{
  "total": 5776,
  "assessment_objectives": [
    {
      "scf_control_id": "AAT-01",
      "ao_id": "AAT-01_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific policies, standards and procedures are developed and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01",
      "ao_id": "AAT-01_A02",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific policies, standards and procedures are implemented effectively.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01",
      "ao_id": "AAT-01_A03",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01",
      "ao_id": "AAT-01_A04",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Artificial Intelligence (AI) and Autonomous Technologies (AAT) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01",
      "ao_id": "AAT-01_A05",
      "objective": "responsibility and authority for the performance of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01",
      "ao_id": "AAT-01_A06",
      "objective": "personnel performing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.1",
      "ao_id": "AAT-01.1_A01",
      "objective": "the organization analyzes its business practices to determine applicable statutory, regulatory and/or contractual obligations for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.2",
      "ao_id": "AAT-01.2_A01",
      "objective": "secure engineering principles are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.2",
      "ao_id": "AAT-01.2_A02",
      "objective": "privacy engineering principles are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.3",
      "ao_id": "AAT-01.3_A01",
      "objective": "the organization analyzes its business practices for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.3",
      "ao_id": "AAT-01.3_A02",
      "objective": "the organization continuously improves its business practices to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.4",
      "ao_id": "AAT-01.4_A01",
      "objective": "the organization tracks AI models and AI agents deployed in development environments that captures:\n(1) ownership;\n(2) intended purpose; and\n(3) status.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.4",
      "ao_id": "AAT-01.4_A02",
      "objective": "the organization tracks AI models and AI agents deployed in production environments that captures:\n(1) ownership;\n(2) intended purpose; and\n(3) status.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.4",
      "ao_id": "AAT-01.4_A03",
      "objective": "the organization tracks AI model and AI agent updates that captures:\n(1) ownership;\n(2) intended purpose; and\n(3) status.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-01.4",
      "ao_id": "AAT-01.4_A04",
      "objective": "the organization tracks decommissioned AI models and AI agents that captures:\n(1) ownership;\n(2) intended purpose; and\n(3) date of decommissioning.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02",
      "ao_id": "AAT-02_A01",
      "objective": "an inventory of systems and system components that is at the level of granularity deemed necessary for tracking and reporting is documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08a.04",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.1",
      "ao_id": "AAT-02.1_A01",
      "objective": "a risk catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risks is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.1",
      "ao_id": "AAT-02.1_A02",
      "objective": "a compliance catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific laws, regulations and contractual obligations is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.1",
      "ao_id": "AAT-02.1_A03",
      "objective": "the organization maps its risk catalog to its compliance catalog for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.2",
      "ao_id": "AAT-02.2_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to select required cybersecurity / data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT) under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.2",
      "ao_id": "AAT-02.2_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners operationalized cybersecurity / data privacy practices for Artificial Intelligence (AI) and Autonomous Technologies (AAT) under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.3",
      "ao_id": "AAT-02.3_A01",
      "objective": "risks and threats for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.3",
      "ao_id": "AAT-02.3_A02",
      "objective": "reasonable cybersecurity and data protections that are commensurate with assessed risks and threats for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.3",
      "ao_id": "AAT-02.3_A03",
      "objective": "reasonable cybersecurity and data protections that are commensurate with assessed risks and threats for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.4",
      "ao_id": "AAT-02.4_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific threat modeling addresses the following criteria across the lifecycle of the AAT:\n(1) Attack surfaces;\n(2) Adversarial threats; and \n(3) Abuse / misuse scenarios.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-02.4",
      "ao_id": "AAT-02.4_A02",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risk assessments address the following criteria across the lifecycle of the AAT:\n(1) Attack surfaces;\n(2) Adversarial threats; and \n(3) Abuse / misuse scenarios.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03",
      "ao_id": "AAT-03_A01",
      "objective": "the context for the intended purpose(s) for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03",
      "ao_id": "AAT-03_A02",
      "objective": "the context for the potentially beneficial use(s) for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03",
      "ao_id": "AAT-03_A03",
      "objective": "the context for the legal and regulatory compliance for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03",
      "ao_id": "AAT-03_A04",
      "objective": "the context for the norms and expectations for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03",
      "ao_id": "AAT-03_A05",
      "objective": "the context for the proposed deployment setting(s) for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03.1",
      "ao_id": "AAT-03.1_A01",
      "objective": "the mission for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03.1",
      "ao_id": "AAT-03.1_A02",
      "objective": "the relevant goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are clearly documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03.2",
      "ao_id": "AAT-03.2_A01",
      "objective": "AI model and agent-related documentation artifacts for data lineage are created, maintained and accessible.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03.2",
      "ao_id": "AAT-03.2_A02",
      "objective": "AI model and agent-related documentation artifacts for intended use are created, maintained and accessible.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-03.2",
