| 3.10.1 |
3.10.1[a]
|
Not Yet Assessed
|
Certification blocker
|
authorized individuals allowed physical access are identified.
|
-
|
| 3.10.1 |
3.10.1[b]
|
Not Yet Assessed
|
Certification blocker
|
physical access to organizational systems is limited to authorized individuals.
|
-
|
| 3.10.1 |
3.10.1[c]
|
Not Yet Assessed
|
Certification blocker
|
physical access to equipment is limited to authorized individuals.
|
-
|
| 3.10.1 |
3.10.1[d]
|
Not Yet Assessed
|
Certification blocker
|
physical access to operating environments is limited to authorized individuals.
|
-
|
| 3.10.2 |
3.10.2[a]
|
Not Yet Assessed
|
Certification blocker
|
the physical facility where that system resides is protected.
|
-
|
| 3.10.2 |
3.10.2[b]
|
Not Yet Assessed
|
Certification blocker
|
the support infrastructure for that system is protected.
|
-
|
| 3.10.2 |
3.10.2[c]
|
Not Yet Assessed
|
Certification blocker
|
the physical facility where that system resides is monitored.
|
-
|
| 3.10.2 |
3.10.2[d]
|
Not Yet Assessed
|
Certification blocker
|
the support infrastructure for that system is monitored.
|
-
|
| 3.10.3 |
3.10.3[a]
|
Not Yet Assessed
|
Certification blocker
|
visitors are escorted.
|
-
|
| 3.10.3 |
3.10.3[b]
|
Not Yet Assessed
|
Certification blocker
|
visitor activity is monitored.
|
-
|
| 3.10.4 |
3.10.4
|
Not Yet Assessed
|
Certification blocker
|
audit logs of physical access are maintained.
|
-
|
| 3.10.5 |
3.10.5[a]
|
Not Yet Assessed
|
Certification blocker
|
physical access devices are identified.
|
-
|
| 3.10.5 |
3.10.5[b]
|
Not Yet Assessed
|
Certification blocker
|
physical access devices are controlled.
|
-
|
| 3.10.5 |
3.10.5[c]
|
Not Yet Assessed
|
Certification blocker
|
physical access devices are managed.
|
-
|
| 3.10.6 |
3.10.6[a]
|
Not Yet Assessed
|
Certification blocker
|
safeguarding measures for CUI are defined for alternate work sites.
|
-
|
| 3.10.6 |
3.10.6[b]
|
Not Yet Assessed
|
Certification blocker
|
safeguarding measures for CUI are enforced for alternate work sites.
|
-
|
| 3.11.1 |
3.11.1[b]
|
Not Yet Assessed
|
Certification blocker
|
risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
|
-
|
| 3.11.2 |
3.11.2[a]
|
Not Yet Assessed
|
Certification blocker
|
the frequency to scan for vulnerabilities in an organizational system and its applications that process, store, or transmit CUI is defined.
|
-
|
| 3.11.2 |
3.11.2[b]
|
Not Yet Assessed
|
Certification blocker
|
vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI with the defined frequency.
|
-
|
| 3.11.2 |
3.11.2[c]
|
Not Yet Assessed
|
Certification blocker
|
vulnerability scans are performed in an application that contains CUI with the defined frequency.
|
-
|
| 3.11.2 |
3.11.2[d]
|
Not Yet Assessed
|
Certification blocker
|
vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI when new vulnerabilities are identified.
|
-
|
| 3.11.2 |
3.11.2[e]
|
Not Yet Assessed
|
Certification blocker
|
vulnerability scans are performed in an application that contains CUI when new vulnerabilities are identified.
|
-
|
| 3.11.3 |
3.11.3[a]
|
Not Yet Assessed
|
Certification blocker
|
vulnerabilities are identified.
|
-
|
| 3.11.3 |
3.11.3[b]
|
Not Yet Assessed
|
Certification blocker
|
vulnerabilities are remediated in accordance with risk assessments.
|
-
|
| 3.13.1 |
3.13.1[b]
|
Not Yet Assessed
|
Certification blocker
|
key internal system boundaries are defined.
|
-
|
| 3.13.1 |
3.13.1[c]
|
Not Yet Assessed
|
Certification blocker
|
communications are monitored at the external system boundary.
|
-
|
| 3.13.1 |
3.13.1[d]
|
Not Yet Assessed
|
Certification blocker
|
communications are monitored at key internal boundaries.
