Form FR 1400C: Vendor Risk Management Offeror Questionnaire

Procurement Solicitation Package

FR1400C_20190501_f

OMB: 7100-0180

OMB No. 7100-0180
Approval Expires May 2022

FR 1400C

Offeror Questionnaire
The Offeror shall complete the entire questionnaire for the application that will be used to meet the requirements of the solicitation that processes, stores and/or transmits data from the Board of Governors of the Federal Reserve System. The questions below refer to the specific application's controls. The Offeror shall enter answers in Columns C and D. If the control does not apply, select "Other" AND enter a comment (required).

For guidance on each question, reference the control listed in Column E in the NIST SP 800-53 r4 publication.

Link to NIST 800-53 r4 Publication

Solicitation Number:
Title:
Columns: Control/Control Questions | Selection Options (Enter Response in Column C & D) | Offeror's Response | Offeror's Response Explanation/File Name

ACCESS CONTROL

AC-2 (Low)
Do you permit the use of guest or anonymous type accounts?
Options: 1-no; 2-other; 3-yes
Do you disable or change the default password for default accounts?
Options: 1-yes; 2-other; 3-no
Do you allow for group level access? If yes, please explain design criteria
Options: 1-no; 2-other; 3-yes
Do you require a designated individual to approve account creation?
Options: 1-no; 2-other; 3-yes
Do you have a repeatable process for activating, modifying, disabling, and removing accounts?
Options: 1-yes; 2-other; 3-no
Do you guarantee the deactivation of inactive accounts within a set period of time?
Options: 1-yes, 180 days; 2-yes, <180 days; 3-other; 4-no
Do you periodically review system accounts and provide customers with a list of accounts to review?
Options: 1-yes; 2-no; 3-explain

AC-3 (Low and Moderate)
Do you have the capability to limit access to the information system or service?
Options: 1-yes; 2-other; 3-no
Do you limit access privileges on accounts?
Options: 1-yes; 2-other; 3-no

AC-7 (Low and Moderate)
Do you automatically suspend accounts after a maximum number of unsuccessful login attempts?
Options: 1-yes; 2-other; 3-no
Do you require an administrator-level user to unlock suspended accounts?
Options: 1-yes; 2-other; 3-no

AC-8 (Low and Moderate)
Do you have the capability to display a customized system usage notification for the Federal Reserve Board?
Options: 1-yes; 2-other; 3-no

AC-14 (Low and Moderate)
Are users given access without authentication? If yes, please explain.
Options: 1-no; 2-other; 3-yes

Are the actions of an unauthenticated user only extended to necessary functions?
Options: 1-n/a; 2-yes; 3-other; 4-no

AC-17 (Low)
Do you authorize and monitor remote access to your systems?
Options: 1-no; 2-other; 3-yes

AC-18 (Low)
Do you deploy wireless network access?
Options: 1-no; 2-other; 3-yes
If so, do you monitor for unauthorized access and enforce requirements for connectivity?
Options: 1-yes; 2-other; 3-no

AWARENESS TRAINING

AT-2, AT-3 & AT-4 (Low and Moderate)
Do you require your employees to go through security awareness training?
Options: 1-yes; 2-other; 3-no
If so, is the training based on an employee’s role in the organization?
Options: 1-yes; 2-other; 3-no
Do you keep records of employee training?
Options: 1-yes; 2-other; 3-no

AUDIT AND ACCOUNTABILITY

AU-2 (Low)
Do you generate audit records that identify users and when they accessed the information system or service?
Options: 1-yes; 2-other; 3-no

Do you generate audit records that identify users and when they accessed the application?
Options: 1-yes; 2-other; 3-no
Do you generate audit records that identify unauthorized access attempts to your service/system?
Options: 1-yes; 2-other; 3-no
Do you generate audit records that identify failed access attempts to your application?
Options: 1-yes; 2-other; 3-no

AU-3 (Low)
Do the audit records for your system/service contain information to establish what event occurred, when (date and time) the event occurred, where the event occurred, the sources of the event, the success or failure of the event, and the identity of subjects associated with the event?
Options: 1-yes; 2-other; 3-no
Do the audit records for your application contain information to establish what event occurred, when (date and time) the event occurred, where the event occurred, the sources of the event, the success or failure of the event, and the identity of subjects associated with the event?
Options: 1-yes; 2-other; 3-no