      "ao_id": "AAT-03.2_A03",
      "objective": "AI model and agent-related documentation artifacts for limitations are created, maintained and accessible.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04",
      "ao_id": "AAT-04_A01",
      "objective": "capabilities for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are benchmarked.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04",
      "ao_id": "AAT-04_A02",
      "objective": "targeted usage for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is benchmarked.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04",
      "ao_id": "AAT-04_A03",
      "objective": "goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are benchmarked.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04",
      "ao_id": "AAT-04_A04",
      "objective": "expected benefits for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are benchmarked.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04",
      "ao_id": "AAT-04_A05",
      "objective": "expected costs for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are benchmarked.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04.1",
      "ao_id": "AAT-04.1_A01",
      "objective": "documented methods exist to viably assess the potential benefits of Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04.2",
      "ao_id": "AAT-04.2_A01",
      "objective": "documented methods exist to viably assess the potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI)-related errors or system functionality and trustworthiness.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04.3",
      "ao_id": "AAT-04.3_A01",
      "objective": "the scope for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04.4",
      "ao_id": "AAT-04.4_A01",
      "objective": "a risk catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risks is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04.4",
      "ao_id": "AAT-04.4_A02",
      "objective": "a compliance catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific laws, regulations and contractual obligations is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04.4",
      "ao_id": "AAT-04.4_A03",
      "objective": "a Third-Party Service Provider (TSP) catalog that includes Software as a Service (SaaS) is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-04.4",
      "ao_id": "AAT-04.4_A04",
      "objective": "the organization maps its risk catalog across its compliance and Third-Party Service Provider (TSP) catalog for Artificial Intelligence (AI) and Autonomous Technologies (AAT) to determine the scope and potential impact of AAT-related risks.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-05",
      "ao_id": "AAT-05_A01",
      "objective": "roles and responsibilities for role-based cybersecurity / data privacy training are defined for Artificial Intelligence (AI) and Autonomous Technologies (AAT) internal and external stakeholders.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-05",
      "ao_id": "AAT-05_A02",
      "objective": "the frequency at which to provide role-based cybersecurity / data privacy training to Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders after initial training is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-05",
      "ao_id": "AAT-05_A03",
      "objective": "events that require role-based training content for Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be updated are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-05",
      "ao_id": "AAT-05_A04",
      "objective": "role-based privacy training is provided to organization-defined roles and responsibilities before authorizing access to Artificial Intelligence (AI) and Autonomous Technologies (AAT) or performing assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-05",
      "ao_id": "AAT-05_A05",
      "objective": "role-based cybersecurity / data privacy training for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is provided upon hire and per an organization-defined frequency thereafter.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-06",
      "ao_id": "AAT-06_A01",
      "objective": "a documented methodology prioritizes workforce diversity, equity, inclusion and accessibility processes in the mapping, measuring and managing of Artificial Intelligence (AI)-related risks throughout the AAT lifecycle.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07",
      "ao_id": "AAT-07_A01",
      "objective": "the organization leverages decision makers from a diversity of demographics for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07",
      "ao_id": "AAT-07_A02",
      "objective": "the organization leverages decision makers from a diversity of disciplines for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07",
      "ao_id": "AAT-07_A03",
      "objective": "the organization leverages decision makers from a diversity of experience for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07",
      "ao_id": "AAT-07_A04",
      "objective": "the organization leverages decision makers from a diversity of expertise for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07",
      "ao_id": "AAT-07_A05",
      "objective": "the organization leverages decision makers from a diversity of backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07.1",
      "ao_id": "AAT-07.1_A01",
      "objective": "the organization characterizes the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07.1",
      "ao_id": "AAT-07.1_A02",
      "objective": "the organization characterizes the impact of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on groups.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07.1",
      "ao_id": "AAT-07.1_A03",
      "objective": "the organization characterizes the impact of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on communities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07.1",
      "ao_id": "AAT-07.1_A04",
      "objective": "the organization characterizes the impact of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on organizations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07.1",
      "ao_id": "AAT-07.1_A05",
      "objective": "the organization characterizes the impact of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on society.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07.2",
      "ao_id": "AAT-07.2_A01",
      "objective": "the potential likelihood is documented for each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07.2",
      "ao_id": "AAT-07.2_A02",
      "objective": "the potential impact is documented for each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-07.3",
      "ao_id": "AAT-07.3_A01",
      "objective": "a documented strategy exists to implement continuous monitoring of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that maximize benefits, while minimizing negative impacts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-08",
      "ao_id": "AAT-08_A01",