|
-
|
| 3.13.1 |
3.13.1[e]
|
Not Yet Assessed
|
Certification blocker
|
communications are controlled at the external system boundary.
|
-
|
| 3.13.1 |
3.13.1[f]
|
Not Yet Assessed
|
Certification blocker
|
communications are controlled at key internal boundaries.
|
-
|
| 3.13.1 |
3.13.1[g]
|
Not Yet Assessed
|
Certification blocker
|
communications are protected at the external system boundary.
|
-
|
| 3.13.1 |
3.13.1[h]
|
Not Yet Assessed
|
Certification blocker
|
communications are protected at key internal boundaries.
|
-
|
| 3.13.10 |
3.13.10[b]
|
Not Yet Assessed
|
Certification blocker
|
cryptographic keys are managed whenever cryptography is employed.
|
-
|
| 3.13.12 |
3.13.12[b]
|
Not Yet Assessed
|
Certification blocker
|
collaborative computing devices provide indication to users of devices in use.
|
-
|
| 3.13.12 |
3.13.12[c]
|
Not Yet Assessed
|
Certification blocker
|
remote activation of collaborative computing devices is prohibited.
|
-
|
| 3.13.13 |
3.13.13[b]
|
Not Yet Assessed
|
Certification blocker
|
use of mobile code is monitored.
|
-
|
| 3.13.14 |
3.13.14[b]
|
Not Yet Assessed
|
Certification blocker
|
use of Voice over Internet Protocol (VoIP) technologies is monitored.
|
-
|
| 3.13.15 |
3.13.15
|
Not Yet Assessed
|
Certification blocker
|
the authenticity of communications sessions is protected.
|
-
|
| 3.13.16 |
3.13.16
|
Not Yet Assessed
|
Certification blocker
|
the confidentiality of CUI at rest is protected.
|
-
|
| 3.13.2 |
3.13.2[b]
|
Not Yet Assessed
|
Certification blocker
|
software development techniques that promote effective information security are identified.
|
-
|
| 3.13.2 |
3.13.2[c]
|
Not Yet Assessed
|
Certification blocker
|
systems engineering principles that promote effective information security are identified.
|
-
|
| 3.13.2 |
3.13.2[d]
|
Not Yet Assessed
|
Certification blocker
|
identified architectural designs that promote effective information security are employed.
|
-
|
| 3.13.2 |
3.13.2[e]
|
Not Yet Assessed
|
Certification blocker
|
identified software development techniques that promote effective information security are employed.
|
-
|
| 3.13.2 |
3.13.2[f]
|
Not Yet Assessed
|
Certification blocker
|
identified systems engineering principles that promote effective information security are employed.
|
-
|
| 3.13.3 |
3.13.3[b]
|
Not Yet Assessed
|
Certification blocker
|
system management functionality is identified.
|
-
|
| 3.13.3 |
3.13.3[c]
|
Not Yet Assessed
|
Certification blocker
|
user functionality is separated from system management functionality.
|
-
|
| 3.13.4 |
3.13.4
|
Not Yet Assessed
|
Certification blocker
|
unauthorized and unintended information transfer via shared system resources is prevented.
|
-
|
| 3.13.5 |
3.13.5[b]
|
Not Yet Assessed
|
Certification blocker
|
subnetworks for publicly accessible system components are physically or logically separated from internal networks.
|
-
|
| 3.13.6 |
3.13.6[b]
|
Not Yet Assessed
|
Certification blocker
|
network communications traffic is allowed by exception.
|
-
|
| 3.13.7 |
3.13.7
|
Not Yet Assessed
|
Certification blocker
|
remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
|
-
|
| 3.13.8 |
3.13.8[b]
|
Not Yet Assessed
|
Certification blocker
|
alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified.
|
-
|
| 3.13.8 |
3.13.8[c]
|
Not Yet Assessed
|
Certification blocker
|
either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
|
-
|
| 3.13.9 |
3.13.9[b]
|
Not Yet Assessed
|
Certification blocker
|
network connections associated with communications sessions are terminated at the end of the sessions.
|
-
|
| 3.13.9 |
3.13.9[c]
|
Not Yet Assessed
|
Certification blocker
|
network connections associated with communications sessions are terminated after the defined period of inactivity.
|
-
|
| 3.14.1 |
3.14.1[b]
|
Not Yet Assessed
|
Certification blocker
|
system flaws are identified within the specified time frame.
|
-
|
| 3.14.1 |
3.14.1[c]
|
Not Yet Assessed
|
Certification blocker
|
the time within which to report system flaws is specified.