AU-4 (Low and Moderate)
Do you have audit record storage capacity to maintain audit records for your system/service?
Options: 1-yes; 2-other; 3-no
If yes, for what length of time?
Options: 1-more than 12 months; 2-12 months; 3-less than 12 months
Do you have audit record storage capacity to maintain audit records for your application?
Options: 1-yes; 2-other; 3-no

If yes, for what length of time?
Options: 1-more than 12 months; 2-12 months; 3-less than 12 months

AU-5 (Low and Moderate)
Do you create alerts in the event of an audit processing failure in your system/service?
Options: 1-yes; 2-other; 3-no
Do you create alerts in the event of an audit processing failure in your application?
Options: 1-yes; 2-other; 3-no
Does log rotation take place for your system/service prior to truncation or overwriting?
Options: 1-yes; 2-other; 3-no
Does log rotation take place for your application prior to truncation or overwriting?
Options: 1-yes; 2-other; 3-no

AU-6 (Low and Moderate)
Are review and analysis conducted on system audit records for inappropriate or unusual activity?
Options: 1-yes; 2-other; 3-no
If so, what is the frequency?
Options: 1-daily; 2-weekly; 3-monthly; 4-other
Are review and analysis conducted on application audit records for inappropriate or unusual activity?
Options: 1-yes; 2-other; 3-no
If so, what is the frequency?
Options: 1-daily; 2-weekly; 3-monthly; 4-other

Do you deploy automated mechanisms to integrate audit reviews, analysis, and reporting?
Options: 1-yes; 2-other; 3-no
Are audit records across different repositories correlated and reviewed to gain a better understanding of system-wide events?
Options: 1-yes; 2-other; 3-no

AU-8 (Low)
Do you use a common system clock for deployed information systems?
Options: 1-yes; 2-other; 3-no

AU-9 (Low)
Do you have protections in place to prevent unauthorized access to audit information?
Options: 1-yes; 2-other; 3-no
If so, please explain the controls.
Options: answer in column D

AU-11 (Low and Moderate)
Do you maintain audit records online for a minimum of four weeks and offline for a minimum of a year?
Options: 1-yes; 2-other; 3-no

AU-12 (Low and Moderate)
Do you provide a centralized audit repository that allows for event correlation and by-system reporting?
Options: 1-yes; 2-other; 3-no

SECURITY ASSESSMENT AND AUTHORIZATION

CA-2 (Low)
Do you have a security assessment plan that determines security control effectiveness and that produces an appropriate mitigation plan from the results of the assessment?
Options: 1-yes; 2-other; 3-no

CA-3 (Low)
Do you create contractual agreements for your third-party service providers?
Options: 1-yes; 2-other; 3-no
Are your third-party service providers’ system connections documented with the interface characteristics, security requirements, and the nature of the communication?
Options: 1-yes; 2-other; 3-no
Are system connections monitored for enforcement of security requirements?
Options: 1-yes; 2-other; 3-no

CA-5 (Low and Moderate)
Do you develop plans of action and milestones for remediation of deficiencies and weaknesses identified in your systems?
Options: 1-yes; 2-other; 3-no

CA-6 (Low and Moderate)
Do you employ a senior-level executive or manager to ensure effective risk management?
Options: 1-yes; 2-other; 3-no

CA-7 (Low)
Do you apply continuous monitoring for configuration management and for security control assessment of your systems?
Options: 1-yes; 2-other; 3-no

CA-9 (Low and Moderate)
Do you document interconnections with the interface characteristics and security requirements for all system connections?
Options: 1-yes; 2-other; 3-no

CONFIGURATION MANAGEMENT

CM-2 (Low)
Do you have and maintain a documented baseline configuration for each type of system?
Options: 1-yes; 2-other; 3-no

CM-4 (Low and Moderate)
Do you have qualified security professionals conduct security impact analyses for changes to systems?
Options: 1-yes; 2-other; 3-no

CM-6 (Low and Moderate)
Do you implement mandatory configuration settings for systems and software using approved security configuration checklists?
Options: 1-yes; 2-other; 3-no
If mandatory configurations are not followed, are these exceptions documented and maintained?
Options: 1-yes; 2-other; 3-no
Do you deploy detection mechanisms for the monitoring of unauthorized changes to a system?
Options: 1-yes; 2-other; 3-no