      "objective": "cybersecurity / data privacy roles and responsibilities are incorporated into organizational position descriptions.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-09[01]\n53A_R5_PS-09[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-08",
      "ao_id": "AAT-08_A02",
      "objective": "users are formally made aware of their roles and responsibilities to maintain a safe and secure working environment.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-08",
      "ao_id": "AAT-08_A03",
      "objective": "acknowledgement of user awareness is maintained by the organization.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-08",
      "ao_id": "AAT-08_A04",
      "objective": "the frequency at which to review / update position risk designations is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-02_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-08",
      "ao_id": "AAT-08_A05",
      "objective": "a risk designation is assigned to all organizational positions.",
      "pptdf": "People",
      "origin": "53A_R5_PS-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-09",
      "ao_id": "AAT-09_A01",
      "objective": "a risk catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risks is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-09",
      "ao_id": "AAT-09_A02",
      "objective": "the organization maps its risk catalog, including potential impacts, to instances where Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed, developed, deployed, evaluated and used.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-09.1",
      "ao_id": "AAT-09.1_A01",
      "objective": "the organization assesses the risk associated with Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-09.1",
      "ao_id": "AAT-09.1_A02",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designated as \"High Risk\" if one (1) or more of the following criteria are met:\n(1) AAT is used as a safety component of a product or service;\n(2) AAT poses a significant risk of harm to an individual's health, safety or fundamental rights; and/or\n(3) AAT materially influences the outcome of an individual's decision making.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10",
      "ao_id": "AAT-10_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability is organization-wide.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-01_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10",
      "ao_id": "AAT-10_A02",
      "objective": "a process is implemented to ensure that organizational plans for conducting cybersecurity / data privacy testing, training and monitoring activities associated with organizational systems are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14a.01[01]\n53A_R5_PM-14a.01[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10",
      "ao_id": "AAT-10_A03",
      "objective": "a process is implemented to ensure that organizational plans for conducting cybersecurity / data privacy testing, training and monitoring activities associated with organizational systems are maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14a.01[02]\n53A_R5_PM-14a.01[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10",
      "ao_id": "AAT-10_A04",
      "objective": "a process is implemented to ensure that organizational plans for conducting cybersecurity / data privacy testing, training and monitoring activities associated with organizational systems continue to be executed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14a.02[01]\n53A_R5_PM-14a.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10",
      "ao_id": "AAT-10_A05",
      "objective": "the authorization processes are integrated into an organization-wide risk management program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-10c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.1",
      "ao_id": "AAT-10.1_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability evaluates Artificial Intelligence (AI) and Autonomous Technologies (AAT) for trustworthy characteristics.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.2",
      "ao_id": "AAT-10.2_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability documents test sets used during AI TEVV.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.2",
      "ao_id": "AAT-10.2_A02",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability documents metrics used during AI TEVV.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.2",
      "ao_id": "AAT-10.2_A03",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability documents details about the tools used during AI TEVV.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.3",
      "ao_id": "AAT-10.3_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes demonstrating the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed is valid and reliable.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.4",
      "ao_id": "AAT-10.4_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability demonstrates the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed is safe",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.4",
      "ao_id": "AAT-10.4_A02",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability demonstrates residual, negative risk from Artificial Intelligence (AI) and Autonomous Technologies (AAT) does not exceed the organization's risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.4",
      "ao_id": "AAT-10.4_A03",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability demonstrates Artificial Intelligence (AI) and Autonomous Technologies (AAT) can fail safely, particularly if made to operate beyond its knowledge limits.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.5",
      "ao_id": "AAT-10.5_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability evaluates the security of the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.5",
      "ao_id": "AAT-10.5_A02",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability evaluates the resilience of the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.6",
      "ao_id": "AAT-10.6_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability is integrated into an organization-wide risk management program.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.6",
      "ao_id": "AAT-10.6_A02",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability examines risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.7",
      "ao_id": "AAT-10.7_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes a Data Protection Impact Assessment (DPIA) to identify and remediate reasonably-expected risks to Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.8",
      "ao_id": "AAT-10.8_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes examining fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.9",
      "ao_id": "AAT-10.9_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes validating the engineering model used in the design of the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.10",