|
-
|
| 3.14.1 |
3.14.1[d]
|
Not Yet Assessed
|
Certification blocker
|
system flaws are reported within the specified time frame.
|
-
|
| 3.14.1 |
3.14.1[e]
|
Not Yet Assessed
|
Certification blocker
|
the time within which to correct system flaws is specified.
|
-
|
| 3.14.1 |
3.14.1[f]
|
Not Yet Assessed
|
Certification blocker
|
system flaws are corrected within the specified time frame.
|
-
|
| 3.14.2 |
3.14.2[a]
|
Not Yet Assessed
|
Certification blocker
|
designated locations for malicious code protection are identified.
|
-
|
| 3.14.2 |
3.14.2[b]
|
Not Yet Assessed
|
Certification blocker
|
protection from malicious code at designated locations is provided.
|
-
|
| 3.14.3 |
3.14.3[a]
|
Not Yet Assessed
|
Certification blocker
|
response actions to system security alerts and advisories are identified.
|
-
|
| 3.14.3 |
3.14.3[b]
|
Not Yet Assessed
|
Certification blocker
|
system security alerts and advisories are monitored.
|
-
|
| 3.14.3 |
3.14.3[c]
|
Not Yet Assessed
|
Certification blocker
|
actions in response to system security alerts and advisories are taken.
|
-
|
| 3.14.4 |
3.14.4
|
Not Yet Assessed
|
Certification blocker
|
malicious code protection mechanisms are updated when new releases are available.
|
-
|
| 3.14.5 |
3.14.5[a]
|
Not Yet Assessed
|
Certification blocker
|
the frequency for malicious code scans is defined.
|
-
|
| 3.14.5 |
3.14.5[b]
|
Not Yet Assessed
|
Certification blocker
|
malicious code scans are performed with the defined frequency.
|
-
|
| 3.14.5 |
3.14.5[c]
|
Not Yet Assessed
|
Certification blocker
|
real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
|
-
|
| 3.14.6 |
3.14.6[a]
|
Not Yet Assessed
|
Certification blocker
|
the system is monitored to detect attacks and indicators of potential attacks.
|
-
|
| 3.14.6 |
3.14.6[b]
|
Not Yet Assessed
|
Certification blocker
|
inbound communications traffic is monitored to detect attacks and indicators of potential attacks.
|
-
|
| 3.14.6 |
3.14.6[c]
|
Not Yet Assessed
|
Certification blocker
|
outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
|
-
|
| 3.14.7 |
3.14.7[a]
|
Not Yet Assessed
|
Certification blocker
|
authorized use of the system is defined.
|
-
|
| 3.14.7 |
3.14.7[b]
|
Not Yet Assessed
|
Certification blocker
|
unauthorized use of the system is identified.
|
-
|
| 3.2.1 |
3.2.1[b]
|
Not Yet Assessed
|
Certification blocker
|
policies, standards, and procedures related to the security of the system are identified.
|
-
|
| 3.2.1 |
3.2.1[c]
|
Not Yet Assessed
|
Certification blocker
|
managers, systems administrators, and users of the system are made aware of the security risks associated with their activities.
|
-
|
| 3.2.1 |
3.2.1[d]
|
Not Yet Assessed
|
Certification blocker
|
managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
|
-
|
| 3.2.2 |
3.2.2[a]
|
Not Yet Assessed
|
Certification blocker
|
information security-related duties, roles, and responsibilities are defined.
|
-
|
| 3.2.2 |
3.2.2[b]
|
Not Yet Assessed
|
Certification blocker
|
information security-related duties, roles, and responsibilities are assigned to designated personnel.
|
-
|
| 3.2.2 |
3.2.2[c]
|
Not Yet Assessed
|
Certification blocker
|
personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
|
-
|
| 3.2.3 |
3.2.3[a]
|
Not Yet Assessed
|
Certification blocker
|
potential indicators associated with insider threats are identified.
|
-
|
| 3.2.3 |
3.2.3[b]
|
Not Yet Assessed
|
Certification blocker
|
security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
|
-
|
| 3.3.1 |
3.3.1[a]
|
Not Yet Assessed
|
Certification blocker
|
audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified.
|
-
|
| 3.3.1 |
3.3.1[b]
|
Not Yet Assessed
|
Certification blocker
|
the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined.
|
-
|
| 3.3.1 |
3.3.1[c]
|
Not Yet Assessed
|
Certification blocker
|
audit records are created (generated).