CM-7 (Low)
Do you configure your systems to provide only essential capabilities and specifically prohibit or restrict the use of unnecessary functions, ports, protocols, and/or services?
Options: 1-yes; 2-other; 3-no

CM-8 (Low)
Do you develop, document, review, and update an inventory of your systems?
Options: 1-yes; 2-other; 3-no

CONTINGENCY PLANNING

CP-2 (Low)
Do you create contingency plans that include recovery objectives and restoration priorities?
Options: 1-yes; 2-other; 3-no
Do you have documented contingency roles and responsibilities?
Options: 1-yes; 2-other; 3-no
Do you revise the contingency plans to address changes and problems encountered during contingency plan implementation and testing?
Options: 1-yes; 2-other; 3-no

CP-3 (Low and Moderate)
Do you provide contingency training to your staff on a minimum annual basis?
Options: 1-yes; 2-other; 3-no

CP-4 (Low)
Do you test contingency plans on a minimum annual basis?
Options: 1-yes; 2-other; 3-no
Do you review the contingency plan test results, and identify and take corrective actions?
Options: 1-yes; 2-other; 3-no

CP-9 (Low)
Do you back up user-level information?
Options: 1-yes; 2-other; 3-no
Do you back up system-level information?
Options: 1-yes; 2-other; 3-no
Do you protect the integrity of the backup information?
Options: 1-yes; 2-other; 3-no
Is at least one copy of the backup information stored in a secure offsite location?
Options: 1-yes; 2-other; 3-no

CP-10 (Low)
Are systems recovered or reconstituted to a known state after a disruption, compromise, or failure?
Options: 1-yes; 2-other; 3-no

IDENTIFICATION AND AUTHENTICATION

IA-2 (Low)
Do privileged accounts require multifactor authentication?
Options: 1-yes; 2-other; 3-no

IA-4 (Low and Moderate)

Do you require authorization prior to the creation of user accounts?
Options: 1-yes; 2-other; 3-no
Is each user or device assigned a unique identifier?
Options: 1-yes; 2-other; 3-no
Are identifiers prevented from re-use for a defined time period after being disabled?
Options: 1-yes; 2-other; 3-no
Are identifiers disabled after a period of inactivity?
Options: 1-yes; 2-other; 3-no
Are identifiers deleted when no longer required?
Options: 1-yes; 2-other; 3-no

IA-5 (Low)
Do you have a mechanism to verify a party upon the initial authenticator/credential distribution?
Options: 1-yes; 2-other; 3-no
Do you have an established and implemented procedure for initial authenticator/credential distribution, for lost/compromised or damaged authenticators/credentials, and for revoking authenticators/credentials?
Options: 1-yes; 2-other; 3-no
Do you change default password and settings of authenticators/credentials upon system installation?
Options: 1-yes; 2-other; 3-no
Do you have minimum and maximum lifetime restrictions and re-use conditions on authenticators/credentials?
Options: 1-yes; 2-other; 3-no
Do you protect authenticator/credential content from unauthorized disclosure and modification?
Options: 1-yes; 2-other; 3-no
Do you enforce minimum password complexity?
Options: 1-yes; 2-other; 3-no
Do you encrypt passwords in storage and in transmission?
Options: 1-yes; 2-other; 3-no
If multi-factor authentication is offered, does the authentication assurance level meet that of NIST 800-63 Level 4 authentication?
Options: 1-yes; 2-other; 3-no

IA-6 (Low and Moderate)
Do you obscure feedback information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals?
Options: 1-yes; 2-other; 3-no
Do you obscure feedback information during the authentication process to protect the application from possible exploitation/use by unauthorized individuals?
Options: 1-yes; 2-other; 3-no

IA-7 (Low and Moderate)
What cryptologic algorithms are used by your system?
Options: answer in column D
Are they FIPS 140-2 compliant?
Options: 1-yes; 2-other; 3-no
What cryptologic algorithms are used by your application?
Options: answer in column D
Are they FIPS 140-2 compliant?
Options: 1-yes; 2-other; 3-no

