| 1185 | Risk Management and Assessment | Nerc_Cip_R3 | Special Protection Systems that support the reliable operation of the Bulk Electric System?
| 1186 | Risk Management and Assessment | Nerc_Cip_R3 | any additional assets that support the reliable operation of the Bulk Electric System?
| 1187 | System Protection | Nerc_Cip_R3 | Have the critical cyber assets been identified, reviewed, and updated on at least an annual basis?
| 1188 | Policies & Procedures General | Nerc_Cip_R3 | Has the control systems specific cybersecurity policy been disseminated to those with a need to know?
| 1189 | Organizational | Nerc_Cip_R3 | Is the change in senior management leadership documented within 30 calendar days of the effective date?
| 1190 | Organizational | Nerc_Cip_R3 | Does the senior manager delegate authority for specific actions to a named delegate or delegates, and are the delegations documented by name, title, and date of designation and approved by the senior manager?
| 1191 | Organizational | Nerc_Cip_R3 | Has the senior manager or delegate(s) authorized and documented any exception from the requirements of the cybersecurity policy?
| 1192 | Policies & Procedures General | Nerc_Cip_R3 | Have conformance issues with the cybersecurity policy been documented as exceptions and authorized by the senior manager or delegate(s)?
| 1193 | Policies & Procedures General | Nerc_Cip_R3 | Are exceptions to the cybersecurity policy documented within 30 days of senior manager or delegate(s) approval?
| 1194 | Policies & Procedures General | Nerc_Cip_R3 | Are exceptions to the cybersecurity policy documented with an explanation as to necessity and any compensating measures?
| 1195 | Policies & Procedures General | Nerc_Cip_R3 | Are exceptions to the cybersecurity policy reviewed and approved annually by the senior manager or delegate(s) to ensure they are still valid and required?
| 1196 | Risk Management and Assessment | Nerc_Cip_R3 | Does the critical cyber asset information to be protected include operational procedures, lists as required in Standard CIP-002-3, network topology, floor plans that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information?
| 1197 | Info Protection | Nerc_Cip_R3 | Are personnel who authorize access to protected information identified by name, title, and the information for which they are responsible for authorizing access?
| 1198 | Info Protection | Nerc_Cip_R3 | Is the list of personnel responsible for authorizing access to protected information verified at least annually?
| 1200 | Info Protection | Nerc_Cip_R3 | Are the processes for controlling access privileges to protected information assessed at least annually?
| 1201 | Training | Nerc_Cip_R3 | Does training material include policies, access controls, and procedures for critical cyber assets?
| 1202 | Training | Nerc_Cip_R3 | Does training include the proper use of critical cyber assets, physical and electronic access controls to critical cyber assets, the proper handling of critical cyber asset information, and action plans and procedures to recover or re-establish critical cyber assets and access following a cyber security incident?
| 1203 | Personnel | Nerc_Cip_R3 | Does the personnel assessment include an identity verification and a 7-year criminal check?
| 1204 | Personnel | Nerc_Cip_R3 | Are the results of personnel risk assessments documented, and are personnel risk assessments of contractor and service vendor personnel conducted pursuant to Standard CIP-004-3?
| 1205 | Personnel | Nerc_Cip_R3 | Is the list of personnel who have access to critical cyber assets reviewed quarterly, and is the list updated within 7 calendar days of any change of personnel or any change in access rights?
| 1206 | Communication Protection | Nerc_Cip_R3 | Is there a defined electronic security perimeter for dial-up accessible critical cyber assets that use nonroutable protocols?
| 1207 | Communication Protection | Nerc_Cip_R3 | Are end points of communication links connecting discrete electronic security perimeters considered access points and included in the electronic security perimeter?
| 1208 | Communication Protection | Nerc_Cip_R3 | Are noncritical cyber assets within a defined electronic security perimeter identified and protected pursuant to the requirements of Standard CIP-005-3?
| 1209 | Communication Protection | Nerc_Cip_R3 | Are access control and monitoring assets of the electronic security perimeter afforded protective measures as specified in CIP-003-3, CIP-004-3 Requirement R3, CIP-005-3 Requirements R2 and R3, CIP-006-3 Requirements R2 and R3, CIP-007-3 Requirements R1 and R3 through R9, CIP-008-3, and CIP-009-3?
| 1210 | Communication Protection | Nerc_Cip_R3 | Is there documentation of the electronic security perimeter(s), all interconnected critical and noncritical cyber assets within the electronic security perimeter(s), all electronic access points to the electronic security perimeter(s), and the cyber assets deployed for the access control and monitoring of these access points?
| 1211 | Communication Protection | Nerc_Cip_R3 | Is there a procedure for securing dial-up access to the electronic security perimeter(s)?
| 1212 | Monitoring & Malware | Nerc_Cip_R3 | Is there a documented monitoring process (or processes) at each dial-up access point device?
| 1213 | Monitoring & Malware | Nerc_Cip_R3 | Does the vulnerability assessment include a document identifying the vulnerability assessment process?
| 1214 | Monitoring & Malware | Nerc_Cip_R3 | Does the vulnerability assessment include a process of discovery for access points in the electronic security perimeter?
| 1215 | Configuration Management | Nerc_Cip_R3 | Is the documentation updated to reflect modification of the network or controls within 90 calendar days of the change?
| 1216 | Access Control | Nerc_Cip_R3 | Are electronic access logs retained for at least 90 calendar days, and are logs related to reportable incidents kept in accordance with the requirements of Standard CIP-008-3?
| 1217 | Plans | Nerc_Cip_R3 | Is there a documented, implemented, and maintained physical security plan approved by the senior manager or delegate(s)?
| 1218 | Physical Security | Nerc_Cip_R3 | Do all cyber assets within an electronic security perimeter also reside in a physical security perimeter, OR are alternative measures deployed and documented to control physical access to such cyber assets?
| 1219 | Plans | Nerc_Cip_R3 | Does the physical security plan address updating of the physical security plan within 30 calendar days of the completion of any physical security system redesign or reconfiguration?
| 1220 | Plans | Nerc_Cip_R3 | Does the physical security plan address annual review of the physical security plan?
| 1221 | Physical Security | Nerc_Cip_R3 | Do cyber assets that authorize and/or log access to the physical security perimeter(s) have the protective measures specified in Standard CIP-003-3; Standard CIP-004-3, Requirement R3; Standard CIP-005-3, Requirements R2 and R3; Standard CIP-006-3, Requirements R4 and R5; Standard CIP-007-3; Standard CIP-008-3; and Standard CIP-009-3?
| 1222 | Physical Security | Nerc_Cip_R3 | Do cyber assets used in the access control and/or monitoring of the electronic security perimeter(s) reside within an identified physical security perimeter?
| 1223 | Physical Security | Nerc_Cip_R3 | Does logging record sufficient information to uniquely identify individuals and the time of access, 24 hours a day, 7 days a week?
| 1224 | Physical Security | Nerc_Cip_R3 | Are there documented technical and procedural mechanisms for logging physical entry at all access points to the physical security perimeter(s)?
| 1225 | Physical Security | Nerc_Cip_R3 | Are electronic physical access logs produced, OR is electronic capture of video images used for logging physical access and of sufficient quality to determine identity, OR is manual logging of physical access used and maintained by security as specified in Requirement R4?
| 1226 | Physical Security | Nerc_Cip_R3 | Are physical access logs retained for at least 90 calendar days, and are logs related to reportable incidents kept in accordance with the requirements of Standard CIP-008-3?
| 1227 | Physical Security | Nerc_Cip_R3 | Is there a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly?
| 1228 | Physical Security | Nerc_Cip_R3 | Are all physical security systems tested and maintained on a cycle no longer than 3 years?
| 1229 | Physical Security | Nerc_Cip_R3 | Are all physical security systems testing and maintenance records retained for the cycle identified in accordance with Requirement R8.1?
| 1230 | Physical Security | Nerc_Cip_R3 | Are all physical security systems outage records regarding access controls, logging, and monitoring retained for a minimum of 1 calendar year?
| 1231 | System Protection | Nerc_Cip_R3 | Is there a documented process to ensure that only those ports and services required for normal and emergency operations are enabled?
| 1232 | System Integrity | Nerc_Cip_R3 | Is the assessment of security patches and security upgrades for applicability documented within 30 calendar days of availability of the patches or upgrades?
| 1233 | System Integrity | Nerc_Cip_R3 | Is the implementation of security patches documented?
| 1234 | System Integrity | Nerc_Cip_R3 | Are compensating measures applied to mitigate risk exposure documented when patches are not installed?
| 1235 | Monitoring & Malware | Nerc_Cip_R3 | Are antivirus and malware prevention tools documented and implemented?
| 1236 | Account Management | Nerc_Cip_R3 | Are user accounts implemented as approved by designated personnel per CIP-003-3 Requirement R5?
| 1237 | Account Management | Nerc_Cip_R3 | Are there methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of 90 days?
| 1238 | Account Management | Nerc_Cip_R3 | Are user accounts reviewed at least annually to verify that access privileges are in accordance with CIP-003-3 R5 and CIP-004-3 R4 requirements?
| 1239 | Account Management | Nerc_Cip_R3 | Is there a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges, including factory default accounts?
| 1240 | Account Management | Nerc_Cip_R3 | Are individuals with access to shared accounts identified?
| 1241 | Access Control | Nerc_Cip_R3 | Are passwords changed at least annually?
| 1242 | Info Protection | Nerc_Cip_R3 | Are data storage media erased prior to redeployment?
| 1243 | Risk Management and Assessment | Nerc_Cip_R3 | Is there a document identifying the vulnerability assessment process?
| 1244 | Risk Management and Assessment | Nerc_Cip_R3 | Does the vulnerability assessment verify that only ports and services required for operation of the cyber assets within the electronic security perimeter are enabled?
| 1245 | Risk Management and Assessment | Nerc_Cip_R3 | Does the vulnerability assessment review the controls for default accounts?
| 1246 | Risk Management and Assessment | Nerc_Cip_R3 | Is the documentation specified in Standard CIP-007-3 reviewed and updated at least annually, including ensuring that changes resulting from modifications to the systems or controls are documented within 30 calendar days of the change?
| 1247 | Incident Response | Nerc_Cip_R3 | Does the incident response plan include a process for reporting incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC)?
| 1248 | Incident Response | Nerc_Cip_R3 | Are all reportable cybersecurity incidents reported to the ES-ISAC, either directly or through an intermediary?
| 1249 | Incident Response | Nerc_Cip_R3 | Is documentation related to cybersecurity incidents reportable per Requirement R1.1 retained for 3 calendar years?
| 1250 | Continuity | Nerc_Cip_R3 | Are updates to the recovery plan(s) communicated to personnel responsible for the activation and implementation of the recovery plan(s) within 30 calendar days of the change being completed?
| 1251 | Risk Management and Assessment | Nerc_Cip_R4 | Does the critical cyber asset information to be protected include operational procedures, lists as required in Standard CIP-002-4, network topology, floor plans that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information?
| 1252 | Personnel | Nerc_Cip_R4 | Are the results of personnel risk assessments documented, and are personnel risk assessments of contractor and service vendor personnel conducted pursuant to Standard CIP-004-4?
| 1253 | Communication Protection | Nerc_Cip_R4 | Are noncritical cyber assets within a defined electronic security perimeter identified and protected pursuant to the requirements of Standard CIP-005-4a?
| 1254 | Communication Protection | Nerc_Cip_R4 | Are access control and monitoring assets of the electronic security perimeter afforded protective measures as specified in CIP-003-4, CIP-004-4 Requirement R3, CIP-005-4a Requirements R2 and R3, CIP-006-4c Requirements R2 and R3, CIP-007-4 Requirements R1 and R3 through R9, CIP-008-4, and CIP-009-4?
| 1255 | Access Control | Nerc_Cip_R4 | Are electronic access logs retained for at least 90 calendar days, and are logs related to reportable incidents kept in accordance with the requirements of Standard CIP-008-4?
| 1256 | Physical Security | Nerc_Cip_R4 | Do cyber assets that authorize and/or log access to the physical security perimeter(s) have the protective measures specified in Standard CIP-003-4; Standard CIP-004-4, Requirement R3; Standard CIP-005-4a, Requirements R2 and R3; Standard CIP-006-4c, Requirements R4 and R5; Standard CIP-007-4; Standard CIP-008-4; and Standard CIP-009-4?
| 1257 | Physical Security | Nerc_Cip_R4 | Are physical access logs retained for at least 90 calendar days, and are logs related to reportable incidents kept in accordance with the requirements of Standard CIP-008-4?
| 1258 | Risk Management and Assessment | Nerc_Cip_R4 | Is the documentation specified in Standard CIP-007-4 reviewed and updated at least annually, including ensuring that changes resulting from modifications to the systems or controls are documented within 30 calendar days of the change?
| 3413 | Configuration Management | Nerc_Cip_R5 | Has the Responsible Entity identified and classified high, medium and low impact BES Cyber Systems according to CIP-002-5 Attachment 1, Section 1?
| 3414 | Configuration Management | Nerc_Cip_R5 | Does the Responsible Entity review the identification under Requirement R1 (CIP-002-5.1) and update it for changes at least every 15 calendar months, even if no changes are required?
| 3415 | Organizational | Nerc_Cip_R5 | Is there a review process for high and medium impact BES Cyber Systems, is it updated at least once every 15 calendar months, and does a CIP Senior Manager approve it?
| 3416 | Organizational | Nerc_Cip_R5 | Is there a documented review process for high and medium impact BES Cyber Systems, and does the process include the topics addressed in CIP-003-5 Parts 1.1 through 1.9?
| 3417 | Organizational | Nerc_Cip_R5 | Are low impact BES Cyber Security Systems reviewed at least once every 15 calendar months in a manner that identifies, assesses, and corrects deficiencies?
| 3418 | Organizational | Nerc_Cip_R5 | Does the review of low impact BES Cyber Systems address cyber security topics from CIP-003-5 R2 Part 2.1 through Part 2.4, and is it approved by management?
| 3419 | Organizational | Nerc_Cip_R5 | Is the CIP Senior Manager identified by name and documented within 30 calendar days of any change?
| 3420 | Organizational | Nerc_Cip_R5 | Are changes to the delegation of authority document approved by the CIP Senior Manager and updated within 30 days?
| 3421 | Organizational | Nerc_Cip_R5 | Is the responsible CIP Senior Manager authority delegation process documented and reviewed in a manner that identifies, assesses, and corrects deficiencies?
| 3422 | Personnel | Nerc_Cip_R5 | Is security awareness training given at least once each calendar quarter to users that have electronic or physical access to the BES Cyber System?
| 3423 | Personnel | Nerc_Cip_R5 | Does the Responsible Entity provide cyber security awareness training that covers the topics listed in CIP-004-5.1 Parts 2.1.1 through 2.1.9?
| 3424 | Personnel | Nerc_Cip_R5 | Does the Responsible Entity have a Cyber Security Training program as specified in CIP-004-5.1 R2, and is it offered at least once every 15 calendar months?
| 3425 | Personnel | Nerc_Cip_R5 | Are the results of personnel risk assessments documented, and are the risk assessments of contractor and service vendor personnel conducted pursuant to Standard CIP-004-5?
| 3426 | Personnel | Nerc_Cip_R5 | Is appropriate personnel access, physical or electronic, to designated storage locations for BES Cyber System Information verified at least once every 15 calendar months?
| 3427 | Access Control | Nerc_Cip_R5 | Is the Access Management Program documented and assessed, and are any deficiencies found corrected?
| 3428 | Personnel | Nerc_Cip_R5 | Does the Responsible Entity verify user accounts at least every 15 calendar months?
| 3429 | Communication Protection | Nerc_Cip_R5 | Does the Responsible Entity have a documented interactive remote access policy that includes the CIP-005-5 applicable requirements from Parts 2.1, 2.2, and 2.3?
| 3430 | Physical Security | Nerc_Cip_R5 | Are physical access logs retained for at least 90 calendar days, and are logs related to reportable incidents kept in accordance with the requirements of CIP-006-5?
| 3431 | Physical Security | Nerc_Cip_R5 | Is there a maintenance and testing program, performed at least every 24 calendar months, to ensure that all physical security systems function properly?
| 3432 | System Integrity | Nerc_Cip_R5 | Does the Responsible Entity implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes from CIP-007-5 Table R3 (Malicious Code Prevention)?
| 3433 | System Integrity | Nerc_Cip_R5 | Does the Responsible Entity implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes from CIP-007-5 Table R4 (Security Event Monitoring)?
| 3434 | System Integrity | Nerc_Cip_R5 | Are user accounts reviewed at least annually to verify that access privileges are in accordance with CIP-004-5 R4 requirements?
| 3435 | System Integrity | Nerc_Cip_R5 | Are user accounts implemented as approved by designated personnel per CIP-004-5 R4 requirements?
| 3436 | Incident Response | Nerc_Cip_R5 | Does the Responsible Entity implement and document processes from CIP-008-5 R1 for one or more Cyber Security Incident response plans, and where deficiencies are identified, are they analyzed and corrected?
| 3437 | Incident Response | Nerc_Cip_R5 | Has the Responsible Entity developed, documented and implemented a Cyber Security Incident response implementation and testing plan from CIP-008-5 R2 for one or more Cyber Security Incident response plans, and where deficiencies are identified, are they analyzed and corrected?
| 3438 | Incident Response | Nerc_Cip_R5 | Does the Responsible Entity maintain Cyber Security Incident response plans in a manner that reviews, updates and communicates roles and responsibilities?
| 3439 | Continuity | Nerc_Cip_R5 | Does the Responsible Entity have a documented recovery plan and a process that identifies and corrects deficiencies as described in CIP-009-5 R1?
| 3440 | Continuity | Nerc_Cip_R5 | Does the Responsible Entity implement one or more documented processes listed in CIP-009-5 R2 for recovery plan implementation and testing, and are deficiencies identified and corrected?
| 3441 | Continuity | Nerc_Cip_R5 | Are updates to the recovery plans made and communicated to personnel responsible for the activation and implementation of the recovery plans within 60 calendar days of the change completion?
| 3442 | Configuration Management | Nerc_Cip_R5 | Does the organization monitor changes to the baseline configuration at least every 35 days?
| 2978 | Access Control | NISTIR_7628 | Does the organization control the use of personally owned and removable media in the Smart Grid system?
| 2979 | Audit and Accountability | NISTIR_7628 | Is the Smart Grid system configured to synchronize with internal Smart Grid system clocks on an organization-defined frequency using an organization-defined time source?
| 2980 | Risk Management and Assessment | NISTIR_7628 | Does the organization report the security state of the Smart Grid system to the management authority according to company-defined policy?
| 2981 | Configuration Management | NISTIR_7628 | Does the organization analyze changes to the Smart Grid system for potential security impacts?
| 2982 | Configuration Management | NISTIR_7628 | Does the organization establish terms and conditions for installing any hardware, firmware, or software on Smart Grid system devices?
| 2983 | Configuration Management | NISTIR_7628 | Is there an inventory of the components of the Smart Grid system that documents the names or roles of the individuals responsible for administering those components?
| 2984 | Configuration Management | NISTIR_7628 | Are the factory default settings changed during maintenance?
| 2985 | Continuity | NISTIR_7628 | Are the continuity of operations security policy and the associated continuity of operations protection requirements developed, implemented, and reviewed according to company policy?
| 2986 | Continuity | NISTIR_7628 | Is the authorizing official or designated representative who reviews and approves the continuity of operations plan specified?
| 2987 | Continuity | NISTIR_7628 | Are individuals with continuity of operations roles and responsibilities identified?
| 2988 | Continuity | NISTIR_7628 | Does the organization train personnel in their continuity of operations roles and responsibilities?
| 2989 | Information and Document Management | NISTIR_7628 | Does the document management policy address the purpose of the document management security program as it relates to protecting the organization's personnel and assets?
| 2990 | Information and Document Management | NISTIR_7628 | Does the document management policy address the scope of the document management security program as it applies to all organizational staff and third-party contractors?
| 2991 | Incident Response | NISTIR_7628 | Does the organization train personnel in their incident response roles and responsibilities with respect to the Smart Grid system, and do they receive refresher training as defined by company policy?
| 2992 | Communication Protection | NISTIR_7628 | Are communications with Smart Grid information system components restricted to specific components in the Smart Grid information system? Also, are communications with any non-Smart Grid system denied unless separated by a controlled logical/physical interface?
| 3804 | Awareness and Training | NISTIR_7628_R1 | Does the organization ensure that the awareness and training security policy and procedures comply with applicable federal, state, local, tribal, and territorial laws and regulations?
| 3805 | Audit and Accountability | NISTIR_7628_R1 | Does the organization audit activities associated with configuration changes to the system?
| 3806 | Security Assessment and Authorization | NISTIR_7628_R1 | Does management commit to ensuring compliance with the organization's security assessment and authorization security policy and other regulatory requirements?
| 3807 | Security Assessment and Authorization | NISTIR_7628_R1 | Does a senior official sign and approve the security authorization to operate?
| 3808 | Continuity | NISTIR_7628_R1 | Are periodic reviews of compliance with the system security policy performed to ensure compliance with all applicable laws and regulatory requirements?
| 3809 | Continuity | NISTIR_7628_R1 | Does the continuity of operations security policy address protecting the organization's personnel and assets?
| 3810 | Continuity | NISTIR_7628_R1 | Has the organization identified circumstances that could inhibit the recovery of the system to a known, secure state, and established procedures to provide compensating controls?
3811 | Incident Response | NISTIR_7628_R1 | Are the incident handling procedures integrated with continuity of operations procedures?
3812 | Incident Response | NISTIR_7628_R1 | Does the incident reporting procedure comply with applicable laws and regulations?
3813 | Incident Response | NISTIR_7628_R1 | Is the incident reporting procedure written so that it includes what is a reportable incident, granularity of information necessary, who receives the report, and the process for transmitting incident information?
3814 | Maintenance | NISTIR_7628_R1 | Does the organization sanitize system components to be serviced both at removal and re-installation?
3815 | Physical and Environmental Protection | NISTIR_7628_R1 | Does the organization ensure that investigation of and response to detected physical security incidents are part of the organization's incident response capability?
3816 | Physical and Environmental Protection | NISTIR_7628_R1 | Does the organization authorize, monitor, control, and document and maintain records for all system components entering and exiting the facility?
3817 | Plans | NISTIR_7628_R1 | Is a privacy impact assessment reviewed and approved by a management authority?
3818 | Plans | NISTIR_7628_R1 | Does the organizational planning and coordination of security related activities include both emergency and routine situations?
3819 | Personnel | NISTIR_7628_R1 | Does a formal accountability process comply with applicable regulatory requirements, policies, standards, and guidance?
3820 | Risk Management and Assessment | NISTIR_7628_R1 | Are system and information security impact levels specified and documented in the security plan for the system?
3821 | Risk Management and Assessment | NISTIR_7628_R1 | Does the organization review the system and information impact levels on an organizationally-defined frequency?
3822 | Risk Management and Assessment | NISTIR_7628_R1 | Are assessments conducted to determine risk impacts from unauthorized access, use, disclosure, disruption, modification, or destruction of information and systems?
3823 | Risk Management and Assessment | NISTIR_7628_R1 | Are risk assessments updated when significant changes occur to the system or on an organizationally-defined frequency?
3824 | System and Services Acquisition | NISTIR_7628_R1 | Are organization system acquisition contracts in compliance with applicable laws, regulations, and organization-defined security policies?
3825 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include a minimum standard for security and privacy?

3826 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include creation of a threat model for the system?
3827 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include updating product specifications to include mitigations for threats discovered during threat modeling?
3828 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include using secure coding practices?
3829 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include performance of a final security audit prior to authorization to operate in order to confirm adherence to security requirements?
3830 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include creation of a documented and tested security response plan in the event a vulnerability is discovered?
3831 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include creation of a documented and tested privacy response plan in the event a vulnerability is discovered?
3832 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include performance of a root cause analysis to understand the cause of identified vulnerabilities?
3833 | System and Services Acquisition | NISTIR_7628_R1 | Do the security engineering principles include ongoing software security training requirements for developers?
3834 | System and Services Acquisition | NISTIR_7628_R1 | Do the system developers/integrators perform testing of developed security code only on non-production systems?
3835 | Communication Protection | NISTIR_7628_R1 | Does the organization use cryptographic mechanisms to ensure information integrity?
3836 | Communication Protection | NISTIR_7628_R1 | Does the organization employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission?
3837 | Communication Protection | NISTIR_7628_R1 | Does the system employ secure methods for the establishment and management of cryptographic keys?
3838 | Communication Protection | NISTIR_7628_R1 | Are cryptography and other security functions (e.g. hashes, random number generators) that are required for use in smart grid information systems NIST (FIPS) approved?
3839 | Communication Protection | NISTIR_7628_R1 | Has the organization developed a collaborative computing policy and do they update and review it on a defined frequency?
3840 | Communication Protection | NISTIR_7628_R1 | Does the organization document, monitor, and manage the use of mobile code within the system?
825 | Policies | Nrc_571 | Does the access control policy address the management of CDAs?
826 | Policies | Nrc_571 | Does the access control policy address the protection of password/key databases?

827 | Policies | Nrc_571 | Does the access control policy address the auditing of CDAs annually or immediately upon changes in personnel responsibilities or major changes in system configurations or functionality?
828 | Access Control | Nrc_571 | Are all user rights and privileges on the CDA assigned consistent with the user authorizations?
829 | Access Control | Nrc_571 | Are privileged functions for CDAs defined and documented?
830 | Communication Protection | Nrc_571 | Are there assigned authorizations for controlling the flow of information in near-real time, within CDAs and between interconnected systems?
831 | Communication Protection | Nrc_571 | Have the types of permissible and impermissible information flow between CDAs, security boundary devices, and boundaries been analyzed and addressed, and is the required level of authorization implemented as defined in the defensive strategy?
832 | Communication Protection | Nrc_571 | Are CDAs configured so user credentials are not transmitted in clear text, and is this documented in the access control policy?
833 | Access Control | Nrc_571 | Are the security functions restricted to the least number of users necessary?
834 | Access Control | Nrc_571 | Are all end users required to report any suspicious activity to the Cybersecurity Program manager?
835 | Access Control | Nrc_571 | Are physical notices installed for when a CDA cannot support system use notifications?
836 | Access Control | Nrc_571 | Are CDAs configured to allow users to directly initiate session lock mechanisms?
837 | Physical Security | Nrc_571 | Is the use of access controls documented, supervised, and reviewed?
838 | Info Protection | Nrc_571 | Is the hard and soft copy information in storage, in process, and in transmission labeled?
839 | Access Control | Nrc_571 | Are CDAs secured through media access control address locking, physical or electrical isolation, static tables, encryption, or monitoring?
840 | Communication Protection | Nrc_571 | Are protocols prohibited from initiating commands except within the same boundary?
841 | Communication Protection | Nrc_571 | Are protocols prohibited from initiating commands that could change the state of the CDA from a more secured posture to a less secured posture?
842 | Portable/Mobile/Wireless | Nrc_571 | Is wireless access only allowed through a boundary security control device and are wireless connections treated as outside of the security boundary?
843 | Portable/Mobile/Wireless | Nrc_571 | Is the use of wireless technologies for CDAs associated with safety-related and important-to-safety functions prohibited?
844 | Portable/Mobile/Wireless | Nrc_571 | Are mobile devices used only in one security level, and are mobile devices not moved between security levels?

845 | Communication Protection | Nrc_571 | Are alternative controls or countermeasures implemented to protect the CDAs from cyber attack up to and including the design-basis threat (DBT) when proprietary protocols that create a lack of visibility are used?
846 | Communication Protection | Nrc_571 | Do you ensure that external systems cannot be accessed from higher levels, such as Levels 3 and 4?
847 | Audit and Accountability | Nrc_571 | Are CDAs prevented from purging audit event records on restart?
848 | Audit and Accountability | Nrc_571 | Are the justification and details for alternate compensating security controls documented for those instances in which a CDA cannot respond to audit processing failures?
849 | Audit and Accountability | Nrc_571 | Does the response to audit failures include using an external system to provide these capabilities?
850 | Audit and Accountability | Nrc_571 | Are methods of time synchronization used that do not introduce a vulnerability to cyber attack and/or common-mode failure?
851 | Audit and Accountability | Nrc_571 | Is audit information protected at the same level as the device sources?
852 | Audit and Accountability | Nrc_571 | Are CDAs and audit records protected against an individual falsely denying they performed a particular action?
853 | System Protection | Nrc_571 | Are CDAs configured to isolate security functions from nonsecurity functions including control of access to and integrity of the hardware, software, and firmware performing these security functions?
854 | System Protection | Nrc_571 | Are CDAs configured to use underlying hardware separation mechanisms to facilitate security function isolation?
855 | Monitoring & Malware | Nrc_571 | Are devices and ports locked via address locking to prevent MITM attacks and rogue devices from being added to the network?
856 | Monitoring & Malware | Nrc_571 | Is network access control used to prevent MITM attacks and rogue devices from being added to the network?
857 | Monitoring & Malware | Nrc_571 | Is the network monitored to detect MITM attacks and address resolution protocol poisoning?
858 | Communication Protection | Nrc_571 | Are CDAs configured to prohibit remote activation of collaborative computing (e.g., IM, video conferencing) and is there an indication of use to the local user?
859 | Communication Protection | Nrc_571 | Are systems that provide name/address resolution to CDAs configured to indicate the security status of child subspaces and, if the child supports secure resolution services, enabled verification of a chain of trust among parent and child domains?

860 | Communication Protection | Nrc_571 | Do CDAs fail in a known state so that SSEP functions are not adversely impacted by the CDA's failure?
861 | Account Management | Nrc_571 | Do the identification and authentication policy and procedures ensure that the user identifier is issued to the intended party?
862 | Account Management | Nrc_571 | Do the identification and authentication policy and procedures require the disabling of the user identifier after a maximum of 30 days of inactivity?
863 | Account Management | Nrc_571 | Do the identification and authentication policy and procedures require archiving of user identifiers?
864 | Communication Protection | Nrc_571 | Is secure domain-based authentication implemented?
865 | Communication Protection | Nrc_571 | Are domain controllers within the given security level they service?
866 | Communication Protection | Nrc_571 | Are domain controllers physically and logically secured?
867 | Communication Protection | Nrc_571 | Are domain trust relationships between domains of different security levels prohibited?
868 | Communication Protection | Nrc_571 | Are domain authentication protocols prohibited from being passed between boundaries?
869 | Communication Protection | Nrc_571 | Is role-based access control used to restrict user privileges to only those required to perform the task?
870 | Access Control | Nrc_571 | Are passwords not found in a dictionary, and do they not contain predictable sequences of numbers or letters?
871 | Access Control | Nrc_571 | Are copies of master passwords stored in a secure location with limited access?
872 | Access Control | Nrc_571 | Is the authority to change master passwords limited to authorized personnel?
873 | Physical Security | Nrc_571 | Do adequate physical security controls exist requiring operators be both authorized and properly identified, and are they monitored so operator actions are audited and recorded?
874 | Physical Security | Nrc_571 | Is access to nonauthenticated human-machine interactions (NHMI) controlled so as to not hamper HMI while maintaining security of the NHMI and ensuring that access to the NHMI is limited to only authorized personnel?
875 | Account Management | Nrc_571 | Are SSEP functions not adversely affected by authentication, session lock, or session termination controls?
876 | Audit and Accountability | Nrc_571 | Is the auditing capability implemented on NHMIs to ensure that all operator activity is recorded and monitored by authorized and qualified personnel and are historical records maintained?
877 | Account Management | Nrc_571 | Is the user identifier disabled after a maximum of 30 days of inactivity?
878 | Account Management | Nrc_571 | Is the initial authenticator content defined? (Such as defining password length and composition, tokens, keys, and other means of authenticating)
879 | Access Control | Nrc_571 | Do CDA authentication mechanisms prevent information (e.g. debug information, system banners) that an attacker could use to compromise authentication mechanisms?

880 | System Integrity | Nrc_571 | Are the operating system and software patches documented to allow traceability, and is there verification that no extra services are reinstalled or reactivated?
881 | Maintenance | Nrc_571 | Are software components that are not required for the operation and maintenance removed or disabled before incorporating the CDA into the production environment?
882 | Maintenance | Nrc_571 | Are the components that were removed or disabled documented?
883 | System Integrity | Nrc_571 | all unused network device drivers
884 | System Integrity | Nrc_571 | unused peripherals
885 | System Integrity | Nrc_571 | messaging services
886 | System Integrity | Nrc_571 | servers or clients for unused services (e.g., ftp, smtp, telnet, outlook express)
887 | System Integrity | Nrc_571 | software compilers in all user workstations and servers except for development workstations and servers
888 | System Integrity | Nrc_571 | compilers for languages that are not used in the control system
889 | System Integrity | Nrc_571 | unused networking and communications protocols
890 | System Integrity | Nrc_571 | unused administrative utilities, diagnostics, network management, and system management functions
891 | System Integrity | Nrc_571 | backups of files, databases, and programs used only during system development
892 | System Integrity | Nrc_571 | all unused data and configuration files
893 | System Integrity | Nrc_571 | sample programs and scripts
894 | System Integrity | Nrc_571 | unused document processing utilities
895 | System Integrity | Nrc_571 | unused removable media support
896 | System Integrity | Nrc_571 | games
897 | Communication Protection | Nrc_571 | Does configuration of the host intrusion detection system (HIDS) include attributes to enable detection of cyber attacks up to and including the DBT?

898 | Communication Protection | Nrc_571 | Is the HIDS configured to log system and user account connections to alert security personnel if an abnormal situation occurs?
899 | Communication Protection | Nrc_571 | Is the HIDS configured so it does not adversely impact the CDA safety, security, and emergency preparedness functions?
900 | Communication Protection | Nrc_571 | Are the security logging storage devices configured as "append only" to prevent alteration of records on those storage devices?
901 | Communication Protection | Nrc_571 | Are rules updates and patches to the HIDS implemented as security issues are identified?
902 | Communication Protection | Nrc_571 | Are the HIDS configuration documents secured to ensure that only authorized personnel may access them?
903 | Communication Protection | Nrc_571 | Are CDAs configured with the lowest privilege, data, commands, file, and account access?
904 | Communication Protection | Nrc_571 | Are system services configured to execute at the lowest privilege level possible for that service and is the configuration documented?
905 | Configuration Management | Nrc_571 | Is the changing or disabling of access to files and functions documented?
906 | Access Control | Nrc_571 | Is the BIOS password protected from unauthorized changes?
907 | Access Control | Nrc_571 | Are the mitigation measures documented when password protection of the BIOS is not technically feasible?
908 | Access Control | Nrc_571 | Are network devices used to limit access to and from specific zones?
909 | System Integrity | Nrc_571 | Is there documentation allowing the system administrators to reenable devices if the devices are disabled by software, and is the configuration documented?
910 | Configuration Management | Nrc_571 | Is there verification and documentation that replacement devices are configured in a manner that is equal to or better than the original?
911 | Monitoring & Malware | Nrc_571 | Are vulnerability notifications processed within 4 hours of receipt of the vulnerability information?
912 | Configuration Management | Nrc_571 | Are updates or workarounds to the baseline authorized and documented before implementation?
913 | Configuration Management | Nrc_571 | Are received cybersecurity updates tested on a nonproduction system/device for validation before installing on production systems?
914 | Configuration Management | Nrc_571 | Does the nonproduction system/device accurately replicate the production CDA?
915 | Info Protection | Nrc_571 | Are automated mechanisms used to restrict access to media storage areas, audit access attempts, and grant accesses?

916 | Info Protection | Nrc_571 | Are digital and nondigital media protected during transport outside of controlled areas using defined security measures?
917 | Info Protection | Nrc_571 | Is the guidance in NIST SP 800-88 followed to sanitize CDA media?
918 | Info Protection | Nrc_571 | Is information destroyed by a method that precludes reconstruction by means available to the DBT adversaries?
919 | Info Protection | Nrc_571 | Are the CDA media requiring sanitization and the appropriate techniques and procedures to be used in the process identified?
920 | Info Protection | Nrc_571 | Is identified CDA media sanitized before disposal or release for reuse and is sanitization consistent?
921 | Personnel | Nrc_571 | Are exit interviews conducted promptly upon termination or transfer of an individual's employment?
922 | Personnel | Nrc_571 | Are appropriate personnel promptly informed of status change, transfer, or termination of an individual's employment?
923 | Procedures | Nrc_571 | neutralizing malicious activity?
924 | Procedures | Nrc_571 | secure monitoring and management of security mechanisms?
925 | Procedures | Nrc_571 | time synchronization for all security-related devices?
926 | Procedures | Nrc_571 | that the physical and logical security of the monitoring network matches or exceeds, and differs from, the systems or networks being monitored?
927 | System Integrity | Nrc_571 | Are there procedures for correcting security flaws in CDAs?
928 | Procedures | Nrc_571 | Are there procedures for performing vulnerability scans and assessments of the CDA to validate that the flaw has been eliminated before the CDA is put into production?
929 | Portable/Mobile/Wireless | Nrc_571 | Are users not allowed to introduce unauthorized removable media onto the CDAs?
930 | Portable/Mobile/Wireless | Nrc_571 | Are all media interfaces disabled that are not required for the operation of the CDA?
931 | System Integrity | Nrc_571 | Are the need, severity, methods, and timeframes for implementing security directives independently evaluated and determined?
932 | System Integrity | Nrc_571 | Are hardware access controls used to prevent unauthorized software changes?
933 | System Integrity | Nrc_571 | Are tamper evident packaging seals inspected on a regular basis?
934 | Access Control | Nrc_571 | Is information checked automatically for accuracy, completeness, validity, and authenticity as close to the point of origin as possible?
935 | Access Control | Nrc_571 | Are inputs passed to interpreters prescreened to prevent the content from being unintentionally interpreted as commands?

936 | Policies & Procedures General | Nrc_571 | Do the system maintenance policy and procedures cover assets located in all security boundaries?
937 | Maintenance | Nrc_571 | Are there mechanisms implemented to detect unauthorized command execution by an escorted individual OR are there personnel with required access authorization and knowledge necessary designated to supervise escorted personnel?
938 | Physical Security | Nrc_571 | Are officials designated to review and approve the access lists and authorization credentials?
939 | Physical Security | Nrc_571 | Is logical access controlled through the use of electronic devices and software?
940 | Physical Security | Nrc_571 | Is there adequate lighting for access monitoring devices?
941 | Planning | Nrc_571 | Does the defensive strategy include and identify the protective controls associated within each security level?
942 | Planning | Nrc_571 | Does the defensive model identify the logical boundaries for data transfer and associated communication protocols?
943 | Planning | Nrc_571 | Does the defensive model define the level of connectivity permitted between levels and individual CDAs?
944 | Planning | Nrc_571 | Are the elements of the defensive strategy incorporated into CDAs?
945 | Planning | Nrc_571 | Are the security controls applied commensurate with the risk associated to perform the function required?
946 | Defense in Depth | Nrc_571 | Is the highest degree of cybersecurity protection allocated to CDAs that carry out safety, important to safety, and security functions, and are they protected from lower defensive levels?
947 | Defense in Depth | Nrc_571 | Is remote access to CDAs located in the highest defensive level prevented?
948 | Defense in Depth | Nrc_571 | Is spoofing of addresses from one security level to another prevented?
949 | Defense in Depth | Nrc_571 | Is only one-way data flow from Level 4 to Level 3 and from Level 3 to Level 2 allowed?
950 | Defense in Depth | Nrc_571 | Is the initiation of communications from digital assets at lower security levels to digital assets at higher security levels prohibited?
951 | Defense in Depth | Nrc_571 | Is bi-directional communication only allowed between CDAs in Level 4 within a security Level 4?
952 | Defense in Depth | Nrc_571 | Do nonsafety systems that have bi-directional communication to safety systems have the same level of protection as the safety systems?
953 | Defense in Depth | Nrc_571 | Does one-way data flow from one level to other levels only occur through a device that enforces the security policy between each level and detects, prevents, delays, mitigates, and recovers from a cyber attack coming from the lower security level?

954 | Defense in Depth | Nrc_571 | Are data, software, firmware, and devices moved from lower levels of security to higher levels of security using a documented validation process or procedure that is trustworthy at or above the trust level of the device on which the data, code, information, or device will be installed or connected?
955 | Defense in Depth | Nrc_571 | Are CDAs that provide safety, important-to-safety, security, or control functions allocated defensive Level 4 protection?
956 | Defense in Depth | Nrc_571 | Are CDAs that provide data acquisition functions allocated at least defensive Level 3 protection?
957 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels physically and logically secure and harden CDAs?
958 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels employ secure management communications and encryption in accordance with Appendix B to RG 5.71?
959 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels provide logging and alert capabilities?
960 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels provide intrusion detection and prevention capabilities?
961 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels detect and prevent malware from moving between boundaries?
962 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels have the ability to perform more than stateful inspection of the protocols used across the boundary?
963 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels deny traffic, except when explicitly authorized?
964 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels provide protocol, source, and destination filtering?
965 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels base blocking on source and destination address pairs, services, and ports?
966 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels permit neither incoming nor outgoing traffic by default?
967 | Defense in Depth | Nrc_571 | Are boundary control devices between higher and lower security levels managed through a direct connection to the firewall or through a dedicated interface?
968 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels prohibit direct communication to the firewall from any of the managed interfaces?

969 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels record information on accepted and rejected connections, traffic monitoring, analysis, and intrusion detection?
970 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels forward logs to a centralized logging server?
971 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels enforce destination authorization and restrict users by allowing them to reach only the CDAs necessary for their function?
972 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels record information flow for traffic monitoring, analysis, and intrusion detection?
973 | Defense in Depth | Nrc_571 | Are boundary control devices between higher and lower security levels deployed and maintained by authorized personnel trained in the technologies used?
974 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels permit acquisition and control networks to be severed from corporate networks in times of serious cyber incidents or when directed by authorized personnel?
975 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels contain a rule set that is evaluated, analyzed, and tested before deployment and routinely upon modification and updates to the operational software and firmware?
976 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels receive time synchronization from a trusted and dedicated source existing on the security network, attached directly to the CDA or via SNTP and a trusted key management process?
977 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels synchronize time with CDAs?
978 | Defense in Depth | Nrc_571 | Are boundary control devices between higher and lower security levels capable of forwarding logging information in a standard format to a secure logging server or using an external device?
979 | Defense in Depth | Nrc_571 | Are the logs of boundary control devices between higher and lower security levels routinely reviewed by personnel to detect malicious or anomalous activity?
980 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels contain a rule set that is updated quarterly?
981 | Defense in Depth | Nrc_571 | Do security boundary control devices between higher security levels and lower security levels use only physically and logically secured and hardened computing devices and flow control?

982 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels allow no information to be transferred directly from networks, systems, or CDAs at a lower security level to networks, systems, or CDAs at Level 4?
983 | Defense in Depth | Nrc_571 | Do boundary control devices between higher and lower security levels prevent viruses or other malicious or unwanted programs from propagating information between security levels?
984 | Incident Response | Nrc_571 | Do incident response procedures direct containment activities and provide for assisting operations personnel in conducting an operability determination?
985 | Incident Response | Nrc_571 | Do incident response procedures provide for isolating the affected CDA with approval by shift superintendent operations and verifying that surrounding or interconnected CDAs, networks, and support systems are not contaminated, degraded, or compromised?
986 | Incident Response | Nrc_571 | Do eradication activities identify the attack and the compromised pathway?
987 | Incident Response | Nrc_571 | Are incident response training exercises documented, and are personnel qualified and trained?
988 | Incident Response | Nrc_571 | Are drills of the incident response capability for CDAs tested and conducted at least annually?
989 | Incident Response | Nrc_571 | Are defined tests or drills or both used to update the incident response capability to maintain its effectiveness?
990 | Incident Response | Nrc_571 | Are the results of testing and drills documented?
991 | Incident Response | Nrc_571 | Are there incident response testing and drill procedures?
992 | Incident Response | Nrc_571 | Are automated mechanisms used to test or drill the incident response capability?
993 | Incident Response | Nrc_571 | Are announced and unannounced tests and drills conducted and documented?
994 | Incident Response | Nrc_571 | Is there an integrated cybersecurity incident response team (CSIRT)?
995 | Incident Response | Nrc_571 | In the event of an unplanned incident that reduces the number of required cybersecurity personnel, are other trained and qualified onsite cybersecurity personnel used, or are off-duty personnel called in within 2 hours from the time of discovery?
996 | Incident Response | Nrc_571 | Is the team provided with the technical skills and authority to effectively respond to a potential cybersecurity event?
997 | Incident Response | Nrc_571 | Are the processes, procedures, and controls documented that the team will employ upon the discovery or identification of a potential or actual cybersecurity attack?
998 | Incident Response | Nrc_571 | Is the identification of what constitutes a cybersecurity incident defined and documented?

999 | Incident Response | Nrc_571 | Is the identification of threat level classification for incidents defined and documented?
1000 | Incident Response | Nrc_571 | Is the description of actions to be taken for each component of the Incident Response & Recovery (IR&R) process defined and documented?
1001 | Incident Response | Nrc_571 | Is the description of individual postulated classes or categories of incidents or attacks and indicators and potential or planned methods of mitigation defined and documented?
1002 | Incident Response | Nrc_571 | Is the identification of defensive strategies that would assist in identifying and containing a cyber attack defined and documented?
1003 | Incident Response | Nrc_571 | Is the description of the CSIRT incident notification process defined and documented?
1004 | Incident Response | Nrc_571 | Is the description of incident documentation requirements defined and documented?

1005

Incident Response

Nrc_571

1006

Incident Response

Nrc_571

1007

Incident Response

Nrc_571

1008

Incident Response

Nrc_571

1009

Incident Response

Nrc_571

1010

Incident Response

Nrc_571

1011

Incident Response

Nrc_571

1012

Plans

Nrc_571

1013

Plans

Nrc_571

1014

Continuity

Nrc_571

Is the establishment of coordinated and secure communication methods to be used
between local and remote CSIRT members and outside agencies defined and
documented?
Is the description of response escalation requirements defined and documented?
Is the following incident data collected: incident title, date of incident, reliability of report,
type of incident, entry point, perpetrator, type of system, hardware and software
impacted, brief description of incident, impact on organization, measures to prevent
recurrence, and references?
Does the CSIRT consist of individuals with knowledge and experience in information and
digital system technology?
Does the CSIRT consist of individuals with knowledge and experience in nuclear facility
operations, engineering, and safety?
Does the CSIRT consist of individuals with knowledge and experience in physical and
operational security?
Are the competent and trained incident response support personnel available year round,
24 hours per day to offer advice and assistance?
Does the incident response plan define the resources and management support needed
to effectively maintain and mature an incident response capability?
Is the incident response plan reviewed and approved by the Cybersecurity Program
Sponsor?
the required response to events or conditions that activate the recovery plan?

1015 | Continuity | Nrc_571 | procedures for operating the CDAs in manual mode, when external electronic connections are severed, until secure conditions can be restored?
1016 | Continuity | Nrc_571 | processes and procedures for the backup and secure storage of information?
1017 | Continuity | Nrc_571 | complete and up-to-date logical diagrams depicting network connectivity?
1018 | Continuity | Nrc_571 | Does it contain current configuration information for components?
1019 | Continuity | Nrc_571 | Does it contain a list of personnel authorized for physical and cyber access to the CDA?
1020 | Continuity | Nrc_571 | a communication procedure and list of personnel to contact in the case of an emergency?
1021 | Continuity | Nrc_571 | documented requirements for the replacement of components?
1022 | Continuity | Nrc_571 | Does the contingency plan maintain the SSEP functions by developing and disseminating roles, responsibilities, and assigned individuals with contact information?
1023 | Continuity | Nrc_571 | Does the contingency plan maintain the SSEP functions by defining activities associated with determining the effects of CDAs after a compromise, disruption, or failure and restoring the CDAs?
1024 | Continuity | Nrc_571 | Is the contingency plan development coordinated with organizations responsible for related plans and requirements?
1025 | Continuity | Nrc_571 | Are the required resources and capacity maintained to ensure that necessary information processing, telecommunications, and environmental support exist during crisis situations?
1026 | Continuity | Nrc_571 | Are the resources needed to ensure that the capacity necessary for information processing, telecommunications, and environmental support exist during crisis situations documented?
1027 | Continuity | Nrc_571 | Do CDAs execute predetermined actions in the event of a loss of processing within a CDA or a loss of communication with operational facilities?
1028 | Continuity | Nrc_571 | Is recovery and reconstitution of CDAs included in contingency plan testing?
1029 | Continuity | Nrc_571 | Are alternate controls established and documented for when the contingency plan cannot be tested or exercised on production CDAs?
1030 | Continuity | Nrc_571 | Are scheduled and unscheduled system maintenance activities used as an opportunity to test or exercise the contingency plan?
1031 | Continuity | Nrc_571 | Are personnel trained in their contingency roles and responsibilities with respect to the CDAs?

1032 | Continuity | Nrc_571 | Is refresher training provided at least annually or consistent with the overall contingency program, whichever period is shorter?
1033 | Continuity | Nrc_571 | Are there training procedures, and are training records of individuals documented?
1034 | Continuity | Nrc_571 | Are training drills used to familiarize contingency personnel with the facility, CDAs, and available resources and in evaluating the site's capabilities to support contingency operations?
1035 | Continuity | Nrc_571 | Are realistic test/drill scenarios and environments used that effectively stress the CDAs?
1036 | Continuity | Nrc_571 | Is the timeframe established and documented when data or the CDA must be restored and the frequency at which critical data and configurations are changing?
1037 | Continuity | Nrc_571 | Are CDAs recovered and reconstituted to a known secure state following a disruption or failure (which may include regression testing)?
1038 | Training | Nrc_571 | Are individuals trained to a level of cybersecurity knowledge appropriate to their assigned responsibilities?
1039 | Training | Nrc_571 | Are the requirements for cybersecurity awareness implemented and documented?
1040 | Training | Nrc_571 | Is the content of cybersecurity training based on assigned roles and responsibilities?
1041 | Training | Nrc_571 | Is the content of cybersecurity training based on specific requirements identified by the defensive strategy?
1042 | Training | Nrc_571 | Is the content of cybersecurity training based on CDAs to which personnel have authorized access?
1043 | Training | Nrc_571 | Does the cybersecurity awareness training address the site-specific objectives, management expectations, programmatic authority, roles and responsibilities, policies, procedures, and consequences for noncompliance with the cybersecurity program?
1044 | Training | Nrc_571 | Does the cybersecurity awareness training address general attack methodologies and appropriate and inappropriate cybersecurity practices?
1045 | Training | Nrc_571 | Does the cybersecurity awareness training address unusually heavy network traffic?
1046 | Training | Nrc_571 | Does the cybersecurity awareness training address out of disk space or significantly reduced free disk space?
1047 | Training | Nrc_571 | Does the cybersecurity awareness training address unusually high CPU usage?
1048 | Training | Nrc_571 | Does the cybersecurity awareness training address creation of new user accounts?
1049 | Training | Nrc_571 | Does the cybersecurity awareness training address attempted or actual use of administrator-level accounts?
1050 | Training | Nrc_571 | Does the cybersecurity awareness training address locked-out accounts?

1051 | Training | Nrc_571 | Does the cybersecurity awareness training address an account in use when the user is not at work?
1052 | Training | Nrc_571 | Does the cybersecurity awareness training address cleared log files?
1053 | Training | Nrc_571 | Does the cybersecurity awareness training address full log files with an unusually large number of events?
1054 | Training | Nrc_571 | Does the cybersecurity awareness training address antivirus or IDS alerts?
1055 | Training | Nrc_571 | Does the cybersecurity awareness training address disabled antivirus software and other security controls?
1056 | Training | Nrc_571 | Does the cybersecurity awareness training address unexpected patch changes?
1057 | Training | Nrc_571 | Does the cybersecurity awareness training address machines connecting to outside IP addresses?
1058 | Training | Nrc_571 | Does the cybersecurity awareness training address requests for information about the system?
1059 | Training | Nrc_571 | Does the cybersecurity awareness training address unexpected changes in configuration settings?
1060 | Training | Nrc_571 | Does the cybersecurity awareness training address unexpected system shutdown?
1061 | Training | Nrc_571 | Does the cybersecurity awareness training address unusual activity from control devices?
1062 | Training | Nrc_571 | Does the cybersecurity awareness training address loss of signal from control devices?
1063 | Training | Nrc_571 | Does the cybersecurity awareness training address unusual equipment in secure areas?
1064 | Training | Nrc_571 | Does the cybersecurity awareness training address the contacts to whom to report suspicious activity, incidents, and violations of cybersecurity policies, procedures, or practices?
1065 | Training | Nrc_571 | Does the cybersecurity awareness training explain why access and control methods are required?
1066 | Training | Nrc_571 | Does the cybersecurity awareness training address the measures users can employ to reduce risks?
1067 | Training | Nrc_571 | Does the cybersecurity awareness training address the impact on the organization if the control methods are not incorporated?
1068 | Training | Nrc_571 | Is there a training program for personnel performing, verifying, or managing activities within the scope of the program to ensure that suitable proficiency is achieved and maintained?

1069 | Training | Nrc_571 | Do individuals who have cybersecurity responsibilities related to programs, processes, or procedures, or who are involved in the design, modification, and maintenance of CDAs, receive technical training?
1070 | Training | Nrc_571 | Is cybersecurity-related technical training provided to individuals before authorizing access to CDAs or performing assigned duties?
1071 | Training | Nrc_571 | Is cybersecurity-related technical training provided to individuals when required by policy or procedure changes and plant modifications?
1072 | Training | Nrc_571 | Is cybersecurity-related technical training provided to individuals annually or at an interval as defined by the organization, whichever is shorter?
1073 | Training | Nrc_571 | Is cybersecurity-related technical training provided to those individuals whose roles and responsibilities involve designing, installing, operating, maintaining, or administering CDAs or associated networks?
1074 | Training | Nrc_571 | Does cybersecurity-related technical training include specific cybersecurity and engineering procedures, practices, and technologies, including implementation methods and design requirements?
1075 | Training | Nrc_571 | Does cybersecurity-related technical training include general information on cyber vulnerabilities, potential consequences to CDAs and networks of successful cyber attacks, and cybersecurity risk reduction methods?
1076 | Training | Nrc_571 | Are system managers, cybersecurity specialists, system owners, network administrators, and other personnel having access to system-level software provided with security-related technical training to perform their assigned duties?
1077 | Training | Nrc_571 | Do individuals who have programmatic and procedural cybersecurity authority and require the necessary skills and knowledge to execute capabilities expected of a cybersecurity specialist receive specialized cybersecurity training?
1078 | Training | Nrc_571 | Are the requirements for advanced training for designated security experts or specialists?
1079 | Training | Nrc_571 | Does advanced training include achievement and maintenance of the necessary up-to-date skills and knowledge in core competencies of data security, operating system security, application security, network security, security controls, intrusion analysis, incident management and response, digital forensics, penetration testing, and plant system functionality and operations?
1080 | Training | Nrc_571 | Does advanced training include competency in the use of tools and techniques to physically and logically harden CDAs and networks?

1081 | Training | Nrc_571 | Does advanced training include the provision of cybersecurity guidance, assistance, and training for other staff members?
1082 | Training | Nrc_571 | Does advanced training include the review of programmatic and system-specific cybersecurity plans and practices?
1083 | Training | Nrc_571 | Does advanced training include the assessment of CDAs, networks, and assets for compliance with cybersecurity policies?
1084 | Training | Nrc_571 | Does advanced training include the design, acquisition, installation, operation, maintenance, or administration of security controls?
1085 | Training | Nrc_571 | Is there a cross-functional cybersecurity team (CST)?
1086 | Training | Nrc_571 | Is there a program to share expertise and varied domain knowledge between members of the CST?
1087 | Training | Nrc_571 | Does the CST include a member of the information technology staff, an instrumentation and control system engineer, a control system operator, a subject matter expert in cybersecurity, and a member of the management staff?
1088 | Training | Nrc_571 | Do the cybersecurity subject matter experts' skills include network architecture and design, security processes and practices, and secure infrastructure design and operation?
1089 | Training | Nrc_571 | Does the CST include the control system vendor or system integrator?
1090 | Training | Nrc_571 | Does the CST periodically report directly to a specified group?
1091 | Training | Nrc_571 | Does the security training describe the physical processes being controlled as well as the associated CDAs and security controls?
1092 | Training | Nrc_571 | Is there a feedback process for personnel and contractors to refine the cybersecurity program and address identified training gaps?
1093 | Training | Nrc_571 | Is contact with selected security groups maintained to remain informed of recommended security practices, techniques, and technologies and to share current security-related information?
1094 | Organizational | Nrc_571 | Is the "Cyber Security Sponsor" staffed with a member of senior site management?
1095 | Organizational | Nrc_571 | Does the "Cyber Security Sponsor" have overall responsibility and accountability for the cybersecurity program, and do they provide the resources required for the development, implementation, and sustenance of the cybersecurity program?
1097 | Organizational | Nrc_571 | provide oversight of the plant cybersecurity operations?
1098 | Organizational | Nrc_571 | function as a single point of contact for issues related to site cybersecurity?
1099 | Organizational | Nrc_571 | provide oversight and direction on issues regarding nuclear plant cybersecurity?
1100 | Organizational | Nrc_571 | initiate and coordinate CSIRT functions?

1101 | Organizational | Nrc_571 | coordinate with the NRC during cybersecurity events?
1102 | Organizational | Nrc_571 | oversee and approve the development and implementation of a cybersecurity plan?
1103 | Organizational | Nrc_571 | ensure and approve the development and operation of the cybersecurity education, awareness, and training program?
1104 | Organizational | Nrc_571 | oversee and approve the development and implementation of cybersecurity policies and procedures?
1106 | Organizational | Nrc_571 | protects CDAs from cyber threat?
1107 | Organizational | Nrc_571 | understand the cybersecurity implications surrounding the overall architecture of plant networks, control systems, safety systems, operating systems, hardware platforms, plant specific applications, and the services and protocols upon which those applications rely?
1108 | Organizational | Nrc_571 | perform cybersecurity evaluations of digital plant systems?
1109 | Organizational | Nrc_571 | Does the Cyber Security Specialist conduct security audits, network scans, and penetration tests against CDAs as necessary?
1110 | Organizational | Nrc_571 | conduct cybersecurity investigations involving compromise of CDAs?
1111 | Organizational | Nrc_571 | preserve evidence collected during cybersecurity investigations to prevent loss of evidentiary value?
1112 | Organizational | Nrc_571 | maintain expert skill and knowledge level in the area of cybersecurity?
1114 | Organizational | Nrc_571 | personnel have knowledge of cyber forensics and functions in accordance with the incident response plan?
1115 | Organizational | Nrc_571 | initiate emergency action when required to safeguard CDAs from compromise?
1116 | Organizational | Nrc_571 | assist with the eventual recovery of compromised systems?
1117 | Organizational | Nrc_571 | contain and mitigate incidents involving critical and other support systems?
1118 | Organizational | Nrc_571 | restore compromised CDAs?
1119 | Configuration Management | Nrc_571 | Do the baseline configurations include a current list of all components, configuration of peripherals, version releases of current software, and switch settings of machine components?
1120 | Configuration Management | Nrc_571 | Is the minimum physical and logical access defined for the modifications?
1121 | Configuration Management | Nrc_571 | Does the configuration management program address discovered deviations?
1122 | Configuration Management | Nrc_571 | Are white-list, black-list, and gray-list application control technologies used?

1123 | Configuration Management | Nrc_571 | Is there an automated inventory of the components of CDAs used to detect the addition of unauthorized components or devices into the environment, and does it disable access by such components or devices or notify designated officials?
1124 | Configuration Management | Nrc_571 | Is there an inventory of the components of CDAs that documents the names or roles of the individuals responsible for administering those components?
1125 | System and Services Acquisition | Nrc_571 | Are all tools used to perform cybersecurity tasks or SSEP functions required to undergo a commercial qualification process similar to that for software engineering tools that are used to develop digital instrumentation and control systems?
1126 | System and Services Acquisition | Nrc_571 | Do new acquisitions contain security design information, capabilities or both to implement security controls in Appendix B to RG 5.71?
1127 | System and Services Acquisition | Nrc_571 | Do the security capabilities include being cognizant of evolving cybersecurity threats and vulnerabilities?
1128 | System and Services Acquisition | Nrc_571 | Do the security capabilities include being cognizant of advancements in cybersecurity protective strategies and security controls?
1129 | System and Services Acquisition | Nrc_571 | Do the security capabilities include conducting analyses of the effects that each advancement could have on the security, safety, and operation of critical assets, systems, CDAs, and networks and implementing these advancements in a timely manner?
1130 | System and Services Acquisition | Nrc_571 | Do the security capabilities include replacing legacy systems as they reach end of life with systems that incorporate security capabilities?
1131 | System and Services Acquisition | Nrc_571 | Are timeframes established to minimize the time it takes to deploy new and more effective protective strategies and security controls?

1132 | System Integrity | Nrc_571 | Are weak, unproven, or nonstandard cryptographic modules identified and eliminated?
1133 | System Integrity | Nrc_571 | Are insecure network protocols for sensitive communications identified and eliminated?
1134 | System Integrity | Nrc_571 | Are insecure configuration files or options that act to control features of the application identified and eliminated?
1135 | System Integrity | Nrc_571 | Is inadequate or inappropriate use of access control mechanisms to control access to system resources identified and eliminated?
1136 | System Integrity | Nrc_571 | Are inappropriate privileges being granted to users, processes, or applications identified and eliminated?
1137 | System Integrity | Nrc_571 | Are weak authentication mechanisms identified and eliminated?
1138 | System Integrity | Nrc_571 | Is improper or missing validation of input and output data identified and eliminated?

1139 | System Integrity | Nrc_571 | Is insecure or inadequate logging of system errors or security-related information identified and eliminated?
1140 | System Integrity | Nrc_571 | Are format string vulnerabilities identified and eliminated?
1141 | System Integrity | Nrc_571 | Are privilege escalation vulnerabilities identified and eliminated?
1142 | System Integrity | Nrc_571 | Are unsafe database transactions identified and eliminated?
1143 | System Integrity | Nrc_571 | Is unsafe use of native function calls identified and eliminated?
1144 | System Integrity | Nrc_571 | Are hidden functions and vulnerable features embedded in the code identified and eliminated?
1145 | System Integrity | Nrc_571 | Are implemented security features that increase the risk of security vulnerabilities, increase susceptibility to cyber attack, or reduce the reliability of design-basis functions identified and eliminated?
1146 | System Integrity | Nrc_571 | Is the use of unsupported or undocumented methods or functions identified and eliminated?
1147 | System Integrity | Nrc_571 | Is the use of undocumented code or malicious functions that might allow either unauthorized access or use of the system or the system to behave beyond the system requirements identified and eliminated?
1148 | System and Services Acquisition | Nrc_571 | Is there documentation of the system design transformed into code, database structures, and related machine executable representations?
1149 | System and Services Acquisition | Nrc_571 | Is there documentation of the communication configuration and setup?
1150 | System and Services Acquisition | Nrc_571 | Are the results of the developer's security testing conducted in accordance with Section 12.5 of RG 5.71 verified and validated?
1151 | System and Services Acquisition | Nrc_571 | Are CDA security devices, security controls, and software tested before installation to ensure that they do not compromise the CDA or the operation of an interconnected CDA?
1152 | System and Services Acquisition | Nrc_571 | Are CDAs tested to ensure they do not provide a pathway to compromise the CDA or other CDAs?
1153 | System and Services Acquisition | Nrc_571 | Are the security controls in Appendixes B and C to RG 5.71 implemented in accordance with the process described in Section 3.1.6 of Appendix A to RG 5.71?
1154 | System and Services Acquisition | Nrc_571 | Are the security controls tested for effectiveness, as described in Section 4.1.2 of Appendix A to RG 5.71?
1155 | System and Services Acquisition | Nrc_571 | Are vulnerability scans performed in accordance with Section 4.1.3 of Appendix A to RG 5.71 and Section 13.1 of this plan?

1156 | System and Services Acquisition | Nrc_571 | Are vulnerability scans performed against the CDA in its integrated state, with correction, elimination, or discussion of discovered vulnerabilities?
1157 | System and Services Acquisition | Nrc_571 | Is the CDA installed and tested in the target environment?
1158 | System and Services Acquisition | Nrc_571 | Is there an acceptance review and test of the CDA security features?
1159 | System and Services Acquisition | Nrc_571 | Are the security controls implemented in accordance with Appendix B of RG 5.71?
1160 | System and Services Acquisition | Nrc_571 | Is the effectiveness of the security controls implemented in accordance with Appendix C verified?
1161 | System and Services Acquisition | Nrc_571 | Are the security design features developed to address the identified security requirements for the CDA documented?
1162 | System and Services Acquisition | Nrc_571 | Are the security controls implemented in accordance with Appendix B to 5.7.1?
1163 | System and Services Acquisition | Nrc_571 | Does the documentation include a description of the feature, its method of implementation, and any configurable options associated with the feature?
1164 | System and Services Acquisition | Nrc_571 | Is each security feature traceable to its corresponding security requirement?
1165 | System and Services Acquisition | Nrc_571 | Are the security reviews of the implemented design by the cybersecurity organization responsible for the protection of the critical assets/systems/networks?
1166 | System and Services Acquisition | Nrc_571 | Does the security review ensure that the security design configuration item transformations from the requirements implemented are correct, accurate, and complete?
1167 | System and Services Acquisition | Nrc_571 | Are annual audits of CDAs required to verify the security controls present during testing remain in place and are functioning correctly in the production system?
1168 | System and Services Acquisition | Nrc_571 | Are annual audits of CDAs required to verify CDAs are free from known vulnerabilities and security compromises and continue to provide information on the nature and extent of compromises?
1169 | Monitoring & Malware | Nrc_571 | Are SSEP functions not adversely impacted by the scanning process?
1170 | Monitoring & Malware | Nrc_571 | If SSEP functions are adversely impacted by the scanning process, are the CDAs removed from service or replicated before scanning is conducted, or is scanning scheduled to occur during planned CDA maintenance cycles?
1171 | Monitoring & Malware | Nrc_571 | Where the organization cannot conduct vulnerability scanning on a production CDA because of the potential for an adverse impact on SSEP functions, are alternate controls employed?
1172 | Monitoring & Malware | Nrc_571 | Are historic audit logs reviewed to determine if a vulnerability identified in the CDA has been previously exploited?
1173 | Risk Management and Assessment | Nrc_571 | Are protection and mitigation of risk achieved by implementing the defense-in-depth strategies discussed in Section 3.2 of RG 5.71?
1174 | Risk Management and Assessment | Nrc_571 | Are protection and mitigation of risk achieved by implementing the security controls described in Appendixes B and C to RG 5.71?
1175 | Risk Management and Assessment | Nrc_571 | Are protection and mitigation of risk achieved by implementing digital equipment and software cyber attack detection, prevention, and recovery techniques and tools to the systems, structures, and components within the scope of the rule?
1176 | Risk Management and Assessment | Nrc_571 | Are protection and mitigation of risk achieved by implementing Section 4 of Appendix A of RG 5.71?
1177 | Risk Management and Assessment | Nrc_571 | Is there detailed information on how these requirements are implemented to achieve the high assurance objectives of security controls specified in this plan?
1178 | Risk Management and Assessment | Nrc_571 | Is the detailed information available for NRC inspections and audits?
1179 | Organizational | Nrc_571 | Are the corrective action program criteria consistent with RG 5.71 for adverse conditions and the requirements for corrective action implemented and documented?
1584 | Risk Management and Assessment | Tsa | Has a risk assessment been conducted to weigh the benefits of implementing wireless networking against the potential risks for exploitation?
1585 | Risk Management and Assessment | Tsa | Has the need for enhanced networking control technologies for wireless networks been evaluated prior to implementation?
1828 | Risk Management and Assessment | Tsa | Has an assessment of wireless networking risk been performed before implementation?
1 | Policies & Procedures General | Universal | Are security policies and procedures implemented to define roles, responsibilities, behaviors, and practices of an overall security program?
2 | Policies & Procedures General | Universal | Does the security team assign roles and responsibilities in accordance with the policies and confirm that processes are in place to protect company assets and critical information?
3 | Policies & Procedures General | Universal | Do the security policies and procedures ensure coordination or integration with the physical security plan?

4 | Policies & Procedures General | Universal | Do the security policies and procedures delineate how the organization implements its emergency response plan and coordinates efforts with law enforcement agencies, regulators, Internet service providers, and other relevant organizations in the event of a security incident?
5 | Policies & Procedures General | Universal | Are the external suppliers and contractors that can impact system security held to the same security policies and procedures as the organization's own personnel?
6 | Policies & Procedures General | Universal | Do the security policies and procedures of second- and third-tier suppliers that can impact system security comply with the procuring organization's corporate cyber security policies and procedures?
7 | Plans | Universal | Are there policies and procedures for the delivery and removal of system assets in the system security plan?
8 | Policies & Procedures General | Universal | Are policies and procedures in place to enforce explicit rules and management expectations governing user installation of software?
9 | Plans | Universal | Does the security plan define and communicate the specific roles and responsibilities in relation to various types of incidents?
10 | Plans | Universal | Is the security plan regularly tested to validate the system objectives?
11 | Policies & Procedures General | Universal | Does the organization manage system-related data for both electronic and paper data and manage access to the data based on formally assigned roles and responsibilities?
12 | Policies & Procedures General | Universal | Are there policies and procedures detailing the handling of information and are they periodically reviewed and updated?
13 | Policies & Procedures General | Universal | Are there policies and procedures for the classification of data, both electronic and paper media?
14 | Policies & Procedures General | Universal | Do the data policies and procedures establish retention policies and procedures for both electronic and paper media?
15 | Policies & Procedures General | Universal | Do the data policies and procedures address sharing, copying, transmittal, and distribution appropriate for the level of protection required?
16 | Policies & Procedures General | Universal | Do the data policies and procedures establish access to the data based on formally assigned roles and responsibilities for the system?
17 | Policies & Procedures General | Universal | Do the policies and procedures detail the retrieval of written and electronic records, equipment, and other media for the system in the overall information and document management policy?
18 | Policies & Procedures General | Universal | Do the policies and procedures detail the destruction of written and electronic records, equipment, and other media for the system, without compromising the confidentiality of the data?

19 | Policies & Procedures General | Universal | Are there policies and procedures to upgrade existing legacy control systems to include security mitigating measures commensurate with the organization's risk tolerance and the risk to the system and processes controlled?
20 | Policies & Procedures General | Universal | Are maintenance authorization and approval policies and procedures documented?
21 | Configuration Management | Universal | Are policies and procedures implemented to address the addition, removal, and disposal of all system equipment?
22 | Policies & Procedures General | Universal | Are roles and responsibilities established that address the overlap and synergy between physical and system security risks?
23 | Policies & Procedures General | Universal | Is there a list of personnel authorized to perform maintenance on the system?
24 | Policies | Universal | System Security Policy
25 | Policies | Universal | Planning Policy
26 | Policies | Universal | Personnel Security Policy
27 | Policies | Universal | Physical and Environmental Policy
28 | Policies | Universal | System and Services Acquisition Policy
29 | Policies | Universal | Configuration Management Policy
30 | Policies | Universal | System and Communication Protection Policy
31 | Policies | Universal | Information and Document Management Policy
32 | Policies | Universal | Maintenance Policy
33 | Policies | Universal | Awareness and Training Policy
34 | Policies | Universal | Incident Response Policy
35 | Policies | Universal | Media Protection Policy
36 | Policies | Universal | System Control and Integrity Policy
37 | Policies | Universal | Access Control Policy
38 | Policies | Universal | Identification and Authentication Policy
39 | Policies | Universal | Audit and Accountability Policy
40 | Policies | Universal | Monitoring and Review Policy
41 | Policies | Universal | Security Assessment Policy
42 | Policies | Universal | Cryptographic Policy
43 | Policies | Universal | Risk Assessment Policy
44 | Policies | Universal | Does the system security policy address the purpose of the security program as it relates to protecting the organization's personnel and assets?

45

Policies

Universal

46

Policies

Universal

47

Policies

Universal

48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Procedures
Policies & Procedures
General

Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal

68

Procedures

Universal

69
70
71
72

Plans
Plans
Plans
Plans

Universal
Universal
Universal
Universal

67

Universal

Does the system security policy address the scope of the security program as it applies to
all organizational staff and third-party contractors?
Are there legal reviews of the retention policies to ensure compliance with all applicable
laws and regulations?
Are periodic reviews of compliance with the system information and document security
management policy performed to ensure compliance with any laws and regulatory
requirements?
Security Procedure
Personnel Security Procedure
Physical and Environmental Procedure
System and Services Acquisition Procedure
Configuration Management Procedure
Strategic Planning Procedure
System and Communication Protection Procedure
Information and Document Management Procedure
Maintenance Procedure
Awareness and Training Procedure
Incident Response Procedure
Media Protection Procedure
System Control and Integrity Procedure
Access Control Procedure
Identification and Authentication Procedure
Audit and Accountability Procedure
Monitoring and Review Procedure
Risk Assessment Procedure
Security Assessment Procedure
Are procedures established to remove external supplier physical and electronic access at
the conclusion/termination of the contract in a timely manner?
Does a process exist to monitor changes to the system and conduct security impact
analyses to determine the effects of the changes?
Configuration Management Plan
Security Plan
Continuity of Operations Plan
Incident Response Plan

73
74

Plans
Plans

Universal
Universal

75

Plans

Universal

76
77

Plans
Plans

Universal
Universal

Security Program Plan
Critical Infrastructure Plan
Is the risk assessment plan updated annually or whenever significant changes occur to the
system, the facilities where the system resides, or other conditions that may affect the
security or accreditation status of the system?
Does the security plan align with the organization's enterprise architecture?
Does the security plan explicitly define the authorization boundary of the system?

78

Plans

Universal

Does the security plan describe the relationships with or connections to other systems?

79

Plans

Universal

Does the security plan provide an overview of the security requirements for the system?

80

Plans

Universal

81

Plans

Universal

82

Plans

Universal

Does the security plan describe the security controls in place or planned?
Is the authorizing official or designated representative who reviews and approves the
system security plan specified?
Is the security plan for the system reviewed on a defined frequency, annually at a
minimum?

83

Plans

Universal

Does the security plan limit data ports, physical access, specific data technology, impose
additional physical and electronic inspections and physical separation requirements?

84

Plans

Universal

Is the security plan revised to address changes to the system/environment or problems
identified during plan implementation or security control assessments?

85

Plans

Universal

Does the configuration management plan define the configuration items for the system?

86

Plans

Universal

87

Plans

Universal

88

Plans

Universal

89

Continuity

Universal

90

Continuity

Universal

Does the configuration management plan define when the configuration items are placed
under configuration management?
Does the configuration management plan define the means for uniquely identifying
configuration items throughout the system development life cycle?
Does the configuration management plan define the process for managing the
configuration of the configuration items?
Does the continuity of operations plan address the issue of maintaining or re-establishing
production in case of an undesirable interruption for the system?
Do designated officials review and approve the continuity of operations plan?

Does the continuity of operations plan delineate that at the time of the disruption to
normal system operations, the organization executes its incident response policies and
procedures to place the system in a safe configuration and initiates the necessary
notifications to regulatory authorities?
Is the continuity of operations plan tested to determine its effectiveness, and are the
results documented?
Do the appropriate officials review the documented test results and initiate corrective
actions if necessary?
Is the continuity of operations plan tested at least annually, using organization-prescribed
tests and exercises?
Is the continuity of operations plan testing and exercises coordinated with the
organizational elements responsible for related plans?

91

Continuity

Universal

92

Continuity

Universal

93

Continuity

Universal

94

Continuity

Universal

95

Continuity

Universal

96

Continuity

Universal

97

Continuity

Universal

98

Continuity

Universal

99

Plans

Universal

100

Plans

Universal

101

Plans

Universal

Is the incident response plan revised to address system/organizational/operational
changes or problems encountered during plan implementation, execution, or testing?

102

Plans

Universal

Are incident response plan changes communicated to active incident response personnel?

103

Plans

Universal

104

Plans

Universal

105
106

Plans
Plans

Universal
Universal

Is the continuity of operations plan tested and exercised at the alternate processing site?
Are exercises used to thoroughly and effectively test and exercise the continuity of
operations plan?
Is the continuity of operations plan reviewed at least annually and updated to address
system, organizational, and technology changes or problems encountered during plan
implementation, execution, or testing?
Are copies of the incident response plan distributed to active incident response
personnel?
Is the incident response plan reviewed on a periodic frequency?

Is the incident response investigation and analysis process developed, tested, deployed,
and documented?
Are roles and responsibilities specified with respect to local law enforcement and/or
other critical stakeholders in an internal and shared incident response investigation and
analysis program?
Has a risk management plan been developed?
Does a senior official review and approve the risk management plan?

107

Plans

Universal

108

Plans

Universal

109

Plans

Universal

110

Plans

Universal

111

Plans

Universal

112

Plans

Universal

113

Plans

Universal

114

Plans

Universal

115

Plans

Universal

116

Plans

Universal

117

Plans

Universal

118

Plans

Universal

119

Plans

Universal

120

Plans

Universal

121

Plans

Universal

122

Plans

Universal

Is there a current plan of action and milestones for the system that documents the
planned, implemented, and evaluated remedial actions to correct weaknesses or
deficiencies noted during the assessment?
Is the plan of action reviewed at least annually?
Is there a process for ensuring that the action plan and milestones for the security
program and the associated organizational systems are maintained?
Does the security plan provide sufficient information about the program management
controls and common controls to enable an implementation that is unambiguously
compliant with the intent of the plan and a determination of the risk to be incurred if the
plan is implemented as intended?
Does the security program plan include roles, responsibilities, management commitment,
coordination among organizational entities, and compliance?
Is the security plan approved by a senior official with responsibility and accountability for
the risk being incurred to organizational operations, organizational assets, individuals, and
other organizations?
Is the organization-wide security plan reviewed on a defined frequency, at least annually?
Is the security plan revised to address organizational changes and problems identified
during plan implementation or security control assessments?
Does the incident response plan provide a roadmap for implementing the incident
response capability?
Does the incident response plan describe the structure and organization of the incident
response capability?
Does the incident response plan provide a high-level approach for how the incident
response capability fits into the overall organization?
Does the incident response plan meet the unique requirements of the organization's
mission, function, size, and structure?
Does the incident response plan define reportable incidents?
Does the incident response plan provide metrics for measuring the incident response
capability?
Are security issues addressed in the development, documentation, and updating of a
critical infrastructure and key resources protection plan?
Is the investigation and analysis of system incidents included in the planning process?

123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138

Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Risk Management and
Assessment
Plans
Risk Management and
Assessment
Risk Management and
Assessment
Organizational

Universal

Are the security controls in the system assessed on a defined frequency, at least annually,
to determine the extent the controls are implemented correctly, operating as intended,
and producing the desired outcome?

Universal

Is a security assessment report produced that documents the results of the assessment?

Universal
Universal
Universal
Universal
Universal
Universal
Universal

Are periodic, unannounced, in-depth monitoring, penetration testing, and red team
exercises included as part of the security control assessments?
Are the system connections monitored on an ongoing basis verifying enforcement of
documented security requirements?
Are the security mechanisms in the system monitored on an ongoing basis? (audit,
studies, analysis, etc.)
Are the security mechanisms that are volatile or critical to protecting the system assessed
at least annually?
Are all noncritical or nonvolatile security mechanisms assessed at least once during the
system's 3-year accreditation cycle for regulated systems?
Is there an independent assessor or assessment team to monitor the security controls in
the system on an ongoing basis?
Are information and systems categorized in accordance with applicable management
orders, policies, regulations, standards, and guidance?

Universal

Are the security categorization results documented in the system security plan?

Universal

Is the security categorization decision reviewed and approved by the authorizing official?

Universal
Universal
Universal

Are potential security threats, vulnerabilities, and consequences identified, classified,
prioritized, and analyzed using accepted methodologies?
Does the plan of action call out remedial security actions to mitigate risk to organizational
operations and assets, individuals, other organizations?
Is there a comprehensive strategy to manage risk to organizational operations and assets,
individuals, other organizations?

Universal

Is the risk management strategy implemented consistently across the organization?

Universal

Is there a defined framework of management leadership accountability that establishes
roles and responsibilities to approve cybersecurity policy, assign security roles, and
coordinate the implementation of cybersecurity?

139

Policies

Universal

140

Organizational

Universal

141

Organizational

Universal

142

Organizational

Universal

143
144

Policies & Procedures
General
Risk Management and
Assessment

Universal
Universal

Does sufficient authority and an appropriate level of funding exist to implement the
security policy?
Do contracts with external entities address security policies and procedures with business
partners, third-party contractors, and outsourcing partners?
Does the mission/business case planning include a determination of system security
requirements?
Does the capital planning and investment control process include the determination,
documentation, and allocation of the resources required to protect the system?
Is the system managed using a system development life-cycle methodology that includes
security considerations?
Are risk-reduction mitigation measures planned and implemented, and the results
monitored to ensure effectiveness of the risk management plan?
Is a set of rules that describes the system users' responsibilities and expected behavior
established and made available?
Are security-related activities affecting the system planned and coordinated before
conducting such activities to reduce the impact on organizational operations,
organizational assets, or individuals?
Does the system design and implementation process define the security roles and
responsibilities for the users of the system?
Are individuals with system security roles and responsibilities identified?
Does the security program implement continuous improvement practices to ensure that
industry lessons learned and best practices are incorporated into system security policies
and procedures?

145

Organizational

Universal

146

Organizational

Universal

147

Organizational

Universal

148

Organizational

Universal

149

Organizational

Universal

150

Policies

Universal

Is there a process for monitoring and reviewing the performance of cybersecurity policy?

151

Organizational

Universal

152

Organizational

Universal

153

Organizational

Universal

154

Organizational

Universal

155

Organizational

Universal

Are industry best practices incorporated into the security program?
Is the system authorized before being placed into operations and is the authorization
updated on a defined frequency or when significant changes occur?
Does a senior official sign and approve the security accreditation?
Is an independent certification agent or certification team used to assess the security
mechanisms in the system?
Does the authorizing official decide on the required level of certifier independence based
on the criticality and sensitivity of the system and the ultimate risk to operations and
organizational assets and individuals?

156

Organizational

Universal

Does the authorizing official determine if the level of certifier independence is sufficient
to provide confidence that the assessment results produced are sound and can be used to
make a credible, risk-based decision?

157

Organizational

Universal

Has the authorizing official consulted with representatives of the appropriate regulatory
bodies, the senior agency information security officer, and the chief information officer to
fully discuss the implications of any decisions on certifier independence?

158

Organizational

Universal

159

Organizational

Universal

160
161

Organizational
Organizational

Universal
Universal

162

Monitoring & Malware

Universal

163

Organizational

Universal

164

Organizational

Universal

165

Organizational

Universal

166

Organizational

Universal

167

Organizational

Universal

168

Organizational

Universal

Is a senior security officer appointed with the mission and resources to coordinate,
develop, implement, and maintain an organization-wide security program?
Do all capital planning and investment requests include the resources needed to
implement the security program, and are exceptions documented?
Is a business case used to record the resources required?
Are security resources available for expenditure as planned and approved?
Are the results of security measures of performance monitored and reported?
Is the security state of organizational systems managed through security authorization
processes?
Are the security authorization processes fully integrated into an organization-wide risk
management strategy?
Are the mission/business processes defined with consideration for security and the
resulting risk to organizational operations, organizational assets, individuals, other
organizations, and the nation?
Are protection needs arising from the defined mission/business processes determined
and the processes revised as necessary until an achievable set of protection needs is
obtained?
Is the independent certification agent or certification team an individual or group capable
of conducting an impartial assessment of an organizational control system?
Is the system owner prevented from being directly involved in the contracting process
and from unduly influencing the independence of the certification agent or certification
team conducting the assessment of the security mechanisms in the system?

In special situations, is the independence of the certification process achieved by ensuring
the assessment results are carefully reviewed and analyzed by an independent team of
experts to validate the completeness, consistency, and veracity of the results?

169

Organizational

Universal

170

Personnel

Universal

171
172

Personnel
Personnel

Universal
Universal

173

Personnel

Universal

174

Personnel

Universal

175

Personnel

Universal

176

Personnel

Universal

177

Personnel

Universal

Are all required controls for employees terminated for cause completed within 24 hours?

178

Personnel

Universal

Are automated processes used to revoke access permissions for terminated employees?

179

Personnel

Universal

180

Personnel

Universal

181

Policies & Procedures
General

Universal

182

Personnel

Universal

183

Personnel

Universal

184

Personnel

Universal

Is a risk designation assigned to all positions and are screening criteria established for
individuals filling those positions?
Are position risk designations periodically reviewed and revised?
Are individuals requiring access screened before access is authorized?
Are individuals with access rescreened based on a defined list of conditions and
frequency?
Is the logical and physical access to systems and facilities revoked for terminated
employees?
Does the organization ensure all organization-owned property is returned for terminated
employees?
Are documents and data files in the terminated employee's possession transferred to new
authorized owners?

Are electronic and physical access permissions reviewed when individuals are reassigned
or transferred?
Are electronic and physical access permissions reviewed within 7 days when individuals
are reassigned or transferred?
Are security controls for third-party personnel enforced, and is service provider behavior
and compliance monitored?
Does a formal accountability process exist that clearly documents potential disciplinary
actions for failing to comply?
Are employees and contractors provided with complete job descriptions including
detailed expectations of conduct, duties, terms and conditions of employment, legal
rights, and responsibilities?
Do employees and contractors acknowledge understanding of the job description by
signature?

Are periodic reviews of physical and electronic access conducted to validate terminated
account access was removed?
Is training on the implementation of the system security plan included for employees,
contractors, and stakeholders?

185

Personnel

Universal

186

Training

Universal

187

Training

Universal

Is basic security awareness training provided to all system users before authorizing access
to the system, when required by system changes and at least annually thereafter?

188

Training

Universal

Is the effectiveness of security awareness training reviewed once a year at a minimum?

189

Training

Universal

190

Training

Universal

191

Training

Universal

192

Training

Universal

193

Training

Universal

194

Training

Universal

195

Training

Universal

196

Training

Universal

197

Training

Universal

198

Training

Universal

199

Account Management

Universal

Are system accounts identified by account type and managed?

200

Account Management

Universal

Do system accounts have conditions for group membership?

Are all system design and procedure changes reviewed for inclusion in the organization
security awareness training?
Are practical exercises included in the security awareness training that simulate actual
cyber attacks?
Are system security roles and responsibilities defined and documented throughout the
system development life cycle, and are the individuals who have these roles and
responsibilities identified and trained?
Is security-related technical training provided before authorizing access to the system or
performing assigned duties, when required by system changes and on a periodic basis?
Are individual system security training activities documented, maintained, and
monitored?
Is contact with security groups and associations established and maintained?
Is the knowledge of personnel on security policies and procedures based on their roles
and responsibilities documented and tested?
Is refresher training provided on a defined frequency, at least annually?
Are simulated events incorporated into continuity of operations training to facilitate
effective response by personnel in crisis situations?
Are automated mechanisms used to provide a thorough and realistic system training
environment?

201

Account Management

Universal

Are the access rights and privileges specified, and are authorized users identified for
system accounts?

202

Account Management

Universal

Are appropriate approvals required for requests to establish accounts?

203

Account Management

Universal

Are system accounts authorized, established, activated, modified, disabled, and
removed?

204

Account Management

Universal

Are system accounts reviewed on a defined frequency?

205

Account Management

Universal

Is the use of guest/anonymous accounts specifically authorized and monitored?

206

Account Management

Universal

207

Account Management

Universal

208

Account Management

Universal

209

Account Management

Universal

210

Account Management

Universal

211

Account Management

Universal

212

Account Management

Universal

213

Account Management

Universal

Are user account names different from email user account names?

214

Account Management

Universal

Is there an official assigned to authorize a user or device identifier?

215

Account Management

Universal

Are identifiers selected that uniquely identify an individual or device?

216

Account Management

Universal

Are the user identifiers assigned to the intended party or the device identifier to the
intended device?

Are account managers notified when system users are terminated, transferred, or system
usage or need-to-know/need-to-share changes?
Is access to the system granted based on a valid need-to-know or need-to-share as
determined by official duties and satisfying all security criteria?
Are automated mechanisms such as active directory used to support the management of
system accounts?
Does the system automatically terminate temporary and emergency accounts after a
defined time period for each type of account?
Does the system automatically disable inactive accounts after a defined time period?
Does the system automatically audit account creation, modification, disabling, and
termination actions and notify appropriate individuals?
Are currently active system accounts reviewed on a defined frequency to verify that
temporary accounts and accounts of terminated or transferred users have been
deactivated?

217

Account Management

Universal

Are previous user or device identifiers archived?

218

Account Management

Universal

Is there a mechanism in place to verify the identity whenever an authenticator (password,
token) is created, distributed, or modified?

219

Account Management

Universal

Is the initial authenticator content for organization-defined authenticators established?

220

Account Management

Universal

Do authenticators have sufficient strength of mechanism for their intended use?

221

Account Management

Universal

Are there administrative procedures for initial authenticator distribution, for
lost/compromised or damaged authenticators, and for revoking authenticators? (e.g.,
passwords, tokens, cards, etc.)

222

Account Management

Universal

Is the default content of authenticators changed on system installation?

223

Account Management

Universal

224

Account Management

Universal

225

Account Management

Universal

226

Account Management

Universal

227

Account Management

Universal

228

Account Management

Universal

229

Account Management

Universal

230

Account Management

Universal

231

Account Management

Universal

232

Account Management

Universal

Is the separation of duties implemented through assigned system access authorizations?

233

Access Control

Universal

Is the concept of least privilege used to accomplish assigned tasks?

Are there minimum and maximum lifetime restrictions and reuse conditions for
authenticators?
Are authenticators changed or refreshed periodically as appropriate for authenticator
type?
Is authenticator content protected from unauthorized disclosure and modification? (i.e.,
not transmitting over email as open text)
Are users required to take, and devices implement, specific measures to safeguard
authenticators?
Are certificates validated for PKI-based authentication by constructing a certification path
with status information to an accepted trust anchor?
Is the registration process to receive a user authenticator carried out in person before a
designated registration authority?
Are automated tools used to determine if authenticators are sufficiently strong to resist
attacks intended to discover or otherwise compromise the authenticators?
Are unique authenticators required to be provided by vendors and manufacturers of
system components?
Is there a division of responsibilities and separation of duties of individuals to eliminate
conflicts of interest?

234

Account Management

Universal

235

Account Management

Universal

236

Account Management

Universal

237

Account Management

Universal

238

Account Management

Universal

239

Access Control

Universal

240

Access Control

Universal

241

Access Control

Universal

242

Access Control

Universal

243

Access Control

Universal

244

Access Control

Universal

245

Access Control

Universal

246
247

Access Control
Access Control

Universal
Universal

248

Access Control

Universal

249

Access Control

Universal

Is access to a defined list of security functions and security-relevant information explicitly
authorized?
Are users of system accounts with access to a defined list of security functions or
security-relevant information required to use nonprivileged accounts when accessing other
system functions?
Is network access to defined privileged commands authorized only for compelling
operational needs and is the rationale documented?
Does the system enforce authorized access to the corresponding private key for PKI-based
authentication?
Does the system map the authenticated identity to the user account for PKI-based
authentication?
Are periodic reviews conducted of existing authorized physical and electronic access
permissions to ensure they are current?
Are appropriate agreements finalized before access is granted, including for third parties
and contractors?
Are access agreements periodically reviewed and updated?
Are security measures in place to restrict information input to the system to authorized
personnel only?
Has a signed acknowledgement been obtained from users indicating that they have read,
understand, and agree to abide by the rules of behavior before authorizing access to the
system?
Are explicit restrictions on the use of social networking sites, posting information on
commercial Web sites, and sharing system account information included in the rules of
behavior?
Do electronic monitoring mechanisms alert system personnel when unauthorized access
or an emergency occurs?
Is public access to the system denied?
Is business IT and general corporation access to the system NOT permitted?
Does the system enforce assigned authorizations for controlling electronic access to the
system?
Are access control policies and associated access mechanisms in place to control access to
the system?

Does the system enforce defined nondiscretionary access control policies over a defined
set of users and resources that specify the access control information employed and the
required relationships among the access control information to permit access?

250

Access Control

Universal

251

Access Control

Universal

252
253

Access Control
Access Control

Universal
Universal

254

Access Control

Universal

255

Access Control

Universal

256

Access Control

Universal

257

Access Control

Universal

258

Access Control

Universal

259

Access Control

Universal

Does the system authenticate devices before establishing remote network connections
using bi-directional authentication between devices that are cryptographically based?

260

Access Control

Universal

Does the system authenticate devices before establishing network connections, using
bidirectional authentication between devices that are cryptographically based?

261

Access Control

Universal

Do the authentication mechanisms obscure feedback of authentication information
during the authentication process (i.e., does not return any system specific information)?

262

Access Control

Universal

263

Access Control

Universal

264

Access Control

Universal

265

Access Control

Universal

Does the system prevent access to security-relevant information (except during secure
nonoperable system states)?
Does the system uniquely identify and authenticate organizational users?
Does the system employ multifactor authentication for remote access?
Does the system employ multifactor authentication for network access and for access to
privileged accounts?
Does the system employ multifactor authentication for local system access for all users?
Are specific user actions that can be performed on the system without identification or
authentication identified and documented?
Are actions to be performed without identification and authentication permitted only to
the extent necessary to accomplish mission objectives?
Is a device verified against a pre-defined list of authorized devices before a connection is
established? (e.g., Active Directory policy or firewall rules.)

Does the system employ authentication methods that meet the requirements of
applicable policies, standards, and guidance for authentication to a cryptographic
module?
If your authentication encryption module fails, can you still authenticate without creating
a denial of service that impacts the operational performance of the system?
Are there policies and procedures concerning the generation and use of passwords?
Do the password policies stipulate rules of complexity, based on the criticality level of the
systems to be accessed?

266 | Access Control | Universal
267 | Access Control | Universal
268 | Access Control | Universal
269 | Access Control | Universal
270 | Access Control | Universal
271 | Access Control | Universal
272 | Access Control | Universal
273 | Access Control | Universal
274 | Access Control | Universal
275 | Access Control | Universal
276 | Access Control | Universal
277 | Access Control | Universal
278 | Access Control | Universal
279 | Access Control | Universal
280 | Access Control | Universal

Does system deployment require two-factor authentication or comparable compensating
measures?
Does the system display an approved system use notification message or banner before
granting access to the system?
Does the banner provide privacy and security notices consistent with applicable policies,
regulations, standards, and guidance and state that: (a) users are accessing a private or
government system; (b) system usage may be monitored, recorded, and subject to audit;
(c) unauthorized use of the system is prohibited and subject to criminal and civil penalties;
and (d) use of the system indicates consent to monitoring and recording?
Does the system retain the notification message or banner on the screen until users take
explicit actions to log on to or further access the system?
Does the system: (a) display the system use information before granting further access;
(b) ensure that any references to monitoring, recording, or auditing are consistent with
privacy accommodations for such systems that generally prohibit those activities; and (c)
include a description of the authorized uses of the system?
Is the number of concurrent sessions for any user limited?
Does the system log both successful and unsuccessful logon attempts?
Does the system notify the user upon successful logon of the number of unsuccessful
logon attempts since the last successful logon?
Does the system notify the user/admin of unsuccessful logon attempts?
Does the system capture security-related changes to the user's account?
Does the system enforce a limit of a defined number of consecutive invalid access
attempts by a user during a defined time period?
Does the system automatically lock the account/node for a defined time period, delaying
the next login prompt, when the maximum number of unsuccessful attempts is
exceeded?
Does the system automatically lock the account/node until released by an administrator
when the maximum number of unsuccessful attempts is exceeded?
Does the system prevent further access to the system by initiating a session lock after a
defined time period of inactivity or a user initiated session lock?
Does the system retain the session lock until the user re-establishes access using
appropriate identification and authentication procedures?

Universal

Does the system session lock mechanism place a publicly viewable pattern onto the
associated display hiding what was previously visible on the screen?
Does the system terminate a network connection at the end of a session or after a
defined time period of inactivity?

281 | Access Control
282 | Remote Access Control | Universal
283 | Remote Access Control | Universal

Is automatic session termination applied to local and remote sessions?

284 | Remote Access Control | Universal

Does the system terminate a network connection at the end of a session or after a period
of inactivity?

285 | Remote Access Control | Universal

Are allowed methods of remote access to the system documented?

286 | Remote Access Control | Universal

Are there usage restrictions and implementation guidance for each allowed remote
access method?

287 | Remote Access Control | Universal

Does remote access to the network require authentication prior to system connection?

288 | Remote Access Control | Universal

Are the requirements for remote connections to the system enforced?

289 | Remote Access Control | Universal
290 | Remote Access Control | Universal
291 | Remote Access Control | Universal
292 | Remote Access Control | Universal
293 | Remote Access Control | Universal
294 | Remote Access Control | Universal
295 | Remote Access Control | Universal
296 | Remote Access Control | Universal

Are all the methods of remote access to the system authorized, monitored, and
managed?
Are automated mechanisms used to facilitate the monitoring and control of remote
access methods?
Is cryptography used to protect the confidentiality and integrity of remote access
sessions?
Does the system route all remote accesses through a limited number of managed access
control points?
Is remote access for privileged commands and security-relevant information authorized
only for compelling operational needs and is the rationale for such access documented?
Is Bluetooth wireless networking capability disabled except for explicitly identified
components in support of specific operational requirements?
Are there mechanisms in the design and implementation of the system to restrict access
to the system from the enterprise network? (e.g., firewall, DMZ, VPN)
Are the terms and conditions established for authorized individuals to access the system
from an external system?

297 | Remote Access Control | Universal
298 | Remote Access Control | Universal
299 | Remote Access Control | Universal
300 | Portable/Mobile/Wireless
301 | Portable/Mobile/Wireless
302 | Portable/Mobile/Wireless
303 | Portable/Mobile/Wireless
304 | Portable/Mobile/Wireless
305 | Portable/Mobile/Wireless
306 | Portable/Mobile/Wireless
307 | Portable/Mobile/Wireless
308 | Portable/Mobile/Wireless

Universal

Are the terms and conditions established for authorized individuals to process, store, and
transmit organization-controlled information using an external system?
Are authorized individuals prohibited from using an external system to access the system
or to process, store, or transmit organization-controlled information except in situations
where the organization: (a) can verify the implementation of required security controls on
the external system as specified in the organization's security policy and security plan, or
(b) has approved system connection or processing agreements with the organizational
entity hosting the external system?
Are restrictions imposed on authorized individuals with regard to the use of organization-controlled removable media on external systems?
Are usage restrictions and implementation guidance established for organization-controlled mobile devices?

Universal

Is mobile device connection to the system authorized?

Universal

Are requirements for mobile device connection to the system enforced?

Universal

Is the capability for automatic execution of code on removable media disabled?

Universal
Universal

Are specially configured mobile devices issued to individuals traveling to locations of
significant risk per policies and procedures?
Are specified measures applied to mobile devices returning from locations of significant
risk per policies and procedures?

Universal

Is the use of writable, removable media restricted on the system?

Universal

Is the use of personally owned, removable media prohibited on the system?

Universal

Is the use of removable media with no identifiable owner prohibited on the system?

309 | Portable/Mobile/Wireless | Universal
310 | Portable/Mobile/Wireless | Universal

Are usage restrictions and implementation guidance established for mobile code
technologies based on the potential to cause damage to the system if used maliciously?
(Java, JavaScript, ActiveX, Postscript, etc.)
Is the use of mobile code documented, monitored, and managed? (Java, JavaScript,
ActiveX, Postscript, etc.)

311 | Portable/Mobile/Wireless
312 | Portable/Mobile/Wireless
313 | Portable/Mobile/Wireless
314 | Portable/Mobile/Wireless
315 | Portable/Mobile/Wireless
316 | Portable/Mobile/Wireless
317 | Portable/Mobile/Wireless
318 | Portable/Mobile/Wireless
319
320
321
322
323
324

Universal

Do appropriate officials authorize the use of mobile code?

Universal

Does the system implement detection and inspection mechanisms to identify
unauthorized mobile code and take corrective actions?

Universal

Are there use restrictions and implementation guidance for wireless technologies?

Universal

Is wireless access to the system authorized, monitored, and managed?

Universal
Universal
Universal
Universal

Portable/Mobile/Wireless | Universal
Portable/Mobile/Wireless
Portable/Mobile/Wireless
Portable/Mobile/Wireless
Portable/Mobile/Wireless
Portable/Mobile/Wireless

Universal

Are authentication and encryption used to protect wireless access to the system, and does
the induced latency NOT degrade the operational performance of the system?
Is the system scanned for unauthorized wireless access points at a specified frequency,
and is appropriate action taken if such access points are discovered?
Is there a thorough scan for unauthorized wireless access points in facilities containing
high-impact systems?
Does the system protect wireless access using authentication and encryption?
Are unauthorized remote connections to the system monitored, including scanning for
unauthorized mobile or wireless access points on a defined frequency and is appropriate
action taken if an unauthorized connection is discovered?
Are wireless networking capabilities internally embedded within system components
disabled prior to issue when not intended for use?

Universal

Are users NOT allowed to independently configure wireless networking capabilities?

Universal

Are users prohibited from establishing wireless networks?

Universal
Universal

325 | System Protection | Universal
326 | System Protection | Universal

Do you employ rigorous security measures for remote sessions with administrative
privileges and are they audited?
Is peer-to-peer wireless networking capability disabled except for explicitly identified
components in support of specific operational requirements?
Does the system isolate (e.g., through partitions, domains, security zones, etc.) security
functions (e.g., enforcing access and information flow control) from nonsecurity
functions?
Does the system isolate security functions from both nonsecurity functions and from
other security functions?

327 | System Protection | Universal
328 | System Protection | Universal
329 | System Protection | Universal
330 | System Protection | Universal
331 | System Protection | Universal
332 | System Protection | Universal
333 | System Protection | Universal
334 | System Protection | Universal
335 | System Protection | Universal
336 | System Protection | Universal
337 | System Protection | Universal
338 | System Protection | Universal
339 | System Protection | Universal
340 | System Protection | Universal
341 | System Protection | Universal
342 | System Protection | Universal
343 | System Protection | Universal
344 | System Protection | Universal

Does the system minimize the number of nonsecurity functions included within the
isolation boundary containing security functions?
Are the system security functions implemented as largely independent modules that
avoid unnecessary interactions between modules?
Are the system security functions implemented as a layered structure minimizing
interactions between layers of the design and avoiding any dependence by lower defense
in depth layers on the functionality or correctness of higher layers?
Does the system limit the use of resources by priority?
Are the external boundaries of the system defined?
Are the operational system boundary, the strength required of the boundary, and the
respective barriers to unauthorized access and control of system assets and components
defined?
Are externally accessible system components physically allocated to separate
subnetworks (DMZ) with separate, physical network interfaces?
Is external access into the organization's internal system networks prevented, except as
appropriately mediated? (e.g., configuration files and settings, alarm points, passwords,
etc.)
Is an appropriate failure mode selected depending on the critical needs of system
availability? (preventative maintenance)
Does the system design and implementation protect the integrity of electronically
communicated information?
Is cryptographic hardware with remote key management capabilities used?
Are public key certificates issued under an appropriate certificate policy or are they
obtained under an appropriate certificate policy from an approved service provider?
Does the use of public key certificates avoid degrading (i.e., latency) the operational
performance of the system?
Does the system fail to a known state for defined failures?
Does the system preserve defined system state information in failure?
Does the system employ processing components that have minimal functionality and data
storage (e.g., diskless nodes, thin client technologies)?
Does the system use secure data transmission media, such as fiber optic technology, to
minimize data loss from eavesdropping and data tapping?
Does the system protect the confidentiality of information at rest? (e.g., disk encryption)

Are cryptographic mechanisms used to prevent unauthorized disclosure of information at
rest unless otherwise protected by alternative physical measures?
Are diverse technologies used in the implementation of the system? (e.g., using different
vendors to avoid single vulnerability penetration)
Are system components partitioned into separate physical networks as necessary?
Does the system protect the integrity of information during the processes of data
aggregation, packaging, and transformation in preparation for transmission?
Does the system meet a defined level of trustworthiness?
Are all critical hardware and software system components defined and documented?
Has legacy equipment been updated with current or custom developed system
components?
Have system components been identified where there are no alternative sources or
vendors?

345 | System Protection | Universal
346 | System Protection | Universal
347 | System Protection | Universal
348 | System Protection | Universal
349 | System Protection | Universal
350 | System Protection | Universal
351 | System Protection | Universal
352 | System Protection | Universal
353 | System Protection | Universal

Is the system protected from harm by considering mean time to failure for a defined list
of system components? (e.g., hot standby for real-time and/or application servers)

354 | System Protection | Universal

Are substitute system components provided, and is there a mechanism to exchange
active and standby roles of the components?

355 | System Protection | Universal

Are system components taken out of service by transferring component responsibilities
to a substitute component no later than a defined percentage of mean time to failure?

356 | System Protection | Universal
357 | System Protection | Universal
358 | System Protection | Universal
359 | System Protection | Universal
360 | System Protection | Universal

Is a transfer between active and standby system components manually initiated at least
once per a defined frequency?
When a system component failure is detected, does the standby system component
successfully and transparently assume its role within a defined time period and activate
an alarm and/or automatically shut down the system?
Is the use of personally owned information copied to the system restricted?
Do the terms and conditions for personally owned information on the system state the
types of applications that can be accessed from personally owned IT, either remotely or
from within the system?
Is the system configured to provide only essential capabilities, and does it specifically prohibit
and/or restrict the use of functions, ports, protocols, and/or services as defined in a
"prohibited and/or restricted" list?

Is the system periodically reviewed to identify and eliminate unnecessary functions, ports,
protocols, and/or services?
Are automated mechanisms used to prevent program execution in accordance with
defined lists? (e.g., white listing)
Is the use of configuration laptops and/or removable electronic media approved, and
are authorized devices documented, secured, and available only to specified and
approved entities when their use cannot be avoided?
Is the enterprise architecture developed with consideration for security and the resulting
risk?
Do the terms and conditions for personally owned information on the system state the
maximum security category of information that can be processed, stored, and
transmitted?
Do the terms and conditions for personally owned information on the system state how
other users of the personally owned information will be prevented from accessing
organization information?
Do the terms and conditions for personally owned information on the system define the
use of VPN and firewall technologies?
Do the terms and conditions for personally owned information on the system state the
use of and protection against the vulnerabilities of wireless technologies?
Do the terms and conditions for personally owned information on the system require the
maintenance of adequate physical security mechanisms?
Do the terms and conditions for personally owned information on the system require the
use of virus and spyware protection software?
Do the terms and conditions for personally owned information on the system state how
often the security capabilities of installed software are to be updated?
Does the system include applications that are independent of the operating system?
Are virtualization techniques used to present gateway components in system
environments as other types of components or as components with differing
configurations?
Are virtualization techniques used to deploy a diversity of operating systems
environments and applications?

361 | System Protection | Universal
362 | System Protection | Universal
363 | System Protection | Universal
364 | System Protection | Universal
365 | System Protection | Universal
366 | System Protection | Universal
367 | System Protection | Universal
368 | System Protection | Universal
369 | System Protection | Universal
370 | System Protection | Universal
371 | System Protection | Universal
372 | Software | Universal
373 | Software | Universal
374 | Software | Universal
375 | Software | Universal

Is the diversity of operating systems and applications changed on a defined frequency?

376 | Software | Universal

Is randomness used in the implementation of the virtualization?

377 | Software | Universal
378 | Software | Universal
379 | Software | Universal
380 | Software | Universal
381 | Software | Universal
382 | Software | Universal
383 | Communication Protection | Universal
384 | Communication Protection | Universal
385 | Communication Protection | Universal
386 | Communication Protection | Universal
387 | Communication Protection | Universal
388 | Communication Protection | Universal

Does the system load and execute the operating system software from hardware-enforced, read-only media?
Does the system load and execute authorized applications from hardware-enforced, read-only media?
Are system components used that have no writable storage that is persistent across
component restart or power on/off cycles?
Is the integrity of the information on read-only media protected?
Do software developers employ software quality and validation methods to minimize
flawed or malformed software?
Is a process prevented from executing without supervision for more than a defined time
period?
Is the system protected from information leakage (e.g., removable media, official
documents, remote access, etc.)?
Do the system components separate telemetry/data acquisition services from
management port functionality?
Does the system prevent unauthorized or unintended information transfer via shared
system resources? (e.g., register, main memory, secondary storage)
Does the system separate resources that are used to interface with systems operating at
different security levels?
Does the system monitor and manage communications at the system boundary and at
key internal boundaries within the system?
Is the number of access points to the system limited to allow for better monitoring of
inbound and outbound network traffic?
Are the external communication interface connections implemented with security
measures appropriate to the required protection of the integrity and confidentiality of the
information being transmitted?

389 | Communication Protection | Universal
390 | Communication Protection | Universal

Does the system deny network traffic by default and allow network traffic by exception?

391 | Communication Protection | Universal

Is the unauthorized release of information outside the system boundary, or any
unauthorized communication through the system boundary, prevented when the
boundary protection mechanisms suffer an operational failure?

392 | Communication Protection | Universal

Is the unauthorized release of information across managed interfaces prevented?

393 | Communication Protection | Universal
394 | Communication Protection | Universal
395 | Communication Protection | Universal
396 | Communication Protection | Universal
397 | Communication Protection | Universal
398 | Communication Protection | Universal
399 | Communication Protection | Universal
400 | Communication Protection | Universal
401 | Communication Protection
402 | Communication Protection
403 | Communication Protection
404 | Communication Protection
405 | Communication Protection
406 | Communication Protection
407 | Communication Protection
408 | Communication Protection

Does the system check incoming communications to ensure that the communications are
coming from an authorized source and routed to an authorized destination?
Does the system, at managed interfaces, deny network traffic and audit internal users
posing a threat to external systems?
Does the system prevent remote devices that have established connections (e.g., PLC,
remote laptops) with the system from communicating outside that communications path
with resources on uncontrolled/unauthorized networks?
Does the system route traffic to the Internet through authenticated proxy servers within
the managed interfaces of boundary protection devices?
Do you encrypt communication over all untrusted communication channels?
Have you evaluated the latency issues introduced by the use of cryptographic
mechanisms to ensure that they do not impact operational performance?
If the cryptographic mechanism fails, is your system protected against a denial of service
event?
Does the system design and implementation protect the confidentiality of communicated
information where necessary?

Universal

Are cryptographic mechanisms used to prevent unauthorized disclosure of information
during transmission unless otherwise protected by alternative physical measures?

Universal

Does the system establish a trusted communications path between the user and the
system?

Universal

Are cryptographic keys established and managed using automated mechanisms?

Universal
Universal
Universal

Is the availability of information in the event of the loss of cryptographic keys by users
maintained?
Do communication cryptographic mechanisms comply with applicable regulatory
requirements, policies, standards, and guidance?
Are collaborative computing devices (e.g., video and audio conferencing) restricted on
your control system network?

Universal

Are collaborative computing devices disconnected and powered down when not in use?

Universal

Does the system block both inbound and outbound traffic between instant messaging
clients?

409 | Communication Protection | Universal
410 | Communication Protection | Universal
411 | Communication Protection | Universal
412 | Communication Protection | Universal
413 | Communication Protection | Universal
414 | Communication Protection | Universal
415 | Communication Protection | Universal
416 | Communication Protection | Universal
417 | Communication Protection | Universal
418 | Communication Protection | Universal
419 | Communication Protection
420 | Communication Protection
421 | Communication Protection
422 | Communication Protection
423 | Communication Protection
424 | Communication Protection

Are collaborative computing devices disabled or removed from systems in secure work
areas?
Does the system reliably associate security labels and markings with information
exchanged between the enterprise systems and the control system?
Does the system validate the integrity of security parameters exchanged between
systems?
Are there usage restrictions and implementation guidance for VoIP technologies, based
on the potential to cause damage to the system if used maliciously?
Is the use of VoIP authorized, monitored, and controlled?
Does the system provide mechanisms to protect the authenticity of device-to-device
communications sessions?
Are message authentication mechanisms implemented at the protocol level for both
serial and routable protocols?
Are the system devices that collectively provide name/address resolution services for an
organization fault tolerant?
Does the use of secure name/address resolution services avoid adverse impacts to the
operational performance of the system?
Does the DNS server that provides name/address resolution service provide additional
artifacts (e.g., digital signatures, cryptographic keys, etc.) along with the authoritative DNS
resource records it returns in response to resolution queries?

Universal

Does the system enable verification of a chain of trust among parent and child domains?

Universal

Does the local client perform DNS and data integrity verification from authoritative DNS
servers?

Universal

Do the authoritative DNS servers perform data origination and verification?

Universal

Does the system monitor and detect covert communication channels (e.g., back doors)?

Universal
Universal

Is a subset of the vendor-identified covert channel avenues tested to determine if they
are exploitable?
Does the system enforce assigned authorizations for controlling the flow of information
within the system and between interconnected systems?

425 | Communication Protection | Universal
426 | Communication Protection | Universal
427 | Communication Protection | Universal
428 | Communication Protection
429 | Communication Protection
430 | Communication Protection
431 | Communication Protection
432 | Communication Protection
433 | Communication Protection
434 | Communication Protection
435 | Communication Protection
436 | Communication Protection
437 | Communication Protection
438 | Communication Protection
439 | Communication Protection
440 | Communication Protection
441 | System Integrity

Does the system enforce information flow control (e.g., firewalls, routers, gateways, etc.)
based on specific data for source and destination paths?
Does the system enforce information flow control using domains as a basis for flow
control decisions?
Does the system enforce dynamic information flow control based on changing conditions
or operational considerations?

Universal

Does the system prevent encrypted data from bypassing content-checking mechanisms?

Universal

Does the system enforce defined limitations on the embedding of data types within other
data types to prevent propagation of malicious payloads?

Universal

Does the system enforce information flow control on metadata?

Universal

Does the system enforce defined one-way flows using hardware mechanisms (i.e., data
diode)?

Universal

Does the system enforce information flow control using defined security policy filters?

Universal
Universal
Universal
Universal
Universal

Does the system enforce the use of human review for defined security policy filters when
the system is not capable of making an information flow control decision?
Does the system provide the capability for a privileged administrator to enable and
disable organization-defined security policy filters?
Does the system provide the capability for a privileged administrator to configure the
organization-defined security policy filters to support different security policies?
Is confidential information (e.g., business sensitive, personally identifiable information,
etc.) restricted to authorized users?
Are automated or manual mechanisms (e.g., roles and responsibilities as defined by
Active Directory) used as required to assist authorizing users in making the correct
information sharing/collaboration decisions?

Universal

Is information sharing authorized and/or restricted between third-party partners?

Universal

Are communications limited to only the devices that need to communicate?

Universal

Are all other ports and routes locked down or disabled?

Universal

Are system flaws identified, reported, and corrected?

442 | System Integrity | Universal
443 | System Integrity | Universal
444 | System Integrity | Universal
445 | System Integrity | Universal
446 | System Integrity | Universal
447 | System Integrity | Universal
448 | System Integrity | Universal
449 | System Integrity | Universal
450 | System Integrity | Universal
451 | System Integrity | Universal
452 | System Integrity | Universal
453 | System Integrity | Universal
454 | System Integrity | Universal
455 | System Integrity | Universal
456 | System Integrity | Universal
457 | System Integrity | Universal
458 | System Integrity | Universal
459 | System Integrity | Universal

Are software updates related to flaw remediation tested for effectiveness and potential
side effects before installation?
Is flaw remediation incorporated into the configuration management process as an
emergency change?
Is the patch management process centrally managed, and are updates installed
automatically?
Has the risk of employing automated flaw remediation been evaluated?
Are automated mechanisms (e.g., patching, service packs, etc.) used to periodically and
on demand determine the state of system components with regard to flaw remediation?
Is the time between flaw identification and flaw remediation measured and compared
with benchmarks?
Are automated patch management tools used to facilitate flaw remediation?
Does the use of automated flaw remediation processes NOT degrade the operational
performance of the system?
Are system security alerts, advisories, and directives received from designated external
organizations on an ongoing basis?
Are internal security alerts, advisories, and directives generated?
Are security alerts, advisories, and directives disseminated to a list of personnel?
Are security directives implemented in accordance with timeframes established by the
directives, or is the issuing organization notified of the degree of noncompliance?
Are automated mechanisms used to make security alert and advisory information
available throughout the organization?
Is the correct operation of security functions verified upon system startup and restart,
upon command by a user with appropriate privilege, periodically, and at defined time
periods?
Does the system notify the system administrator when anomalies are discovered?
Are automated mechanisms used to provide notification of failed automated security
tests?
Are automated mechanisms used to support management of distributed security
functionality verification testing? (i.e., control log servers)
460 | System Integrity | Universal | Does the system monitor and detect unauthorized changes to software and information?
461 | System Integrity | Universal | Is the integrity of software and information reassessed by performing integrity scans of the system on a defined frequency, and are such scans used with extreme caution on designated high-availability systems?
462 | System Integrity | Universal | Are automated tools used to notify designated individuals on discovering discrepancies during integrity verification, and are they used with extreme caution on designated high-availability systems?
463 | System Integrity | Universal | Are centrally managed integrity verification tools used, and are they used with extreme caution on designated high-availability systems?
464 | System Integrity | Universal | Is tamper-evident packaging used during transportation from vendor to operational site, during operation, or both?
465 | System Integrity | Universal | Does the system check the validity of information inputs? (e.g., boundary limits)
466 | System Integrity | Universal | Does the system identify error conditions?
467 | System Integrity | Universal | Does the system generate error messages that provide the information necessary for corrective actions without revealing potentially harmful information that could be exploited by adversaries?
468 | System Integrity | Universal | Does the system reveal error messages only to authorized personnel?
469 | System Integrity | Universal | Does the system prohibit the inclusion of sensitive information in error logs or associated administrative messages?
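Questions 460 through 463 ask whether unauthorized changes to software and information are detected, whether discrepancies are reported to a designated person, and whether the scan itself is run carefully on high-availability hosts. The following is an added example written for this page, not part of the CSET instrument: a minimal file-integrity scan that hashes a tree into a baseline manifest, later compares the live tree against it, and produces a discrepancy report. The directory layout, file names and contents are constructed for the demo; the throttle_s parameter is the knob that keeps the scan from competing with production I/O on a high-availability system.

```python
"""Added example (not part of the CSET question set): a minimal file-integrity
scan of the kind questions 460-463 ask about. A baseline manifest of SHA-256
digests is built once from a known-good state; later scans compare the live
tree against it and report modified, added and missing files so that a
designated person can be notified. All file names and contents below are
constructed for the demo."""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def file_digest(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def scan(root: Path, baseline: dict, throttle_s: float = 0.0) -> dict:
    """Compare the live tree with the baseline.

    throttle_s is the pause between files; on a high-availability host the
    scan is run slowly (or off-peak) rather than at full I/O speed, which is
    the caution questions 461-463 ask about.
    """
    current = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            current[p.relative_to(root).as_posix()] = file_digest(p)
            if throttle_s:
                time.sleep(throttle_s)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def notification(discrepancies: dict) -> str:
    """Human-readable message for the designated recipient (empty string if clean)."""
    lines = [f"{kind}: {path}" for kind, paths in discrepancies.items() for path in paths]
    return "\n".join(lines)


def demo() -> dict:
    """Constructed scenario: baseline three files, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ctl").write_bytes(b"\x7fELF original control binary")
        (root / "config.ini").write_text("setpoint=42\n")
        (root / "alarms.cfg").write_text("high=90\n")
        baseline = build_baseline(root)
        baseline_json = json.dumps(baseline)  # store this signed and off-host in practice

        (root / "bin" / "ctl").write_bytes(b"\x7fELF trojaned control binary")  # modified
        (root / "rootkit.ko").write_bytes(b"\x00")                               # added
        (root / "alarms.cfg").unlink()                                            # missing
        return scan(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(notification(demo()))
```

The manifest is only as trustworthy as its storage: keep it off the monitored host (or sign it) so an attacker who replaces a binary cannot also rewrite the expected digest.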

470 | Physical Security | Universal | Are lists of personnel with authorized access developed and maintained, and are appropriate authorization credentials issued?
471 | Physical Security | Universal | Are the access list and authorization credentials reviewed and approved at least annually, and are those no longer requiring access removed?
472 | Physical Security | Universal | Is physical access to the facility authorized based on position or role?
473 | Physical Security | Universal | Are two forms of identification required to gain access to the facility?

474 | Physical Security | Universal | Are physical access authorizations enforced for all physical access points to the facility?
475 | Physical Security | Universal | Are individual access authorizations verified before granting access to the facility?
476 | Physical Security | Universal | Is entry to the facility controlled by physical access devices and/or guards?
477 | Physical Security | Universal | Are the areas officially designated as publicly accessible controlled in accordance with the organization's assessment of risk?
478 | Physical Security | Universal | Are keys, combinations, and other physical access devices secured?

Is the output from the system handled and retained in accordance with applicable regulations, standards, and organizational policy as well as operational requirements?

479 | Physical Security | Universal | Are physical access devices inventoried on a periodic basis?
480 | Physical Security | Universal | Are combinations and keys changed on a defined frequency, and when keys are lost, combinations compromised, or individuals are transferred or terminated?
481 | Physical Security | Universal | Is physical access to distribution and communication lines controlled and verified?
482 | Physical Security | Universal | Is physical access to output devices controlled?
483 | Physical Security | Universal | Is physical access to the system controlled independently of the facility access controls?

484 | Physical Security | Universal | Are security checks at physical boundaries performed for unauthorized removal of system components?
485 | Physical Security | Universal | Is every physical access point to the facility guarded or alarmed and monitored 24 hours per day, 7 days per week?
486 | Physical Security | Universal | Are lockable physical casings used to protect internal components of the system from unauthorized physical access?
487 | Physical Security | Universal | Is physical access monitored to detect and respond to physical security incidents?
488 | Physical Security | Universal | Are physical access logs reviewed on a defined frequency?
489 | Physical Security | Universal | Are the results of reviews and investigations coordinated with the organization's incident response capability?
490 | Physical Security | Universal | Are real-time physical intrusion alarms and surveillance equipment monitored?
491 | Physical Security | Universal | Are automated mechanisms used to recognize potential intrusions and initiate designated response actions?
492 | Physical Security | Universal | Is physical access controlled by authenticating visitors before authorizing access?
493 | Physical Security | Universal | Are visitors escorted and monitored as required in the security policies and procedures?

494 | Physical Security | Universal | Are two forms of identification required for access?
495 | Physical Security | Universal | Are visitor access records maintained, and are all physical access logs retained for as long as required by regulations or per approved policy?
496 | Physical Security | Universal | Do visitor records include the name and organization of the person visiting?
497 | Physical Security | Universal | Do visitor records include the signature of the visitor?
498 | Physical Security | Universal | Do visitor records include a form of identification?
499 | Physical Security | Universal | Do visitor records include the date of access?
500 | Physical Security | Universal | Do visitor records include the time of entry and departure?
501 | Physical Security | Universal | Do visitor records include the purpose of the visit?
502 | Physical Security | Universal | Do visitor records include the name and organization of the person visited?

503 | Physical Security | Universal | Are automated mechanisms employed to facilitate the maintenance and review of access records?
504 | Physical Security | Universal | Is cryptographic hardware protected from physical tampering and uncontrolled electronic connections?
505 | Physical Security | Universal | Are all external system and communication connections identified and protected from tampering or damage?
506 | Physical Security | Universal | Are asset location technologies used to track and monitor the movements of personnel and vehicles to ensure they stay in authorized areas?
507 | Physical Security | Universal | Are asset location technologies used to identify personnel needing assistance?
508 | Physical Security | Universal | Are asset location technologies used to support emergency response?
509 | Physical Security | Universal | Is hardware (cages, locks, cases, etc.) used to detect and deter unauthorized physical access to system devices?
510 | Physical Security | Universal | Is the ability to respond to an emergency not hindered by the use of tamper-evident hardware?
511 | Environmental Security | Universal | Is the emergency power shutoff protected from unauthorized activation?
512 | Environmental Security | Universal | Is the emergency power-off capability protected from accidental and intentional/unauthorized activation?
513 | Environmental Security | Universal | Is there a short-term uninterruptible power supply to be used for orderly system shutdown?
514 | Environmental Security | Universal | Is there a long-term alternate power supply that is capable of maintaining the minimally required operational capability?
515 | Environmental Security | Universal | Is there a long-term alternate power supply that is self-contained and not reliant on external power generation?
516 | Environmental Security | Universal | Are there automatic emergency lighting systems for emergency exits and evacuation routes?
517 | Environmental Security | Universal | Are there fire suppression and detection devices/systems?
518 | Environmental Security | Universal | Do fire detection devices/systems activate automatically and notify the organization and emergency responders in the event of a fire?
519 | Environmental Security | Universal | Do fire suppression devices/systems provide automatic notification to the organization and emergency responders?
520 | Environmental Security | Universal | Is there an automatic fire suppression capability in facilities that are not staffed continuously?
521 | Environmental Security | Universal | Are temperature and humidity regularly monitored to ensure they are maintained within acceptable levels?
522 | Environmental Security | Universal | Is the system protected from water damage by having the master shutoff valves accessible, working properly, and known to key personnel?
523 | Environmental Security | Universal | Are automated mechanisms used to close shutoff valves and provide notification in the event of a water leak?
524 | Configuration Management | Universal | Is the delivery and removal of system components limited, authorized, and recorded?
525 | Environmental Security | Universal | Are system assets located to minimize potential damage from physical and environmental hazards and to minimize unauthorized access?
526 | Environmental Security | Universal | Are the risks associated with physical and environmental hazards considered when planning new system facilities or reviewing existing facilities, and are the risk mitigation strategies documented in the security plan?
527 | Environmental Security | Universal | Is the system power equipment and power cabling protected from damage and destruction?
528 | Environmental Security | Universal | Are redundant power equipment and parallel power cabling paths provided for the system?
529 | Configuration Management | Universal | Is there an inventory of systems and critical components, and is it maintained?
530 | Plans | Universal | Are the personnel qualification levels reviewed and periodically updated for personnel to make changes, the conditions for allowing changes, and the approvals required for changes?
531 | Configuration Management | Universal | Has a current baseline configuration been developed, documented, and maintained for the system?
532 | Configuration Management | Universal | Is the baseline configuration of the system reviewed and updated?
533 | Configuration Management | Universal | Are automated mechanisms used to maintain an up-to-date, complete, accurate, and readily available baseline configuration?
534 | Configuration Management | Universal | Is a baseline configuration for the development and test environments maintained and managed separately from the operational baseline?
535 | Configuration Management | Universal | Is a deny-all, permit-by-exception authorization policy used for software allowed on the system?
536 | Configuration Management | Universal | Are changes to the system authorized and documented?

537 | Configuration Management | Universal | Are records of configuration-managed changes to the system reviewed and retained?
538 | Configuration Management | Universal | Are configuration-managed changes to the system audited?
539 | Configuration Management | Universal | Are automated mechanisms used to document proposed changes, notify appropriate approval authorities, highlight approvals that have not been received in a timely manner, inhibit change until necessary approvals are received, and document completed changes?
540 | Configuration Management | Universal | Are configuration changes tested, validated, and documented before installing them on the operational system, and has it been ensured that testing does not interfere with system operations?
541 | Configuration Management | Universal | Does the tester fully understand the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process?
542 | Configuration Management | Universal | Are individual access privileges, physical access, and logical access restrictions associated with configuration changes to the system defined, documented, and approved?
543 | Configuration Management | Universal | Are records of the individual access privileges, physical access, and logical access restrictions associated with configuration changes to the system generated, retained, and periodically reviewed?
544 | Configuration Management | Universal | Are automated mechanisms used to enforce access restrictions on changes and to support auditing of the enforcement actions?
545 | Configuration Management | Universal | Does the system prevent the installation of device drivers that are not signed with an organizationally recognized and approved certificate?
546 | Configuration Management | Universal | Is there physical security to restrict data devices, serial ports, network ports, USB, and secure digital memory cards?
547 | Configuration Management | Universal | Are mandatory configuration settings used for products employed within the system?
548 | Configuration Management | Universal | Are the security settings configured to the most restrictive mode consistent with system operational requirements?
549 | Configuration Management | Universal | Are the changed configuration settings documented?
550 | Configuration Management | Universal | Are exceptions from the mandatory configuration settings identified, documented, and approved based on explicit operational requirements?
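Questions 547 through 550 describe mandatory configuration settings, the most restrictive mode the operation tolerates, and documented exceptions approved on explicit operational need; the block of questions that follows asks whether those settings are enforced and whether unauthorized changes get an automated response. The following is an added example for this page, not part of the CSET instrument: a check that compares each host's observed settings with a mandatory baseline and accepts a deviation only when a documented, approved and unexpired exception covers exactly that host, setting and value. The baseline keys, host names and exception records are constructed; in practice they would come from the configuration management database and the change-approval system.

```python
"""Added example (not from the CSET question set): checking hosts against a
mandatory configuration baseline where every deviation must be covered by a
documented, approved and unexpired exception (questions 547-551 and 554).
The baseline, hosts, settings and exception records are all constructed."""
from datetime import date

# Mandatory settings: the most restrictive values the operation tolerates (question 548).
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "firewall.default_inbound": "deny",
    "usb_storage.enabled": "false",
    "audit.enabled": "true",
}

# Approved exceptions (question 550): host, setting, permitted value, reason, approver, expiry.
EXCEPTIONS = [
    {"host": "hmi-02", "setting": "usb_storage.enabled", "value": "true",
     "reason": "vendor patch media", "approved_by": "ciso", "expires": date(2026, 12, 31)},
    {"host": "hmi-03", "setting": "ssh.PermitRootLogin", "value": "yes",
     "reason": "legacy backup job", "approved_by": "ciso", "expires": date(2020, 1, 1)},
]


def _exception_for(host: str, setting: str, value, today: date):
    """An exception applies only to the exact host/setting/value and only until it expires."""
    for e in EXCEPTIONS:
        if (e["host"], e["setting"], e["value"]) == (host, setting, value) and e["expires"] >= today:
            return e
    return None


def assess(host: str, observed: dict, today: date) -> dict:
    """Return the findings for one host and the settings to re-apply automatically (question 554)."""
    findings, remediate = [], {}
    for setting, required in BASELINE.items():
        actual = observed.get(setting)  # None means the setting is absent on the host
        if actual == required:
            continue
        exc = _exception_for(host, setting, actual, today)
        if exc:
            findings.append(f"{host}: {setting}={actual} deviates under approved exception ({exc['reason']})")
            continue
        findings.append(f"{host}: {setting}={actual}, required {required}, no valid exception")
        remediate[setting] = required
    return {"findings": findings, "remediate": remediate}


def demo(today: date = date(2025, 6, 1)) -> dict:
    """Constructed fleet: one compliant host, one covered by an exception, one with drift."""
    observed = {
        "hmi-01": dict(BASELINE),
        "hmi-02": {**BASELINE, "usb_storage.enabled": "true"},
        "hmi-03": {**BASELINE, "ssh.PermitRootLogin": "yes", "audit.enabled": "false"},
    }
    return {host: assess(host, obs, today) for host, obs in observed.items()}


if __name__ == "__main__":
    for host, result in demo().items():
        for line in result["findings"]:
            print(line)
        if result["remediate"]:
            print(f"{host}: re-apply {result['remediate']}")
```

Note that an expired exception is treated exactly like no exception: hmi-03's root-login deviation goes straight to the remediation list, which is what keeps the exception register from silently becoming permanent.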

551 | Configuration Management | Universal | Are the configuration settings for all components of the system enforced?
552 | Configuration Management | Universal | Are changes to the configuration settings monitored and controlled in accordance with policies and procedures?
553 | Configuration Management | Universal | Are automated mechanisms used to centrally manage, apply, and verify configuration settings?
554 | Configuration Management | Universal | Are automated mechanisms used to respond to unauthorized changes to configuration settings?
555 | Configuration Management | Universal | Are six-wall bordering, equipment vaulting, two-man rules, and enhanced inventory control and authorization used?
556 | Configuration Management | Universal | Are the duties and access of the system administrator and the cybersecurity officer separated such that neither can make the changes alone?
557 | Configuration Management | Universal | Has an inventory of the components of the system been developed, documented, and maintained that accurately reflects the current system?
558 | Configuration Management | Universal | Has an inventory list of the components of the system been developed, documented, and maintained that is consistent with the system boundary?
559 | Configuration Management | Universal | Has an inventory list of the components of the system been developed, documented, and maintained that is at the level of granularity deemed necessary for tracking and reporting?
560 | Configuration Management | Universal | Has an inventory of the components of the system been developed, documented, and maintained that includes the defined information deemed necessary to achieve effective property accountability?
561 | Configuration Management | Universal | Is the inventory of system components and programming updated as an integral part of component installation, replacement, and system updates?
562 | Configuration Management | Universal | Are automated mechanisms used to help maintain an up-to-date, complete, accurate, and readily available inventory of system components, configuration files and set points, alarm settings, and other required operational settings?
563 | Configuration Management | Universal | Are automated mechanisms used to detect the addition of unauthorized components/devices/component settings to the system?
564 | Configuration Management | Universal | Is network access by unauthorized components/devices disabled, or are designated officials notified?
565 | Configuration Management | Universal | Are the names of the individuals responsible for each component included in the property accountability information?

566 | Configuration Management | Universal | Are all system assets and information documented, identified, and tracked?
567 | Configuration Management | Universal | Do specialized critical digital assets have an internal registration, configuration and usage plan, and secure storage before, during, and after usage?
568 | Configuration Management | Universal | Are critical digital assets (CDAs) in security areas destroyed on removal from operations, or are they inspected and subject to an approved, documented sanitization procedure on being removed from service (e.g., lifecycle plan)?
569 | Configuration Management | Universal | Are all factory default authentication credentials changed on system components and applications upon installation?
570 | Configuration Management | Universal | Does legacy equipment with known authentication deficiencies have compensatory access restrictions?
571 | Plans | Universal | Is the responsibility for the configuration management process assigned to organizational personnel who are not directly involved in system development?
572 | Configuration Management | Universal | Is there security authorization including two-man policies (requiring the authorization of two people)?
573 | Configuration Management | Universal | Are the legacy components identified, tested, and documented to verify that the compensatory measures are effective?
574 | Incident Response | Universal | Are potential interruptions identified and classified as to "cause," "effects," and "likelihood"?
575 | Incident Response | Universal | Is a root cause analysis initiated for security events, and are any findings from the analysis submitted to the organization's corrective action program?
576 | Incident Response | Universal | Is an incident handling capability implemented for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery?
577 | Incident Response | Universal | Are incident handling activities coordinated with contingency planning activities?
578 | Incident Response | Universal | Are lessons learned from ongoing incident handling activities incorporated into incident response procedures?
579 | Incident Response | Universal | Are automated mechanisms used to administer and support the incident handling process and to assist in the reporting of security incidents?
580 | Incident Response | Universal | Are system network security incidents tracked and documented on an ongoing basis?
581 | Incident Response | Universal | Are automated mechanisms used to assist in the tracking of security incidents and in the collection and analysis of incident information? (e.g., network monitoring, physical access monitoring)
582 | Incident Response | Universal | Is cyber and control system security incident information promptly reported to authorities?
583 | Incident Response | Universal | Are automated mechanisms used to increase the availability of incident response-related information and support?
584 | Incident Response | Universal | Is there a direct, cooperative relationship between the incident response capability and external providers of information system protection capability, and are the incident response team members identified to the external providers? (e.g., third-party alarm service)
585 | Incident Response | Universal | Are processes and mechanisms included in the planning to ensure that corrective actions identified as the result of a cybersecurity incident are fully implemented?
586 | Incident Response | Universal | Does the incident response capability incorporate detection of unauthorized, security-relevant configuration changes to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes?
587 | Incident Response | Universal | Is an incident response support resource provided that offers advice and assistance?
588 | Monitoring & Malware | Universal | Does the system protect against or limit the effects of denial-of-service attacks based on a defined list of types of denial-of-service attacks?
589 | Monitoring & Malware | Universal | Does the system restrict the ability of users to launch denial-of-service attacks against other systems or networks?
590 | Monitoring & Malware | Universal | Does the system manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service attacks?
591 | Monitoring & Malware | Universal | Are malicious code protection mechanisms used at system entry and exit points and at workstations, servers, or mobile computing devices?
592 | Monitoring & Malware | Universal | Are malicious code protection mechanisms updated whenever new releases are available in accordance with configuration management policy and procedures?

593 | Monitoring & Malware | Universal | Are malicious code protection mechanisms configured to perform periodic scans of the system on a defined frequency and real-time scans of files from external sources as the files are downloaded, opened, or executed, and to disinfect and quarantine infected files?
594 | Monitoring & Malware | Universal | Are malicious code protection software products from multiple vendors used?
595 | Monitoring & Malware | Universal | Is the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the system, addressed?
596 | Monitoring & Malware | Universal | Are malicious code protection mechanisms centrally managed?
597 | Monitoring & Malware | Universal | Does the system automatically update malicious code protection mechanisms?
598 | Monitoring & Malware | Universal | Does the system prevent users from circumventing host-based malicious code protection capabilities?
599 | Monitoring & Malware | Universal | Does the system update malicious code protection mechanisms only when directed by a privileged user?
600 | Monitoring & Malware | Universal | Are users prohibited from introducing removable media into the system?
601 | Monitoring & Malware | Universal | Does the system implement malicious code protection mechanisms to identify data containing malicious code and respond accordingly when the system encounters data not explicitly allowed by the security policy?
602 | Monitoring & Malware | Universal | Does the use of mechanisms to centrally manage malicious code protection avoid degrading the operational performance of the system?
603 | Monitoring & Malware | Universal | Are periodic security vulnerability assessments conducted according to the risk management plan?
604 | Monitoring & Malware | Universal | Is the system updated to address any identified vulnerabilities in accordance with the system maintenance policy?
605 | Monitoring & Malware | Universal | Are events on the system monitored?
606 | Monitoring & Malware | Universal | Are system attacks detected? (Attacks can be detected via log monitoring, IDS monitoring, and signatures/indicators.)
607 | Monitoring & Malware | Universal | Is unauthorized use of the system identified? (e.g., log monitoring)
608 | Monitoring & Malware | Universal | Are monitoring devices deployed strategically to collect essential information within the system to track specific types of transactions of interest?
609 | Monitoring & Malware | Universal | Is the level of system monitoring activity heightened whenever an indication of increased risk exists?
610 | Monitoring & Malware | Universal | Is legal counsel consulted with regard to system monitoring activities?
611 | Monitoring & Malware | Universal | Are individual intrusion detection tools interconnected into a system-wide intrusion detection system?
612 | Monitoring & Malware | Universal | Are automated tools used to support near-real-time analysis of events?
613 | Monitoring & Malware | Universal | Are automated tools used to integrate intrusion detection tools into access control and flow control mechanisms in support of attack isolation and elimination?
614 | Monitoring & Malware | Universal | Does the system monitor inbound and outbound communications for unusual or unauthorized activities or conditions?
615 | Monitoring & Malware | Universal | Does the system provide a real-time alert when indications of compromise or potential compromise occur?
616 | Monitoring & Malware | Universal | Does the system prevent users from circumventing host-based intrusion detection and prevention capabilities?
617 | Monitoring & Malware | Universal | Does the system notify a list of incident response personnel of suspicious events and take the least disruptive actions to terminate suspicious events?
618 | Monitoring & Malware | Universal | Is information obtained from intrusion monitoring tools protected from unauthorized access, modification, and deletion?
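Questions 605 through 607 and 615 ask whether events are monitored, whether attacks and unauthorized use are identified from logs, and whether an alert is raised in real time. The following is an added example for this page, not part of the CSET instrument: detection logic of that kind run over a handful of constructed syslog-style SSH authentication lines. It raises a brute-force alert when a source exceeds a failure threshold inside a time window, flags a successful login that follows such failures, and flags any successful login by an account outside a constructed allowlist. Host names, addresses, users and thresholds are all made up for the demo.

```python
"""Added example (not part of the CSET instrument): detection logic of the
kind questions 605-607 and 615 ask about, run over a few constructed
syslog-style authentication lines. Hosts, users, addresses and thresholds
are all made up for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

AUTHORIZED_USERS = {"operator", "maint"}  # constructed allowlist for question 607
FAIL_THRESHOLD = 4                        # failures per source inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed log lines: a password-guessing burst that ends in a success,
# a normal maintenance login, and a login by an account that is not on the list.
SAMPLE_LOG = """\
2025-06-01T02:14:01 hmi-01 sshd[2201]: Failed password for operator from 203.0.113.9
2025-06-01T02:14:05 hmi-01 sshd[2203]: Failed password for operator from 203.0.113.9
2025-06-01T02:14:09 hmi-01 sshd[2205]: Failed password for invalid user admin from 203.0.113.9
2025-06-01T02:14:13 hmi-01 sshd[2207]: Failed password for invalid user root from 203.0.113.9
2025-06-01T02:14:20 hmi-01 sshd[2209]: Accepted password for operator from 203.0.113.9
2025-06-01T08:00:00 hmi-01 sshd[3100]: Accepted password for maint from 10.0.0.5
2025-06-01T08:05:00 hmi-01 sshd[3150]: Accepted password for contractor from 10.0.0.7
"""


def parse(text: str):
    """Yield one dict per recognised line; lines that do not match are ignored."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            yield d


def detect(text: str) -> list:
    """Return alerts in log order; each is (timestamp, rule, detail)."""
    alerts, failures = [], defaultdict(list)
    for ev in parse(text):
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            # Keep only failures still inside the sliding window, then add this one.
            failures[src] = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            if len(failures[src]) == FAIL_THRESHOLD:  # fire once per burst, not on every extra failure
                alerts.append((ts, "brute_force", f"{len(failures[src])} failures from {src}"))
            continue
        # Accepted login: check the account, then whether it follows a guessing burst.
        if ev["user"] not in AUTHORIZED_USERS:
            alerts.append((ts, "unauthorized_user", f"{ev['user']} from {src}"))
        if any(ts - t <= WINDOW for t in failures[src]):
            alerts.append((ts, "success_after_failures", f"{ev['user']} from {src}"))
    return alerts


def demo() -> list:
    """Rule/detail pairs for the constructed log, without timestamps."""
    return [(rule, detail) for _, rule, detail in detect(SAMPLE_LOG)]


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: {detail}")
```

The "success after failures" rule is the one that matters most for question 615: a burst of failures alone is noise on an Internet-facing host, but a success from the same source inside the window is an indication of compromise that should page someone rather than wait for the next log review.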

619 | Monitoring & Malware | Universal | Are intrusion monitoring tools tested on a defined time period?
620 | Monitoring & Malware | Universal | Is encrypted traffic visible to system monitoring tools?

621 | Monitoring & Malware | Universal | Does the use of monitoring tools and techniques avoid adversely impacting the operational performance of the system?
622 | Monitoring & Malware | Universal | Are spam protection mechanisms used at system entry points and at workstations, servers, or mobile computing devices?
623 | Monitoring & Malware | Universal | Are spam protection mechanisms updated when new releases are available in accordance with configuration management policy and procedures?
624 | Monitoring & Malware | Universal | Are spam protection software products from multiple vendors used?
625 | Monitoring & Malware | Universal | Are spam protection mechanisms centrally managed, and has the risk of employing mechanisms to centrally manage spam protection on a system been considered?
626 | Monitoring & Malware | Universal | Does centrally managed spam protection avoid degrading the operational performance of the system?
627 | Monitoring & Malware | Universal | Have you considered the risks of automatically updating spam protection mechanisms on high-availability systems?
628 | Monitoring & Malware | Universal | Does the system include components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, analyzing, and tracking such attacks? (e.g., honeypots)
629 | Monitoring & Malware | Universal | Does the system include components that proactively seek to identify Web-based malicious code?

630 | Monitoring & Malware | Universal | Are vulnerability scans performed on the system on a defined frequency and randomly in accordance with company policy?
631 | Monitoring & Malware | Universal | Are vulnerability scanning tools and techniques used that promote interoperability among tools and automate parts of the vulnerability management process by using standards for (a) enumerating platforms, software flaws, and improper configurations; (b) formatting and making transparent checklists and test procedures; and (c) measuring vulnerability impact?
632 | Monitoring & Malware | Universal | Is information obtained from the vulnerability scanning process shared with designated personnel throughout the organization?
633 | Monitoring & Malware | Universal | Are vulnerability scanning tools used that include the capability to readily update the list of system vulnerabilities scanned?
634 | Monitoring & Malware | Universal | Is the list of system vulnerabilities scanned updated on a defined frequency or when new vulnerabilities are identified and reported?
635 | Monitoring & Malware | Universal | Are there vulnerability scanning procedures that can demonstrate the breadth and depth of coverage?
636 | Monitoring & Malware | Universal | Does the organization attempt to discern what information about the system is discoverable by adversaries?
637 | Monitoring & Malware | Universal | Is security testing performed to determine the level of difficulty in circumventing the security controls of the system?
638 | Monitoring & Malware | Universal | Are privileged-access vulnerability scans performed on selected system components?
639 | Monitoring & Malware | Universal | Are automated mechanisms used to compare the results of vulnerability scans over time to determine trends in system vulnerabilities?
640 | Monitoring & Malware | Universal | Are automated mechanisms used on a defined frequency to detect the presence of unauthorized software on organizational systems and notify designated officials?
641 | Continuity | Universal | Are backups of critical system software, applications, and data created and secured?
642 | Continuity | Universal | Is normal operation of the system resumed in accordance with its policies and procedures after a security event?
643 | Continuity | Universal | Is an alternate storage site identified, and are agreements in place to permit the storage of system configuration information?
644 | Continuity | Universal | Are potential accessibility problems at the alternate storage site identified in the event of an area-wide disruption or disaster, and are explicit mitigation actions outlined?
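Question 639 asks whether scan results are compared over time to establish trends. The following is an added example for this page, not part of the CSET instrument: three constructed scan snapshots, each a set of (host, vulnerability id, severity) findings, diffed scan-to-scan into new, persisting and remediated findings, with per-severity counts and the age of the oldest still-open finding, which is the number that tells you whether remediation is keeping pace. The host names, vulnerability identifiers and dates are made up; a real run would load them from the scanner's export.

```python
"""Added example (not from the CSET instrument): comparing vulnerability scan
results over time, as question 639 asks, to show which findings are new,
which persist and which were remediated, plus a per-severity trend. The
scan snapshots, host names and vulnerability identifiers are constructed."""
from collections import Counter
from datetime import date

# Each snapshot: scan date and a set of (host, vulnerability id, severity).
SCANS = [
    (date(2025, 4, 1), {
        ("hmi-01", "VULN-A", "high"), ("hmi-01", "VULN-B", "medium"),
        ("hist-01", "VULN-C", "critical"), ("hist-01", "VULN-D", "low"),
    }),
    (date(2025, 5, 1), {
        ("hmi-01", "VULN-A", "high"), ("hist-01", "VULN-D", "low"),
        ("hist-01", "VULN-E", "high"),
    }),
    (date(2025, 6, 1), {
        ("hmi-01", "VULN-A", "high"), ("hist-01", "VULN-E", "high"),
        ("eng-ws-01", "VULN-F", "critical"),
    }),
]

SEVERITIES = ("critical", "high", "medium", "low")


def diff(previous: set, current: set) -> dict:
    """Set arithmetic on finding tuples: what appeared, what disappeared, what stayed."""
    return {
        "new": sorted(current - previous),
        "remediated": sorted(previous - current),
        "persisting": sorted(previous & current),
    }


def _first_seen(scans) -> dict:
    """Date on which each finding first appeared in any scan."""
    first = {}
    for when, findings in scans:
        for f in findings:
            first.setdefault(f, when)
    return first


def trend(scans) -> list:
    """Per-scan severity counts and, against the prior scan, what changed."""
    first_seen, rows, previous = _first_seen(scans), [], set()
    for when, findings in scans:
        d = diff(previous, findings)
        counts = Counter(sev for _, _, sev in findings)
        # Age of the oldest open finding shows whether remediation keeps up with discovery.
        oldest_days = max((when - first_seen[f]).days for f in findings) if findings else 0
        rows.append({
            "date": when.isoformat(),
            "counts": {s: counts.get(s, 0) for s in SEVERITIES},
            "new": len(d["new"]), "remediated": len(d["remediated"]),
            "persisting": len(d["persisting"]), "oldest_open_days": oldest_days,
        })
        previous = findings
    return rows


def overdue(scans, max_age_days: int = 45) -> list:
    """Findings still open in the latest scan for longer than max_age_days."""
    first_seen = _first_seen(scans)
    latest_date, latest = scans[-1]
    return sorted(f for f in latest if (latest_date - first_seen[f]).days > max_age_days)


if __name__ == "__main__":
    for row in trend(SCANS):
        print(row)
    print("overdue:", overdue(SCANS))
```

Comparing on the full (host, id, severity) tuple rather than on totals is deliberate: two scans with the same count of "high" findings can hide a fully churned set, and it is the findings that persist across scans, not the count, that the trend question is really about.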

645 | Continuity | Universal | Is an alternate storage site identified that is geographically separated from the primary storage site?
646 | Continuity | Universal | Is the alternate storage site configured to facilitate timely and effective recovery operations?
647 | Continuity | Universal | Are alternate command/control methods identified, and are agreements in place to permit the resumption of operations within a defined time period when the primary system capabilities are unavailable?
648 | Continuity | Universal | Do primary and alternate telecommunications service agreements contain priority-of-service provisions in accordance with the availability requirements?
649 | Continuity | Universal | Do alternate telecommunications services avoid sharing a single point of failure with primary telecommunications services (e.g., radio and leased lines)?
650 | Continuity | Universal | Are alternate telecommunications service providers sufficiently separated from primary service providers?
651 | Continuity | Universal | Do primary and alternate telecommunications service providers have adequate contingency plans?

652 | Continuity | Universal | Are the necessary communications for the alternate control center identified, and are agreements in place to permit the resumption of system operations for critical functions within a defined time period when the primary control center is unavailable?
653 | Continuity | Universal | Is an alternate control center identified that is geographically separated from the primary control center?
654 | Continuity | Universal | Are potential accessibility problems to the alternate control center identified in the event of an area-wide disruption or disaster, and are explicit mitigation actions outlined?

655 | Continuity | Universal | Are alternate control center agreements in place that contain priority-of-service provisions in accordance with the availability requirements?
656 | Continuity | Universal | Is the alternate control center fully configured to be used as the operational site supporting a minimum required operational capability?
657 | Continuity | Universal | Does the alternate processing site provide information security measures equivalent to those of the primary site?
658 | Continuity | Universal | Are backups of user-level information contained in the system performed on a defined frequency? (user account)
659 | Continuity | Universal | Are backups of system-level information contained in the system performed on a defined frequency?

660 | Continuity | Universal | Are the confidentiality and integrity of backup information protected at the storage location?
661 | Continuity | Universal | Is backup information periodically tested to verify media reliability and information integrity?
662 | Continuity | Universal | Is backup information selectively used in the restoration of system functions as part of contingency plan testing?
663 | Continuity | Universal | Are backup copies of the operating system and other critical system software stored in a separate facility or in a fire-rated container that is not collocated with the operational software?
664 | Continuity | Universal | Is there a capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure?
665 | Continuity | Universal | Is there transaction recovery for systems that are transaction-based?
666 | Continuity | Universal | Is there a capability to re-image system components within defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components?
667 | Continuity | Universal | Is the system able to execute an appropriate fail-safe procedure upon the loss of communications with the system or the loss of the system itself?
668 | Continuity | Universal | Does the system preserve system state information on failure?

669 | Info Protection | Universal | Do only authorized users have access to information in printed form or on digital media?

670 | Info Protection | Universal | Are automated mechanisms (e.g., card or keypad entry) used to ensure and audit authorized access to media storage areas?
671 | Info Protection | Universal | Are all removable information storage media and system output reviewed and classified to determine distribution limitations?
673 | Info Protection | Universal | Is there a defined list of media types or hardware components exempted from marking as long as the exempted items remain within the protected environment?
674 | Info Protection | Universal | Does the system mark output on external media to identify any of the set of special dissemination, handling, or distribution instructions that apply to system output, using human-readable, standard naming conventions?
675 | Info Protection | Universal | Is system media securely stored within protected areas?
676 | Info Protection | Universal | Does the sensitivity of the material determine how the media are stored?
677 | Info Protection | Universal | Are defined types of digital and non-digital media protected during transport outside controlled areas?

678

Info Protection

Universal

Is accountability for system media maintained during transport outside controlled areas?

679

Info Protection

Universal

Are the activities associated with transport of media restricted to authorized personnel?

680

Info Protection

Universal

681
682
683

Info Protection
Info Protection
Info Protection

Universal
Universal
Universal

684

Info Protection

Universal

685

Info Protection

Universal

686

Info Protection

Universal

687

Info Protection

Universal

688

Info Protection

Universal

689

Info Protection

Universal

690

Info Protection

Universal

691

Access Control

Universal

692

Info Protection

Universal

693

Info Protection

Universal

694

Info Protection

Universal

695

Information and
Document
Management

Universal

Are activities associated with the transport of system media documented using a defined
system of records?
Is a custodian identified throughout the transport of system media?
Is system digital and nondigital media sanitized before disposal or release for reuse?
Are media sanitization and disposal actions tracked, documented, and verified?
Are sanitization equipment and procedures periodically tested to verify correct
performance?
Are the individuals designated who are authorized to post information onto an
organizational system that is publicly accessible?
Are authorized individuals trained to ensure that publicly accessible information does not
contain nonpublic information?
Is the proposed content of publicly accessible information reviewed prior to posting?
Is the content on the publicly accessible organizational information system reviewed on a
routine interval?
Is nonpublic information removed from publicly accessible information systems if
discovered?
Is all information classified to indicate the protection required in accordance with its
sensitivity and consequence?
Are formal contractual and confidentiality agreements established for the exchange of
information and software between the organization and external parties?
Is information that requires special control or handling periodically reviewed to
determine whether such special handling is still required?
Is removable system media and system output marked indicating the distribution
limitations, handling caveats, and applicable security markings?
Is there a list of media types or hardware components that is exempt from marking as
long as the exempted items remain within the organization-defined protected
environment?
Does the system automatically label information in storage, in process, and in
transmission in accordance with access control requirements?

696

697

698

699

700

701

702

703

704

705

706

Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
Information and
Document
Management

Universal

Is information labeled in storage, in process, and in transmission in accordance with
special dissemination, handling, or distribution instructions?

Universal

Does the system automatically label information in storage, in process, and in
transmission as required by the system security policy?

Universal

Does the system dynamically reconfigure security attributes in accordance with an
identified security policy as information is created and combined?

Universal

Does the system allow authorized entities to change security attributes?

Universal

Does the system maintain the binding of security attributes to information with sufficient
assurance that the information attribute association can be used as the basis for
automated policy actions?

Universal

Does the system allow authorized users to associate security attributes with information?

Universal

Universal

Universal

Universal

Universal

Does the system display security attributes in human-readable form on each objectoutput from the system-to-system output devices to identify special dissemination,
handling, or distribution instructions?
Is administrator and user guidance for the system obtained, protected and provided that
includes configuring, installing, and operating the system and use of the system's security
features?
Is vendor/contractor information obtained, protected, and made available to authorized
personnel that describes the functional properties of the security controls within the
system?
Is vendor/contractor information obtained, protected, and made available to authorized
personnel that describes the design and implementation details of the security controls
within the system?
Is vendor/contractor information obtained, protected, and made available to authorized
personnel that describes the security-relevant external interfaces to the system?

707

708

709
710
711

Information and
Document
Management
Information and
Document
Management
Information and
Document
Management
System and Services
Acquisition
System and Services
Acquisition

Universal

Are software and associated documentation used in accordance with contract
agreements and copyright laws?

Universal

Are tracking systems used to control copying and distribution of software and associated
documentation protected by quantity licenses?

Universal
Universal
Universal

712

System and Services
Acquisition

Universal

713

System and Services
Acquisition

Universal

714

System and Services
Acquisition

Universal

715
716
717
718
719

System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition

Universal
Universal
Universal
Universal
Universal

Is the use of accessible peer-to-peer file sharing technology controlled and documented
to ensure that it is not used for the unauthorized distribution, display, performance, or
reproduction of copyrighted work?
Are security functional requirements and specifications included in system acquisition
contracts based on an assessment of risk?
Are security-related documentation requirements included in system acquisition
contracts based on an assessment of risk?
Are developmental and evaluation-related assurance requirements (acceptance testing,
compliance documentation) included in system acquisition contracts based on an
assessment of risk?
Do acquisition documents require that vendors/contractors provide information
describing the functional properties of the security controls employed within the system?
Do acquisition documents require that vendors/contractors provide information
describing the design and implementation details of the security controls employed
within the system?
Is the acquisition of commercial technology products with security capabilities limited to
products that have been evaluated and validated?
Are system security engineering principles applied in the specification, design,
development, and implementation of the system?
Are software development standards and practices for trustworthy software used
throughout the development life cycle?
Are software practices used to reduce buffer overflows and unsafe string management
for languages that have unsafe operations?
As part of trustworthy software development are commercially available tools employed,
including a robust set of data validation and software quality assurance?

720
721
722
723
724
725
726
727
728
729
730
731
732
733
734

System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition

Universal
Universal
Universal
Universal
Universal
Universal

Are providers of external system services required to employ security controls in
accordance with applicable, policies, regulations, standards, guidance, and established
service level agreements?
Are government oversight and user roles and responsibilities defined with regard to
external system services?
Is security control compliance by external service providers monitored?
Are system developers/integrators required to implement and document a configuration
management process that manages and controls changes to the system during design,
development, implementation, and operation?
Are system developers/integrators required to implement and document a configuration
management process that tracks security flaws?
Are system developers/integrators required to implement and document a configuration
management process that includes organizational approval of changes?

Universal

Are system developers/integrators required to provide an integrity check of software?

Universal

Is an alternative configuration management process provided in the absence of a
dedicated developer/integrator configuration management team?

Universal

Does the system developer have a security test and evaluation plan?

Universal

Does the system developer have a verifiable error remediation process to correct
weaknesses and deficiencies identified during the security testing and evaluation process?

Universal
Universal
Universal

Does the system developer/integrator document the result of the security
testing/evaluation and error remediation processes?
Does the system developer/integrator employ code analysis tools to examine software
for common flaws and document the results of the analysis?
Does the system developer/integrator perform a vulnerability analysis to document
vulnerabilities, exploitation potential, and risk mitigations?

Universal

Is the test and evaluation plan under independent verification and validation?

Universal

Are supply chain vulnerabilities protected from threats initiated against organizations,
people, information, and resources that provide products or services to the organization?

735
736
737
738
739
740
741
742

System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition
System and Services
Acquisition

Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal

743

Maintenance

Universal

744

Maintenance

Universal

745

Maintenance

Universal

746

Maintenance

Universal

747

Maintenance

Universal

748

Maintenance

Universal

749

Maintenance

Universal

Are all anticipated system components and spares purchased in the initial acquisition?
Are trusted intermediaries used for purchasing contract services, acquisitions, or logistical
activities during the system life cycle?
Is a due diligence review conducted of suppliers prior to entering into contractual
agreements to acquire system hardware, software, firmware, or services?
Is trusted shipping and warehousing used for systems, components, and technology
products?
Are a diverse set of suppliers used for systems, components, technology products, and
system services?
Are standard configurations used for systems, components, and technology products?
Is the time between purchase decisions and delivery minimized for systems, components,
and technology products?
Are independent analysis and penetration testing performed on delivered systems,
components, and technology products?
Are security requirements for the system reviewed and followed before undertaking any
unplanned maintenance activities?
Does unplanned maintenance documentation include: (a) date and time, (b) name of the
those performing the maintenance, (c) escorts name, (d) description of the maintenance
performed, and (e) list of equipment removed or replaced?
Is the decision not to perform emergency repairs maintenance after the identification of a
security vulnerability documented and justified?
Are repairs and maintenance scheduled, performed, and documented, and are records
reviewed in accordance with manufacturer or vendor specifications and/or organizational
requirements?
Is the removal of the system or system components from organizational facilities for
offsite maintenance or repairs approved?
Is the equipment sanitized to remove all information from associated media prior to
removal from organizational facilities for offsite maintenance or repairs?
Are all potentially impacted security controls checked to verify that the controls are still
functioning properly following maintenance or repair actions?

750

Maintenance

Universal

Are maintenance records for the system maintained and do they include: (a) date and
time, (b) name of those performing the maintenance, (c) escorts name, (d) description of
the maintenance performed, and (e) list of equipment removed or replaced?

751

Maintenance

Universal

Are automated mechanisms used to schedule and document maintenance and repairs?

752

Maintenance

Universal

753

Maintenance

Universal

754

Maintenance

Universal

755

Maintenance

Universal

756

Maintenance

Universal

757

Maintenance

Universal

758

Maintenance

Universal

759

Maintenance

Universal

760

Maintenance

Universal

761

Maintenance

Universal

762

Maintenance

Universal

763

Maintenance

Universal

764

Maintenance

Universal

765

Maintenance

Universal

Is the use of system maintenance tools approved and monitored?
Are all maintenance software tools carried into a facility inspected for obvious improper
modifications?
Are all media containing diagnostic and test programs checked for malicious code before
the media are used in the system?
Is the unauthorized removal of maintenance equipment prevented by one of the
following: (a) verifying that no organizational information is contained on the equipment,
(b) sanitizing or destroying the equipment, (c) retaining the equipment within the facility,
or (d) obtaining an exemption from a designated organization official explicitly authorizing
removal of the equipment?
Are automated mechanisms used to restrict the use of maintenance tools to authorized
personnel only?
Are maintenance software tools used with care on system networks to ensure that
system operations will not be degraded by their use?
Are only authorized and qualified organization or vendor personnel allowed to perform
maintenance on the system?
Are remotely executed maintenance and diagnostic activities authorized, monitored, and
controlled?
Are remote maintenance and diagnostic tools used only as consistent with policy and
documented in the security plan for the system?
Are records for remote maintenance and diagnostic activities maintained?
Are all sessions and remote connections terminated when remote maintenance is
completed?
Are passwords changed following each remote maintenance session if password-based
authentication is used to accomplish remote maintenance?
Are remote maintenance and diagnostic sessions audited and do designated
organizational personnel review the maintenance records of the remote sessions?
Is the installation and use of remote maintenance and diagnostic links documented?

766

Maintenance

Universal

767

Maintenance

Universal

768

Maintenance

Universal

769

Maintenance

Universal

770

Maintenance

Universal

771

Maintenance

Universal

772

Maintenance

Universal

773
774
775
776
777
778
779

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability

Universal
Universal
Universal
Universal
Universal
Universal
Universal

Are remote maintenance or diagnostic services required to be performed from a system
that implements a level of security at least as high as that implemented on the system
being serviced, or is the component to be serviced sanitized and removed from the
system prior to remote maintenance or diagnostic services?
Is the authorized firmware code checked or reinstalled as specified by the configuration
management plan, and are all authorized embedded configuration settings reset after
component servicing and return of the component to the facility but before reconnecting
the component to the system?
Are the remote maintenance sessions protected by a strong authenticator tightly bound
to the user?
Do maintenance personnel notify the system administrator when remote maintenance is
planned, and does a designated official with specific security/system knowledge approve
the remote maintenance?
Are cryptographic mechanisms used to protect the integrity and confidentiality of remote
maintenance and diagnostic communications?
Is remote disconnect verification used at the termination of remote maintenance and
diagnostic sessions?
Is there maintenance support and spare parts for security-critical system components
within the period of failure?
Is there a frequency of auditing for each identified auditable event?
Is the security audit function coordinated with other organizational entities requiring
audit-related information?
Are auditable events adequate to support after-the-fact investigations of security
incidents?
Are the events to be audited adjusted within the system based on current threat
information and ongoing assessments of risk?
Is the list of defined auditable events reviewed and updated on a defined frequency?
Is execution of privileged functions (account creations, modifications, and object
permission changes) included in the list of events to be audited by the system?
Are audit records produced that contain sufficient information to establish what events
occurred, when the events occurred, where the events occurred, the sources of the
events, and the outcomes of the events?

780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability

Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal

Is there the capability to include additional, more detailed information in the audit
records for audit events identified by type, location, or subject?
Is there the capability to centrally manage the content of audit records generated by
individual hardware and/or software components throughout the system?
Is there sufficient audit record storage capacity allocated and is auditing configured to
reduce the likelihood of such capacity being exceeded?
Does the system alert designated organizational officials in the event of an audit
processing failure?
Does the system take the following actions: (e.g., shutdown system, overwrite oldest
audit records, stop generating audit records).
Does the system provide a warning when allocated audit record storage volume reaches a
defined percentage of maximum storage capacity?
Is there a real-time alert when any defined event occurs?
Does the system enforce configurable traffic volume thresholds representing auditing
capacity for network traffic, and does the system either reject or delay network traffic
above those thresholds?
Are system audit records reviewed and analyzed on a defined frequency, and are findings
reported to designated officials?
Is the level of audit review, analysis, and reporting within the system adjusted when a
change in risk exists?
Are automated mechanisms used to integrate audit review, analysis, and reporting into
processes for investigation and response to suspicious activities?
Are audit records analyzed and correlated across different repositories?
Are automated mechanisms used to centralize audit review and analysis of audit records
from multiple components within the system?
Is the analysis of audit records integrated with analysis of performance and network
monitoring information?

Universal

Does the system provide an audit reduction and report generation capability?

Universal

Is there the capability to automatically process audit records for events of interest based
on selectable event criteria?

796
797
798
799
800

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability

Universal

Does audit record processing avoid degrading the operational performance of the
system?

Universal

Does the system use internal system clocks to generate time stamps for audit records?

Universal

Does the system synchronize internal system clocks on a defined frequency?

Universal
Universal

801

Audit and
Accountability

Universal

802

Audit and
Accountability

Universal

803

Audit and
Accountability

Universal

804

Audit and
Accountability

Universal

805
806
807
808
809
810

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability

Universal
Universal

Does the system protect audit information and audit tools from unauthorized access,
modification, and deletion?
Does the system produce audit records on hardware-enforced, write-once media (e.g.,
CD, DVD, etc.)?
Are audit logs retained for a defined time period to provide support for after-the-fact
investigations of security incidents and to meet regulatory and organizational information
retention requirements?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures conform to the requirements and relevant
legislation or regulations?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures conform to the identified information security
requirements?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures are effectively implemented and maintained?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures perform as expected?
Are audits conducted at planned intervals to determine whether the security objectives,
measures, processes, and procedures identify inappropriate activities?

Universal

Does the audit program specify the auditor qualifications?

Universal

Are the auditor and system administration functions assigned to separate personnel?

Universal
Universal

Do the audit program specify strict rules and careful use of audit tools when auditing
system functions, especially with legacy systems?
Is extra care taken to ensure that automated scanning tools used on the business
networks do not scan the ICS network by mistake?

811
812
813
814
815

816

817
818
819
820
821
822
823
824

Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability
Audit and
Accountability

Universal

Is compliance to the security policy demonstrated through audits in accordance with the
audit program?

Universal

Does the system provide audit record generation capability for the auditable events?

Universal
Universal
Universal

Universal

Universal
Universal
Universal
Universal
Universal
Universal
Universal
Universal

Does the system provide audit record generation capability of the defined system
components?
Are authorized users allowed to select which auditable events are to be audited by
specific components of the system?
Are audit records generated for the selected list of auditable events?
Does the system provide the capability to compile audit records from multiple
components within the system into a systemwide audit trail that is time-correlated to
within a defined level of tolerance (e.g., time sync on audit logs, centralized log server,
etc.)?
Is open source information monitored for evidence of unauthorized release or disclosure
of organizational information?
Does the system provide the capability to capture, record, and log all content related to a
user session where it is required?
Does the system provide the capability to remotely view all content related to an
established user session in real time where legally required?
Are audits of system changes done at a defined frequency, and when indications warrant
to determine whether unauthorized changes have occurred?
Is the level of audit review, analysis, and reporting adjusted when there is a change in
risk?
Are automated mechanisms used to integrate audit review, analysis, and reporting for
investigation and response to suspicious activities?
Are automated mechanisms used to centralize audit review and analysis records from
multiple components within the system?
Is analysis of audit records integrated with analysis of performance and network
monitoring information to identify inappropriate or unusual activity?


File Type: application/pdf
Author: INL
File Modified: 2015-08-06
File Created: 2015-08-06