|
-
|
| 3.3.1 |
3.3.1[d]
|
Not Yet Assessed
|
Certification blocker
|
audit records, once created, contain the defined content.
|
-
|
| 3.3.1 |
3.3.1[e]
|
Not Yet Assessed
|
Certification blocker
|
retention requirements for audit records are defined.
|
-
|
| 3.3.1 |
3.3.1[f]
|
Not Yet Assessed
|
Certification blocker
|
audit records are retained as defined.
|
-
|
| 3.3.2 |
3.3.2[a]
|
Not Yet Assessed
|
Certification blocker
|
the content of the audit records needed to support the ability to uniquely trace users to their actions is defined.
|
-
|
| 3.3.2 |
3.3.2[b]
|
Not Yet Assessed
|
Certification blocker
|
audit records, once created, contain the defined content.
|
-
|
| 3.3.3 |
3.3.3[a]
|
Not Yet Assessed
|
Certification blocker
|
a process for determining when to review logged events is defined.
|
-
|
| 3.3.3 |
3.3.3[b]
|
Not Yet Assessed
|
Certification blocker
|
event types being logged are reviewed in accordance with the defined review process.
|
-
|
| 3.3.3 |
3.3.3[c]
|
Not Yet Assessed
|
Certification blocker
|
event types being logged are updated based on the review.
|
-
|
| 3.3.4 |
3.3.4[a]
|
Not Yet Assessed
|
Certification blocker
|
personnel or roles to be alerted in the event of an audit logging process failure are identified.
|
-
|
| 3.3.4 |
3.3.4[b]
|
Not Yet Assessed
|
Certification blocker
|
types of audit logging process failures for which alert will be generated are defined.
|
-
|
| 3.3.4 |
3.3.4[c]
|
Not Yet Assessed
|
Certification blocker
|
identified personnel or roles are alerted in the event of an audit logging process failure.
|
-
|
| 3.3.5 |
3.3.5[a]
|
Not Yet Assessed
|
Certification blocker
|
audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined.
|
-
|
| 3.3.5 |
3.3.5[b]
|
Not Yet Assessed
|
Certification blocker
|
defined audit record review, analysis, and reporting processes are correlated.
|
-
|
| 3.3.6 |
3.3.6[a]
|
Not Yet Assessed
|
Certification blocker
|
an audit record reduction capability that supports on-demand analysis is provided.
|
-
|
| 3.3.6 |
3.3.6[b]
|
Not Yet Assessed
|
Certification blocker
|
a report generation capability that supports on-demand reporting is provided.
|
-
|
| 3.3.7 |
3.3.7[a]
|
Not Yet Assessed
|
Certification blocker
|
internal system clocks are used to generate time stamps for audit records.
|
-
|
| 3.3.7 |
3.3.7[b]
|
Not Yet Assessed
|
Certification blocker
|
an authoritative source with which to compare and synchronize internal system clocks is specified.
|
-
|
| 3.3.7 |
3.3.7[c]
|
Not Yet Assessed
|
Certification blocker
|
internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
|
-
|
| 3.3.8 |
3.3.8[a]
|
Not Yet Assessed
|
Certification blocker
|
audit information is protected from unauthorized access.
|
-
|
| 3.3.8 |
3.3.8[b]
|
Not Yet Assessed
|
Certification blocker
|
audit information is protected from unauthorized modification.
|
-
|
| 3.3.8 |
3.3.8[c]
|
Not Yet Assessed
|
Certification blocker
|
audit information is protected from unauthorized deletion.
|
-
|
| 3.3.8 |
3.3.8[d]
|
Not Yet Assessed
|
Certification blocker
|
audit logging tools are protected from unauthorized access.
|
-
|
| 3.3.8 |
3.3.8[e]
|
Not Yet Assessed
|
Certification blocker
|
audit logging tools are protected from unauthorized modification.
|
-
|
| 3.3.8 |
3.3.8[f]
|
Not Yet Assessed
|
Certification blocker
|
audit logging tools are protected from unauthorized deletion.
|
-
|
| 3.3.9 |
3.3.9[a]
|
Not Yet Assessed
|
Certification blocker
|
a subset of privileged users granted access to manage audit logging functionality is defined.
|
-
|
| 3.3.9 |
3.3.9[b]
|
Not Yet Assessed
|
Certification blocker
|
management of audit logging functionality is limited to the defined subset of privileged users.