IA-8 (Low and Moderate)
Will non-Federal Reserve Board systems and users that connect to the Federal Reserve Board system be uniquely identified?
Options: 1-yes; 2-other; 3-no
Does the information system accept and electronically verify Personal Identity Verification Interoperability (PIV-I) credentials?
Options: 1-yes; 2-other; 3-no
INCIDENT RESPONSE

IR-2 (Low and Moderate)
Do you train personnel in incident response roles and responsibilities?
Options: 1-yes; 2-other; 3-no
Do you provide refresher training for incident response?
Options: 1-yes; 2-other; 3-no

IR-4 (Low)
During contingency planning activities, are incident-handling processes addressed?
Options: 1-yes; 2-other; 3-no

IR-6 (Low and Moderate)
Do your personnel report suspected security incidents to designated authorities within an established timeframe?
Options: 1-yes; 2-other; 3-no

IR-7 (Low and Moderate)
Will you report security incidents to the Federal Reserve Board within a timeframe based on the severity of the incident?
Options: 1-yes; 2-other; 3-no
Will you ask the Federal Reserve Board for assistance in mitigating the security incident?
Options: 3-no; 2-other; 1-yes

IR-8 (Low and Moderate)
Do you have an established incident response plan that defines reportable incidents, provides metrics for measuring, and provides a roadmap for implementing incident responses?
Options: 1-yes; 2-other; 3-no
Do you periodically review the incident response plan and address any necessary changes or updates to the plan?
Options: 1-yes; 2-other; 3-no

Is the updated plan communicated to the appropriate personnel?
Options: 1-yes; 2-other; 3-no

MAINTENANCE

MA-2 (Low and Moderate)
Is all equipment maintenance documented, reviewed, and approved prior to implementation of any changes?
Options: 1-yes; 2-other; 3-no
Is equipment sanitized prior to removal from the facility?
Options: 1-yes; 2-other; 3-no
Are security controls checked after a repair or change made during maintenance?
Options: 1-yes; 2-other; 3-no
Do your maintenance records include the following?
1. Date and time of maintenance
2. Name of the individual(s) performing the maintenance
3. Name of escort, if necessary
4. Description of the maintenance performed
5. A list of equipment or components that are removed or replaced
Options (each): 1-yes; 2-other; 3-no

MA-4 (Low)
Do you allow remote maintenance?
Options: 1-no; 2-other; 3-yes
Do you authorize, monitor, and control remote maintenance activities?
Options: 1-yes; 2-other; 3-no
Do you terminate all sessions and network connections once remote maintenance is complete?
Options: 1-yes; 2-other; 3-no

MA-5 (Low and Moderate)
Do you have a process that authorizes and maintains a list of authorized personnel and organizations for maintenance activities?
Options: 1-yes; 2-other; 3-no
Do you have a process that ensures the personnel performing the maintenance have the required access authorizations?
Options: 1-yes; 2-other; 3-no

MEDIA PROTECTION

MP-2 (Low and Moderate)
Do you restrict access to sensitive or classified information to those individuals having a need to know?
Options: 1-yes; 2-other; 3-no

MP-4 (Low)
Do you have automated mechanisms to restrict access to media storage areas and audit access attempts to the media against access that has been granted?
Options: 1-yes; 2-other; 3-no

MP-5 (Low)
Do you document all transports of media into or out of the operational facilities?
Options: 1-yes; 2-other; 3-no

MP-6 (Low and Moderate)

Do you sanitize digital and non-digital media prior to disposal or for release out of your control?
Options: 1-yes; 2-other; 3-no

MP-7 (Low and Moderate)
Do you prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner?
Options: 1-yes; 2-other; 3-no

PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-2 (Low and Moderate)
Do you develop and maintain lists of authorized personnel that have access to the facility(s) and any restricted parts of the environment?
Options: 1-yes; 2-other; 3-no
Do you issue authorization credentials for restricted, information system, and communication areas?
Options: 1-yes; 2-other; 3-no
Are access lists and authorization credentials reviewed at least annually?
Options: 1-yes; 2-other; 3-no

PE-3 (Low and Moderate)
Do you enforce physical access authorization for all physical access points?
Options: 1-yes; 2-other; 3-no
Do you verify individual access authorizations before granting access to the facility?
Options: 1-yes; 2-other; 3-no
Does your facility have controlled entry points that use physical access devices and/or guards?
Options: 1-yes; 2-other; 3-no
Do you authenticate visitors before allowing access to a facility that is not designated for public access?
Options: 1-yes; 2-other; 3-no