      "ao_id": "AAT-10.10_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes a determination on the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.11",
      "ao_id": "AAT-10.11_A01",
      "objective": "After Action Reviews (AARs), or similar lessons learned exercises, are conducted after each Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) cycle to evaluate the effectiveness of the AI TEVV processes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.12",
      "ao_id": "AAT-10.12_A01",
      "objective": "results from Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) findings are evaluated against Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance demonstrated for conditions similar to deployment settings.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.12",
      "ao_id": "AAT-10.12_A02",
      "objective": "results from Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) findings are evaluated against Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related assurance criteria demonstrated for conditions similar to deployment settings.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.13",
      "ao_id": "AAT-10.13_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes proactive and continuous monitoring of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.14",
      "ao_id": "AAT-10.14_A01",
      "objective": "the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability integrates continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.15",
      "ao_id": "AAT-10.15_A01",
      "objective": "results from Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.15",
      "ao_id": "AAT-10.15_A02",
      "objective": "the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) are reported to relevant stakeholders, including governing bodies, as required.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.16",
      "ao_id": "AAT-10.16_A01",
      "objective": "an empirically validated methods to evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.16",
      "ao_id": "AAT-10.16_A02",
      "objective": "the organization evaluates claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using an organization-defined empirically validated method.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.17",
      "ao_id": "AAT-10.17_A01",
      "objective": "a method to benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.17",
      "ao_id": "AAT-10.17_A02",
      "objective": "the organization benchmarks the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.18",
      "ao_id": "AAT-10.18_A01",
      "objective": "the organization mitigates concerns of model collapse by assessing the proportion of synthetic to non-synthetic training data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.18",
      "ao_id": "AAT-10.18_A02",
      "objective": "the organization mitigates concerns of model collapse by verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.19",
      "ao_id": "AAT-10.19_A01",
      "objective": "Third-party Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related components are assessed, approved and continuously monitored.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.19",
      "ao_id": "AAT-10.19_A02",
      "objective": "Third-party Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related Application Programming Interfaces (APIs) are assessed, approved and continuously monitored.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-10.19",
      "ao_id": "AAT-10.19_A03",
      "objective": "Third-party Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related services used by AI agents for security, privacy and compliance are assessed, approved and continuously monitored.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-11",
      "ao_id": "AAT-11_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to compel robust, ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-11",
      "ao_id": "AAT-11_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners conducted engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-11.1",
      "ao_id": "AAT-11.1_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-11.1",
      "ao_id": "AAT-11.1_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners regularly collected, considered, prioritized and integrated risk-related feedback on Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-11.2",
      "ao_id": "AAT-11.2_A01",
      "objective": "independent assessors and/or internal stakeholders, who did not serve as front-line developers, are utilized for regular assessments and updates of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-11.3",
      "ao_id": "AAT-11.3_A01",
      "objective": "the organization collects feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-11.3",
      "ao_id": "AAT-11.3_A02",
      "objective": "evaluation metrics from end users and impacted communities are integrated into Artificial Intelligence (AI) and Autonomous Technologies (AAT) developments.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-11.4",
      "ao_id": "AAT-11.4_A01",
      "objective": "pertinent information from Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related incidents and/or errors are communicated to relevant stakeholders, including affected communities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12",
      "ao_id": "AAT-12_A01",
      "objective": "an executive steering committee, or advisory board, evaluates business practices that want to or currently use Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12",
      "ao_id": "AAT-12_A02",
      "objective": "measures exist for the executive steering committee, or advisory board, to proactively identify and evaluate third-party Intellectual Property (IP) infringement risks from Artificial Intelligence (AI) and Autonomous Technologies (AAT) usage.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12",
      "ao_id": "AAT-12_A03",
      "objective": "actions are taken to prevent and/or block Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities that infringe upon another party's Intellectual Property (IP).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12.1",
      "ao_id": "AAT-12.1_A01",
      "objective": "data sources utilized in the training and/or operation of Artificial Intelligence and Autonomous Technologies (AAT) are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12.2",
      "ao_id": "AAT-12.2_A01",
      "objective": "sources of data used by Artificial Intelligence and Autonomous Technologies (AAT) are evaluated for susceptibility to compromise.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12.2",
      "ao_id": "AAT-12.2_A02",
      "objective": "methods to protect integrity of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of Artificial Intelligence and Autonomous Technologies (AAT) are implemented.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12.3",
      "ao_id": "AAT-12.3_A01",