|
-
|
| 3.4.1 |
3.4.1[a]
|
Not Yet Assessed
|
Certification blocker
|
a baseline configuration is established.
|
-
|
| 3.4.1 |
3.4.1[b]
|
Not Yet Assessed
|
Certification blocker
|
the baseline configuration includes hardware, software, firmware, and documentation.
|
-
|
| 3.4.1 |
3.4.1[c]
|
Not Yet Assessed
|
Certification blocker
|
the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle.
|
-
|
| 3.4.1 |
3.4.1[d]
|
Not Yet Assessed
|
Certification blocker
|
a system inventory is established.
|
-
|
| 3.4.1 |
3.4.1[e]
|
Not Yet Assessed
|
Certification blocker
|
the system inventory includes hardware, software, firmware, and documentation.
|
-
|
| 3.4.1 |
3.4.1[f]
|
Not Yet Assessed
|
Certification blocker
|
the inventory is maintained (reviewed and updated) throughout the system development life cycle.
|
-
|
| 3.4.2 |
3.4.2[a]
|
Not Yet Assessed
|
Certification blocker
|
security configuration settings for information technology products employed in the system are established and included in the baseline configuration.
|
-
|
| 3.4.2 |
3.4.2[b]
|
Not Yet Assessed
|
Certification blocker
|
security configuration settings for information technology products employed in the system are enforced.
|
-
|
| 3.4.3 |
3.4.3[a]
|
Not Yet Assessed
|
Certification blocker
|
changes to the system are tracked.
|
-
|
| 3.4.3 |
3.4.3[b]
|
Not Yet Assessed
|
Certification blocker
|
changes to the system are reviewed.
|
-
|
| 3.4.3 |
3.4.3[c]
|
Not Yet Assessed
|
Certification blocker
|
changes to the system are approved or disapproved.
|
-
|
| 3.4.3 |
3.4.3[d]
|
Not Yet Assessed
|
Certification blocker
|
changes to the system are logged.
|
-
|
| 3.4.4 |
3.4.4
|
Not Yet Assessed
|
Certification blocker
|
the security impact of changes to each organizational system is analyzed prior to implementation.
|
-
|
| 3.4.5 |
3.4.5[a]
|
Not Yet Assessed
|
Certification blocker
|
physical access restrictions associated with changes to the system are defined.
|
-
|
| 3.4.5 |
3.4.5[b]
|
Not Yet Assessed
|
Certification blocker
|
physical access restrictions associated with changes to the system are documented.
|
-
|
| 3.4.5 |
3.4.5[c]
|
Not Yet Assessed
|
Certification blocker
|
physical access restrictions associated with changes to the system are approved.
|
-
|
| 3.4.5 |
3.4.5[d]
|
Not Yet Assessed
|
Certification blocker
|
physical access restrictions associated with changes to the system are enforced.
|
-
|
| 3.4.5 |
3.4.5[e]
|
Not Yet Assessed
|
Certification blocker
|
logical access restrictions associated with changes to the system are defined.
|
-
|
| 3.4.5 |
3.4.5[f]
|
Not Yet Assessed
|
Certification blocker
|
logical access restrictions associated with changes to the system are documented.
|
-
|
| 3.4.5 |
3.4.5[g]
|
Not Yet Assessed
|
Certification blocker
|
logical access restrictions associated with changes to the system are approved.
|
-
|
| 3.4.5 |
3.4.5[h]
|
Not Yet Assessed
|
Certification blocker
|
logical access restrictions associated with changes to the system are enforced.
|
-
|
| 3.4.6 |
3.4.6[a]
|
Not Yet Assessed
|
Certification blocker
|
essential system capabilities are defined based on the principle of least functionality.
|
-
|
| 3.4.6 |
3.4.6[b]
|
Not Yet Assessed
|
Certification blocker
|
the system is configured to provide only the defined essential capabilities.
|
-
|
| 3.4.7 |
3.4.7[a]
|
Not Yet Assessed
|
Certification blocker
|
essential programs are defined.
|
-
|
| 3.4.7 |
3.4.7[b]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential programs is defined.
|
-
|
| 3.4.7 |
3.4.7[c]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential programs is restricted, disabled, or prevented as defined.
|
-
|
| 3.4.7 |
3.4.7[d]
|
Not Yet Assessed
|
Certification blocker
|
essential functions are defined.
|
-
|
| 3.4.7 |
3.4.7[e]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential functions is defined.