Are visitors to the facility escorted and their activities monitored?
Options: 1-yes; 2-other; 3-no
Do you change keys and combinations to the relevant access point of the facility upon the loss or compromise of the access point to the facility(s), or in the event of an employee or contractor transfer or termination?
Options: 1-yes; 2-other; 3-no

PE-6 (Low)
Do you monitor physical access and respond to physical security incidents?
Options: 1-yes; 2-other; 3-no
Do you review physical access logs?
Options: 1-yes; 2-other; 3-no
Are physical access events incorporated into incident response plans?
Options: 1-yes; 2-other; 3-no

PE-8 (Low and Moderate)
Do you maintain visitor access records to the facility(s) and are these records reviewed on at least a quarterly basis?
Options: 1-yes; 2-other; 3-no

PE-12 (Low and Moderate)
Does the facility have emergency lighting for the loss or disruption of electrical power?
Options: 1-yes; 2-other; 3-no

PE-13 (Low)
Do you have fire detection devices arranged in zones with remote monitoring for fire suppression?
Options: 1-yes; 2-other; 3-no

PE-14 (Low and Moderate)

Does the facility employ automated mechanisms to monitor and maintain temperature and humidity levels?
Options: 1-yes; 2-other; 3-no

PE-15 (Low and Moderate)
Does the facility protect information systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and at locations known to key personnel?
Options: 1-yes; 2-other; 3-no

PE-16 (Low and Moderate)
Do you control, authorize, and monitor information system component hardware and devices entering and exiting the facility and maintain records for those items?
Options: 1-yes; 2-other; 3-no

PLANNING

PL-2 (Low)
Do you create an individualized security plan for each information system or service hosted or executed at your facilities?
Options: 1-yes; 2-other; 3-no
Do you own and maintain the controls that are documented in the security plan for each hosted information system or service?
Options: 1-yes; 2-other; 3-no

PL-4 (Low)
Have you established rules that govern users on expected behavior with regard to information and information system usage, and do the users sign an acknowledgement indicating that they have read, understand, and agree to abide by the rules?
Options: 1-yes; 2-other; 3-no

PERSONNEL SECURITY

PS-2 (Low and Moderate)
Do you assign risk designations and establish screening criteria for positions in your organization?
Options: 1-yes; 2-other; 3-no

PS-3 (Low and Moderate)
Do you conduct background checks including credit reports prior to employment and recheck the employee or contractor within a two-year period?
Options: 1-yes; 2-other; 3-no

PS-4 (Low and Moderate)
Upon termination of an employee or contractor do you conduct exit interviews, immediately terminate access to systems, and retrieve all security-related information and documentation?
Options: 1-yes; 2-other; 3-no

PS-5 (Low and Moderate)
Upon the transfer of an employee or contractor, do you review the logical and physical access authorizations to verify that the authorizations are still appropriate?
Options: 1-yes; 2-other; 3-no

PS-6 (Low and Moderate)
Do you require employees and contractors to sign access agreements that are reviewed on a periodic basis?
Options: 1-yes; 2-other; 3-no

PS-7 (Low and Moderate)
Have you established security requirements for third-party personnel that are included in contracts that require your providers to follow the established security criteria and requirements of your organization?
Options: 1-yes; 2-other; 3-no

PS-8 (Low and Moderate)
Are employees and contractors required to adhere to security policies in which non-adherence is subject to disciplinary action, up to and including termination and/or civil or criminal liability?
Options: 1-yes; 2-other; 3-no

RISK ASSESSMENT

RA-2 (Low and Moderate)
Do you have a documented information system categorization policy that establishes how processing, storage, and transmission of information will be conducted and maintained?
Options: 1-yes; 2-other; 3-no

RA-3 (Low and Moderate)
Do you conduct information system risk assessments that include the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of an information system?
Options: 1-yes; 2-other; 3-no
Do you document, review, and update information system risk assessments on a periodic basis?
Options: 1-yes; 2-other; 3-no