      "objective": "the organization publicly discloses information about Artificial Intelligence and Autonomous Technologies (AAT) in sufficient detail to assess content lineage.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12.3",
      "ao_id": "AAT-12.3_A02",
      "objective": "the organization publicly discloses information about Artificial Intelligence and Autonomous Technologies (AAT) in sufficient detail to assess the origin of data used by the AAT.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12.4",
      "ao_id": "AAT-12.4_A01",
      "objective": "Artificial Intelligence and Autonomous Technologies (AAT) are configured to enable auditing of content modifications.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-12.4",
      "ao_id": "AAT-12.4_A02",
      "objective": "Artificial Intelligence and Autonomous Technologies (AAT) are configured to generate event logs for content-related changes.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-13",
      "ao_id": "AAT-13_A01",
      "objective": "stakeholder competencies, skills and capacities incorporate demographic diversity.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-13",
      "ao_id": "AAT-13_A02",
      "objective": "stakeholder competencies, skills and capacities incorporate broad domain expertise.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-13",
      "ao_id": "AAT-13_A03",
      "objective": "stakeholder competencies, skills and capacities incorporate broad user experience expertise.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-13.1",
      "ao_id": "AAT-13.1_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to be proficient in Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-13.1",
      "ao_id": "AAT-13.1_A02",
      "objective": "the organization routinely assesses Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-13.1",
      "ao_id": "AAT-13.1_A03",
      "objective": "roles and responsibilities are updated as Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements evolve.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-14",
      "ao_id": "AAT-14_A01",
      "objective": "the organization takes socio-technical implications into account to address risks associated with Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-14.1",
      "ao_id": "AAT-14.1_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related stakeholders define the tasks that AAT will support (e.g., classifiers, generative models, recommenders).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-14.2",
      "ao_id": "AAT-14.2_A01",
      "objective": "the knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-14.2",
      "ao_id": "AAT-14.2_A02",
      "objective": "stakeholders are provided the knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to assist in decision making.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-15",
      "ao_id": "AAT-15_A01",
      "objective": "an executive steering committee, or advisory board, defines criteria as to whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) achieved intended purposes and stated objectives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-15",
      "ao_id": "AAT-15_A02",
      "objective": "measures exist for the executive steering committee, or advisory board, to determine whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) development or deployment should proceed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-15.1",
      "ao_id": "AAT-15.1_A01",
      "objective": "residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-15.1",
      "ao_id": "AAT-15.1_A02",
      "objective": "residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT) documented in a Plan of Action & Milestones (POA&M), or similar risk register.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-15.2",
      "ao_id": "AAT-15.2_A01",
      "objective": "an executive steering committee, or advisory board, defines criteria for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-15.2",
      "ao_id": "AAT-15.2_A02",
      "objective": "an executive steering committee, or advisory board, assigns responsibility to responsible party(ies) for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT) when designated criteria are demonstrated.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16",
      "ao_id": "AAT-16_A01",
      "objective": "responsible party(ies) monitor the functionality and behavior of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) for anomalous performance or outcomes inconsistent with intended use.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.1",
      "ao_id": "AAT-16.1_A01",
      "objective": "a risk catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risks is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.1",
      "ao_id": "AAT-16.1_A02",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are identified through consultation with domain experts and other end users.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.2",
      "ao_id": "AAT-16.2_A01",
      "objective": "cybersecurity / data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are regularly assessed for errors and potential impacts on affected communities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.3",
      "ao_id": "AAT-16.3_A01",
      "objective": "responsible party(ies) that monitor the functionality and behavior of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) are trained on identifying unmeasurable risks or trustworthiness characteristics.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.3",
      "ao_id": "AAT-16.3_A02",
      "objective": "unmeasurable risks or trustworthiness characteristics are reported in accordance with the organization's Incident Response Plan (IRP).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.4",
      "ao_id": "AAT-16.4_A01",
      "objective": "responsible party(ies) gather feedback about efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.4",
      "ao_id": "AAT-16.4_A02",
      "objective": "an executive steering committee, or advisory board, assesses the efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.5",
      "ao_id": "AAT-16.5_A01",
      "objective": "input from domain experts and relevant stakeholders is utilized to validate whether the Artificial Intelligence (AI) and Autonomous Technologies (AAT) perform consistently, as intended.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.6",
      "ao_id": "AAT-16.6_A01",
      "objective": "an executive steering committee, or advisory board, evaluates performance improvements or declines with domain experts and relevant stakeholders to define context-relevant risks and trustworthiness issues.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.7",
      "ao_id": "AAT-16.7_A01",
      "objective": "the organization utilizes pre-trained models for Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related monitoring and maintenance.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.8",