|
-
|
| 3.4.7 |
3.4.7[f]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential functions is restricted, disabled, or prevented as defined.
|
-
|
| 3.4.7 |
3.4.7[g]
|
Not Yet Assessed
|
Certification blocker
|
essential ports are defined.
|
-
|
| 3.4.7 |
3.4.7[h]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential ports is defined.
|
-
|
| 3.4.7 |
3.4.7[i]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential ports is restricted, disabled, or prevented as defined.
|
-
|
| 3.4.7 |
3.4.7[j]
|
Not Yet Assessed
|
Certification blocker
|
essential protocols are defined.
|
-
|
| 3.4.7 |
3.4.7[k]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential protocols is defined.
|
-
|
| 3.4.7 |
3.4.7[l]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential protocols is restricted, disabled, or prevented as defined.
|
-
|
| 3.4.7 |
3.4.7[m]
|
Not Yet Assessed
|
Certification blocker
|
essential services are defined.
|
-
|
| 3.4.7 |
3.4.7[n]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential services is defined.
|
-
|
| 3.4.7 |
3.4.7[o]
|
Not Yet Assessed
|
Certification blocker
|
the use of nonessential services is restricted, disabled, or prevented as defined.
|
-
|
| 3.4.8 |
3.4.8[a]
|
Not Yet Assessed
|
Certification blocker
|
a policy specifying whether whitelisting or blacklisting is to be implemented is specified.
|
-
|
| 3.4.8 |
3.4.8[b]
|
Not Yet Assessed
|
Certification blocker
|
the software allowed to execute under whitelisting or denied use under blacklisting is specified.
|
-
|
| 3.4.8 |
3.4.8[c]
|
Not Yet Assessed
|
Certification blocker
|
whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
|
-
|
| 3.4.9 |
3.4.9[a]
|
Not Yet Assessed
|
Certification blocker
|
a policy for controlling the installation of software by users is established.
|
-
|
| 3.4.9 |
3.4.9[b]
|
Not Yet Assessed
|
Certification blocker
|
installation of software by users is controlled based on the established policy.
|
-
|
| 3.4.9 |
3.4.9[c]
|
Not Yet Assessed
|
Certification blocker
|
installation of software by users is monitored.
|
-
|
| 3.5.1 |
3.5.1[a]
|
Not Yet Assessed
|
Certification blocker
|
system users are identified.
|
-
|
| 3.5.1 |
3.5.1[b]
|
Not Yet Assessed
|
Certification blocker
|
processes acting on behalf of users are identified.
|
-
|
| 3.5.1 |
3.5.1[c]
|
Not Yet Assessed
|
Certification blocker
|
devices accessing the system are identified.
|
-
|
| 3.5.10 |
3.5.10[a]
|
Not Yet Assessed
|
Certification blocker
|
passwords are cryptographically protected in storage.
|
-
|
| 3.5.10 |
3.5.10[b]
|
Not Yet Assessed
|
Certification blocker
|
passwords are cryptographically protected in transit.
|
-
|
| 3.5.11 |
3.5.11
|
Not Yet Assessed
|
Certification blocker
|
authentication information is obscured during the authentication process.
|
-
|
| 3.5.2 |
3.5.2[a]
|
Not Yet Assessed
|
Certification blocker
|
the identity of each user is authenticated or verified as a prerequisite to system access.
|
-
|
| 3.5.2 |
3.5.2[b]
|
Not Yet Assessed
|
Certification blocker
|
the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.
|
-
|
| 3.5.2 |
3.5.2[c]
|
Not Yet Assessed
|
Certification blocker
|
the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
|
-
|
| 3.5.3 |
3.5.3[a]
|
Not Yet Assessed
|
Certification blocker
|
privileged accounts are identified.
|
-
|
| 3.5.3 |
3.5.3[b]
|
Not Yet Assessed
|
Certification blocker
|
multifactor authentication is implemented for local access to privileged accounts.
|
-
|
| 3.5.3 |
3.5.3[c]
|
Not Yet Assessed
|
Certification blocker
|
multifactor authentication is implemented for network access to privileged accounts.
|
-
|
| 3.5.3 |
3.5.3[d]
|
Not Yet Assessed
|
Certification blocker
|
multifactor authentication is implemented for network access to non-privileged accounts.
|
-
|
| 3.5.4 |
3.5.4
|
Not Yet Assessed
|
Certification blocker
|
replay-resistant authentication mechanisms are implemented for all network account access to privileged and non-privileged accounts.