RA-5 (Low)
Do you conduct frequent scans for vulnerabilities on information systems and hosted applications?
Options: 1-yes; 2-other; 3-no
Do you analyze vulnerability scan reports and results, taking appropriate actions for remediation in the appropriate amount of time?
Options: 1-yes; 2-other; 3-no

SYSTEM AND SERVICE ACQUISITION

SA-2 (Low and Moderate)
Do you have processes and/or procedures for determining information security requirements and the allocation of security resources on a minimum annual basis for your information system?
Options: 1-yes; 2-other; 3-no

SA-3 (Low and Moderate)
Do you deploy a system development lifecycle methodology that includes security considerations and identifies necessary system security roles and responsibilities for your information system?
Options: 1-yes; 2-other; 3-no

SA-4 (Low)
Are security attributes both implicit and explicit taken into consideration in the acquisition of equipment?
Options: 1-yes; 2-other; 3-no
Do you explicitly assign information systems or services to a specific owner?
Options: 1-yes; 2-other; 3-no

SA-5 (Low and Moderate)
Do you have explicit security documentation on the components, configuration, and settings for an information system for the purposes of installation, review, and testing?
Options: 1-yes; 2-other; 3-no

SA-9 (Low)
Do you require external service providers to adhere to information security requirements?
Options: 1-yes; 2-other; 3-no
Are external service providers contractually obligated to meet particular service levels?
Options: 1-yes; 2-other; 3-no

SYSTEM AND COMMUNICATION PROTECTION

SC-5 (Low and Moderate)
Do you employ ‘content filtering’ mechanisms (e.g., packet filtering, system redundancy, increased bandwidth capacity) to prevent denial of service attacks?
Options: 1-yes; 2-other; 3-no

SC-7 (Low)
Do you have policies in place to monitor and control external/internal network connections?
Options: 1-yes; 2-other; 3-no
Do you have monitoring devices at these connection points?
Options: 1-yes; 2-other; 3-no

SC-12 (Low and Moderate)
Do you have a process in place to manage cryptographic logic keys for your system/service?
Options: 1-yes; 2-other; 3-no
Do you have a process in place to manage cryptographic logic keys for your application?
Options: 1-yes; 2-other; 3-no

SC-13 (Low and Moderate)

Do you use cryptology to protect information?
Options: 1-yes; 2-other; 3-no
Do you use cryptology to protect applications?
Options: 1-yes; 2-other; 3-no

SC-15 (Low and Moderate)
Do you employ a policy to prevent the remote connection of collaborative devices?
Options: 1-yes; 2-other; 3-no

SC-18 (Low and Moderate)
Do you have a policy in place for the use of mobile code?
Options: 1-yes; 2-other; 3-no
Do you have a Certification Authority for issuance of mobile code technology certificates?
Options: 1-yes; 2-other; 3-no

SC-22 (Low and Moderate)
Do you employ a name/address resolution solution in your network architecture?
Options: 1-yes; 2-other; 3-no

SC-39 (Low and Moderate)
Does the information system maintain a separate execution domain for each executing process?
Options: 1-yes; 2-other; 3-no
Please describe how this is accomplished.
Options: answer in column D

SYSTEM AND INFORMATION INTEGRITY

SI-2 (Low)
Do you employ a process for flaw remediation in information systems?
Options: 1-yes; 2-other; 3-no

Do you employ a process for flaw remediation in your application?
Options: 1-yes; 2-other; 3-no

SI-3 (Low)
Do you employ a mechanism to prevent and detect malicious code on information systems?
Options: 1-yes; 2-other; 3-no

SI-4 (Low and Moderate)
Do you employ a mechanism to monitor for attacks on information systems?
Options: 1-yes; 2-other; 3-no
Do you monitor for unauthorized use of information systems?
Options: 1-yes; 2-other; 3-no
Do you deploy intrusion monitoring tools?
Options: 1-yes; 2-other; 3-no

SI-5 (Low and Moderate)
Do you have a process to receive, generate, and disseminate security alerts, advisories, and directives from designated external organizations?
Options: 1-yes; 2-other; 3-no

SI-12 (Low and Moderate)
Do you have a process or procedure in place to ensure the output of information systems or services is properly handled based on data classification?
Options: 1-yes; 2-other; 3-no



File Type: application/pdf
File Modified: 2019-05-20
File Created: 2019-05-20