      "ao_id": "AAT-16.8_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) system event logging capabilities are configured to provide start date, start time, end date and end time for each use.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.8",
      "ao_id": "AAT-16.8_A02",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) system event logging capabilities are configured to provide database(s) against which input data has been checked by the system.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.8",
      "ao_id": "AAT-16.8_A03",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) system event logging capabilities are configured to provide input data for which the search has led to a match.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.8",
      "ao_id": "AAT-16.8_A04",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) system event logging capabilities are configured to provide identification of individual(s) involved in the verification of the results.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.9",
      "ao_id": "AAT-16.9_A01",
      "objective": "criteria to define a \"serious incident\" involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.9",
      "ao_id": "AAT-16.9_A02",
      "objective": "the organization report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the serious incident occurred, in accordance with mandated reporting timelines.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.10",
      "ao_id": "AAT-16.10_A01",
      "objective": "investigations for a \"serious incident\" of operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) documents a Root Cause Analysis (RCA).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.10",
      "ao_id": "AAT-16.10_A02",
      "objective": "investigations for a \"serious incident\" of operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) documents a risk assessment of the incident.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.10",
      "ao_id": "AAT-16.10_A03",
      "objective": "investigations for a \"serious incident\" of operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) documents a description of corrective actions taken, including measures implemented to prevent a recurrence of the incident.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.11",
      "ao_id": "AAT-16.11_A01",
      "objective": "a real-time review feature allows personnel to analyze anomalous Artificial Intelligence (AI) and Autonomous Technologies (AAT) behavior and provide escalation paths.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.11",
      "ao_id": "AAT-16.11_A02",
      "objective": "escalation paths enable human intervention to address AAT anomalies.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.12",
      "ao_id": "AAT-16.12_A01",
      "objective": "human reviews are performed to determine the root cause of high-risk or ambiguous Artificial Intelligence (AI) and Autonomous Technologies (AAT) actions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.12",
      "ao_id": "AAT-16.12_A02",
      "objective": "clear escalation paths for approval exist for instances involving high-risk or ambiguous AAT actions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.13",
      "ao_id": "AAT-16.13_A01",
      "objective": "the organization has the ability to detect emergent or collusive behaviors among multiple Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.13",
      "ao_id": "AAT-16.13_A02",
      "objective": "the organization has the ability to contain emergent or collusive behaviors among multiple AAT through automated or human-triggered means.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.13",
      "ao_id": "AAT-16.13_A03",
      "objective": "formal investigation determines the root cause of agentic cascades or collusion.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.14",
      "ao_id": "AAT-16.14_A01",
      "objective": "AI agent to AI agent communications to are validated to detect poisoning or consensus manipulation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-16.14",
      "ao_id": "AAT-16.14_A02",
      "objective": "AI agent to AI agent communications to are validated to identify rogue or compromised AI agents in distributed or multi-agent environments.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17",
      "ao_id": "AAT-17_A01",
      "objective": "the organization proactively identifies unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17",
      "ao_id": "AAT-17_A02",
      "objective": "the organization tracks existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks in a Plan of Action & Milestones (POA&M), or similar risk register.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.1",
      "ao_id": "AAT-17.1_A01",
      "objective": "an executive steering committee, or advisory board, evaluates business practices that could pose harm to human subjects from Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.1",
      "ao_id": "AAT-17.1_A02",
      "objective": "measures exist for the executive steering committee, or advisory board, to implement safeguards to protect human subjects from harm due to Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.2",
      "ao_id": "AAT-17.2_A01",
      "objective": "an executive steering committee, or advisory board, evaluates the environmental impacts of Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.2",
      "ao_id": "AAT-17.2_A02",
      "objective": "an executive steering committee, or advisory board, evaluates the sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.3",
      "ao_id": "AAT-17.3_A01",
      "objective": "an incident response capability exists to appropriately respond to previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.4",
      "ao_id": "AAT-17.4_A01",
      "objective": "novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.4",
      "ao_id": "AAT-17.4_A02",
      "objective": "novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate content provenance.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.4",
      "ao_id": "AAT-17.4_A03",
      "objective": "novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate oﬀensive cyber capabilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.4",
      "ao_id": "AAT-17.4_A04",
      "objective": "novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate Chemical, Biological, Radiological or Nuclear (CBRN) weapons.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.4",
      "ao_id": "AAT-17.4_A05",
      "objective": "novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate other dangerous materials or agents.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.5",
      "ao_id": "AAT-17.5_A01",
      "objective": "actions to fine-tune Artificial Intelligence (AI) and Autonomous Technologies (AAT) that do not compromise existing safety and/or security controls are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-17.5",
      "ao_id": "AAT-17.5_A02",