|
-
|
| 3.5.5 |
3.5.5[a]
|
Not Yet Assessed
|
Certification blocker
|
a period within which identifiers cannot be reused is defined.
|
-
|
| 3.5.5 |
3.5.5[b]
|
Not Yet Assessed
|
Certification blocker
|
reuse of identifiers is prevented within the defined period.
|
-
|
| 3.5.6 |
3.5.6[a]
|
Not Yet Assessed
|
Certification blocker
|
a period of inactivity after which an identifier is disabled is defined.
|
-
|
| 3.5.6 |
3.5.6[b]
|
Not Yet Assessed
|
Certification blocker
|
identifiers are disabled after the defined period of inactivity.
|
-
|
| 3.5.7 |
3.5.7[a]
|
Not Yet Assessed
|
Certification blocker
|
password complexity requirements are defined.
|
-
|
| 3.5.7 |
3.5.7[b]
|
Not Yet Assessed
|
Certification blocker
|
password change of character requirements are defined.
|
-
|
| 3.5.7 |
3.5.7[c]
|
Not Yet Assessed
|
Certification blocker
|
minimum password complexity requirements as defined are enforced when new passwords are created.
|
-
|
| 3.5.7 |
3.5.7[d]
|
Not Yet Assessed
|
Certification blocker
|
minimum password change of character requirements as defined are enforced when new passwords are created.
|
-
|
| 3.5.8 |
3.5.8[a]
|
Not Yet Assessed
|
Certification blocker
|
the number of generations during which a password cannot be reused is specified.
|
-
|
| 3.5.8 |
3.5.8[b]
|
Not Yet Assessed
|
Certification blocker
|
reuse of passwords is prohibited during the specified number of generations.
|
-
|
| 3.5.9 |
3.5.9
|
Not Yet Assessed
|
Certification blocker
|
an immediate change to a permanent password is required when a temporary password is used for system logon.
|
-
|
| 3.6.1 |
3.6.1[a]
|
Not Yet Assessed
|
Certification blocker
|
an operational incident-handling capability is established.
|
-
|
| 3.6.1 |
3.6.1[b]
|
Not Yet Assessed
|
Certification blocker
|
the operational incident-handling capability includes preparation.
|
-
|
| 3.6.1 |
3.6.1[c]
|
Not Yet Assessed
|
Certification blocker
|
the operational incident-handling capability includes detection.
|
-
|
| 3.6.1 |
3.6.1[d]
|
Not Yet Assessed
|
Certification blocker
|
the operational incident-handling capability includes analysis.
|
-
|
| 3.6.1 |
3.6.1[e]
|
Not Yet Assessed
|
Certification blocker
|
the operational incident-handling capability includes containment.
|
-
|
| 3.6.1 |
3.6.1[f]
|
Not Yet Assessed
|
Certification blocker
|
the operational incident-handling capability includes recovery.
|
-
|
| 3.6.1 |
3.6.1[g]
|
Not Yet Assessed
|
Certification blocker
|
the operational incident-handling capability includes user response activities.
|
-
|
| 3.6.2 |
3.6.2[a]
|
Not Yet Assessed
|
Certification blocker
|
incidents are tracked.
|
-
|
| 3.6.2 |
3.6.2[b]
|
Not Yet Assessed
|
Certification blocker
|
incidents are documented.
|
-
|
| 3.6.2 |
3.6.2[c]
|
Not Yet Assessed
|
Certification blocker
|
authorities to whom incidents are to be reported are identified.
|
-
|
| 3.6.2 |
3.6.2[d]
|
Not Yet Assessed
|
Certification blocker
|
organizational officials to whom incidents are to be reported are identified.
|
-
|
| 3.6.2 |
3.6.2[e]
|
Not Yet Assessed
|
Certification blocker
|
identified authorities are notified of incidents.
|
-
|
| 3.6.2 |
3.6.2[f]
|
Not Yet Assessed
|
Certification blocker
|
identified organizational officials are notified of incidents.
|
-
|
| 3.6.3 |
3.6.3
|
Not Yet Assessed
|
Certification blocker
|
the incident response capability is tested.
|
-
|
| 3.7.1 |
3.7.1
|
Not Yet Assessed
|
Certification blocker
|
system maintenance is performed.
|
-
|
| 3.7.2 |
3.7.2[a]
|
Not Yet Assessed
|
Certification blocker
|
tools used to conduct system maintenance are controlled.