      "objective": "the organization ensures actions to fine-tune Artificial Intelligence (AI) and Autonomous Technologies (AAT) do not compromise existing safety and/or security controls.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-18",
      "ao_id": "AAT-18_A01",
      "objective": "an executive steering committee, or advisory board, tracks Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are difficult to assess using currently available measurement techniques or where metrics are not yet available.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-18.1",
      "ao_id": "AAT-18.1_A01",
      "objective": "responsible party(ies) prioritize, respond to and remediate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks based on assessments and other analytical output.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19",
      "ao_id": "AAT-19_A01",
      "objective": "the organization defines use cases for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19",
      "ao_id": "AAT-19_A02",
      "objective": "the organization defines geographic markets for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19",
      "ao_id": "AAT-19_A03",
      "objective": "the organization defines the use of Intellectual Property (IP) for Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19",
      "ao_id": "AAT-19_A04",
      "objective": "the organization ensures deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) conform to applicable statutory and regulatory requirements, based on defined use cases.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19",
      "ao_id": "AAT-19_A05",
      "objective": "the organization ensures deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) conform to applicable statutory and regulatory requirements, based on geographic markets.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19",
      "ao_id": "AAT-19_A06",
      "objective": "the organization ensures deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) conform to applicable statutory and regulatory requirements, based on the use of Intellectual Property (IP).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.1",
      "ao_id": "AAT-19.1_A01",
      "objective": "the organization defines manipulative or deceptive techniques that Artificial Intelligence (AI) and Autonomous Technologies (AAT) could use to impair an individual's ability to make a reasonably informed decision.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.1",
      "ao_id": "AAT-19.1_A02",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that utilizes manipulative or deceptive techniques (including biased data) to impair an individual's ability to make a reasonably informed decision.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.2",
      "ao_id": "AAT-19.2_A01",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that exploits a human subject to materially affect a targeted behavior due to their age.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.2",
      "ao_id": "AAT-19.2_A02",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that exploits a human subject to materially affect a targeted behavior due to their disability.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.2",
      "ao_id": "AAT-19.2_A03",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that exploits a human subject to materially affect a targeted behavior due to their specific social or economic situation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.3",
      "ao_id": "AAT-19.3_A01",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that evaluate human subjects over a certain period of time based on their social behavior or known, inferred or predicted personal or personality characteristics.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.3",
      "ao_id": "AAT-19.3_A02",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that assign a \"social score\" branding or equivalent classification.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.4",
      "ao_id": "AAT-19.4_A01",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that lead to the detrimental or unfavorable treatment of certain data subjects, or groups of data subjects, in social contexts that are unrelated to the contexts in which the data was originally generated or collected.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.4",
      "ao_id": "AAT-19.4_A02",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that lead to the detrimental or unfavorable treatment of certain data subjects, or groups of data subjects, in social contexts that are unjustified or disproportionate to their social behavior or its gravity.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.5",
      "ao_id": "AAT-19.5_A01",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that assess the risk of an individual committing a criminal offence.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.5",
      "ao_id": "AAT-19.5_A02",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that predicts risk based solely on the profiling of personality traits and characteristics.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.6",
      "ao_id": "AAT-19.6_A01",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that create, or expand, facial recognition databases through scraping facial images from the Internet.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.6",
      "ao_id": "AAT-19.6_A02",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that create, or expand, facial recognition databases through scraping facial images from the Internet or Closed-Circuit Television (CCTV) footage.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.7",
      "ao_id": "AAT-19.7_A01",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on observed characteristics.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.8",
      "ao_id": "AAT-19.8_A01",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's race.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.8",
      "ao_id": "AAT-19.8_A02",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's political opinions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.8",
      "ao_id": "AAT-19.8_A03",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's trade union membership.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.8",
      "ao_id": "AAT-19.8_A04",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's religious or philosophical beliefs.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.8",
      "ao_id": "AAT-19.8_A05",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's sex life or sexual orientation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-19.8",
      "ao_id": "AAT-19.8_A06",
      "objective": "the organization prohibits the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's age.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20",
      "ao_id": "AAT-20_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to achieve an appropriate level of accuracy, robustness, and cybersecurity.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20",