|
-
|
| 3.7.2 |
3.7.2[b]
|
Not Yet Assessed
|
Certification blocker
|
techniques used to conduct system maintenance are controlled.
|
-
|
| 3.7.2 |
3.7.2[c]
|
Not Yet Assessed
|
Certification blocker
|
mechanisms used to conduct system maintenance are controlled.
|
-
|
| 3.7.2 |
3.7.2[d]
|
Not Yet Assessed
|
Certification blocker
|
personnel used to conduct system maintenance are controlled.
|
-
|
| 3.7.3 |
3.7.3
|
Not Yet Assessed
|
Certification blocker
|
equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
|
-
|
| 3.7.4 |
3.7.4
|
Not Yet Assessed
|
Certification blocker
|
media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
|
-
|
| 3.7.5 |
3.7.5[a]
|
Not Yet Assessed
|
Certification blocker
|
multifactor authentication is required to establish nonlocal maintenance sessions via external network connections.
|
-
|
| 3.7.5 |
3.7.5[b]
|
Not Yet Assessed
|
Certification blocker
|
nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
|
-
|
| 3.7.6 |
3.7.6
|
Not Yet Assessed
|
Certification blocker
|
maintenance personnel without required access authorization are supervised during maintenance activities.
|
-
|
| 3.8.1 |
3.8.1[a]
|
Not Yet Assessed
|
Certification blocker
|
paper media containing CUI is physically controlled.
|
-
|
| 3.8.1 |
3.8.1[b]
|
Not Yet Assessed
|
Certification blocker
|
digital media containing CUI is physically controlled.
|
-
|
| 3.8.1 |
3.8.1[c]
|
Not Yet Assessed
|
Certification blocker
|
paper media containing CUI is securely stored.
|
-
|
| 3.8.1 |
3.8.1[d]
|
Not Yet Assessed
|
Certification blocker
|
digital media containing CUI is securely stored.
|
-
|
| 3.8.2 |
3.8.2
|
Not Yet Assessed
|
Certification blocker
|
access to CUI on system media is limited to authorized users.
|
-
|
| 3.8.3 |
3.8.3[a]
|
Not Yet Assessed
|
Certification blocker
|
system media containing CUI is sanitized or destroyed before disposal.
|
-
|
| 3.8.3 |
3.8.3[b]
|
Not Yet Assessed
|
Certification blocker
|
system media containing CUI is sanitized before it is released for reuse.
|
-
|
| 3.8.4 |
3.8.4[a]
|
Not Yet Assessed
|
Certification blocker
|
media containing CUI is marked with applicable CUI markings.
|
-
|
| 3.8.4 |
3.8.4[b]
|
Not Yet Assessed
|
Certification blocker
|
media containing CUI is marked with distribution limitations.
|
-
|
| 3.8.5 |
3.8.5[a]
|
Not Yet Assessed
|
Certification blocker
|
access to media containing CUI is controlled.
|
-
|
| 3.8.5 |
3.8.5[b]
|
Not Yet Assessed
|
Certification blocker
|
accountability for media containing CUI is maintained during transport outside of controlled areas.
|
-
|
| 3.8.6 |
3.8.6
|
Not Yet Assessed
|
Certification blocker
|
the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
|
-
|
| 3.8.7 |
3.8.7
|
Not Yet Assessed
|
Certification blocker
|
the use of removable media on system components containing CUI is controlled.
|
-
|
| 3.8.8 |
3.8.8
|
Not Yet Assessed
|
Certification blocker
|
the use of portable storage devices is prohibited when such devices have no identifiable owner.
|
-
|
| 3.8.9 |
3.8.9
|
Not Yet Assessed
|
Certification blocker
|
the confidentiality of backup CUI is protected at storage locations.
|
-
|
| 3.9.1 |
3.9.1
|
Not Yet Assessed
|
Certification blocker
|
individuals are screened prior to authorizing access to organizational systems.
|
-
|
| 3.9.2 |
3.9.2[a]
|
Not Yet Assessed
|
Certification blocker
|
a policy and/or process for terminating system access authorization and any credentials coincident with personnel actions is established.
|
-
|
| 3.9.2 |
3.9.2[b]
|
Not Yet Assessed
|
Certification blocker
|
system access and credentials are terminated consistent with personnel actions such as termination or transfer.
|
-
|
| 3.9.2 |
3.9.2[c]
|
Not Yet Assessed
|
Certification blocker
|
the system is protected during and after personnel transfer actions.
|
-
|