      "ao_id": "AAT-20_A02",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to perform consistently in those respects throughout the AAT system's lifecycle.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20",
      "ao_id": "AAT-20_A03",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to be effectively overseen by competent individuals.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.1",
      "ao_id": "AAT-20.1_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so their operation is sufficiently transparent such that output can be easily interpreted by personnel implementing the AAT.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.2",
      "ao_id": "AAT-20.2_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) supporting documentation contains contact details of the provider.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.2",
      "ao_id": "AAT-20.2_A02",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) supporting documentation contains characteristics, capabilities and limitations of performance of the AAT.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.2",
      "ao_id": "AAT-20.2_A03",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) supporting documentation contains errata from the AAT's initial conformity assessment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.2",
      "ao_id": "AAT-20.2_A04",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) supporting documentation contains details necessary to interpret the outputs of the AAT.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.2",
      "ao_id": "AAT-20.2_A05",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) supporting documentation contains human oversight measures necessary to facilitate the interpretation of the outputs of the AAT.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.2",
      "ao_id": "AAT-20.2_A06",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) supporting documentation contains computational and hardware resources needed to operate the AAT.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.2",
      "ao_id": "AAT-20.2_A07",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) supporting documentation contains projected useable lifetime of the AAT.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.2",
      "ao_id": "AAT-20.2_A08",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) supporting documentation contains a description of the mechanisms included within the AAT system to properly collect, store and interpret event logs.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.3",
      "ao_id": "AAT-20.3_A01",
      "objective": "documentation covering the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance includes Reinforcement Learning from Human Feedback (RLHF).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.3",
      "ao_id": "AAT-20.3_A02",
      "objective": "documentation covering the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance includes fine-tuning.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.3",
      "ao_id": "AAT-20.3_A03",
      "objective": "documentation covering the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance includes retrieval-augmented generation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.3",
      "ao_id": "AAT-20.3_A04",
      "objective": "documentation covering the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance includes content moderation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-20.3",
      "ao_id": "AAT-20.3_A05",
      "objective": "documentation covering the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance includes business rules.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-21",
      "ao_id": "AAT-21_A01",
      "objective": "the organization identifies appropriate governing bodies that require the registration of Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-21",
      "ao_id": "AAT-21_A02",
      "objective": "the organization maintains a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by statutory or regulatory requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22",
      "ao_id": "AAT-22_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) include appropriate technical and organizational measures so that AAT are used in accordance with the AAT developer-provided instructions for use.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.1",
      "ao_id": "AAT-22.1_A01",
      "objective": "human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to prevent or minimize the risks is assigned to one, or more, individuals.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.1",
      "ao_id": "AAT-22.1_A02",
      "objective": "human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) focuses on preventing, or minimizing, risks associated with an individual's health.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.1",
      "ao_id": "AAT-22.1_A03",
      "objective": "human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) focuses on preventing, or minimizing, risks associated with an individual's safety.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.1",
      "ao_id": "AAT-22.1_A04",
      "objective": "human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) focuses on preventing, or minimizing, risks associated with an individual's fundamental rights.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.2",
      "ao_id": "AAT-22.2_A01",
      "objective": "oversight measures for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are commensurate with the AAT's assessed risk(s).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.2",
      "ao_id": "AAT-22.2_A02",
      "objective": "oversight measures for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are commensurate with the AAT's level of autonomy.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.2",
      "ao_id": "AAT-22.2_A03",
      "objective": "oversight measures for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are commensurate with the AAT's context of use.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.3",
      "ao_id": "AAT-22.3_A01",
      "objective": "no action or decision is able to be taken by the deployer of Artificial Intelligence (AI) and Autonomous Technologies (AAT) solely on the basis of AAT-generated evidence, unless that evidence has been separately verified and confirmed by at least two (2) individuals with the necessary competence, training and authority.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.4",
      "ao_id": "AAT-22.4_A01",
      "objective": "human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) is assigned to individuals who have the necessary competence.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.4",
      "ao_id": "AAT-22.4_A02",
      "objective": "human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) is assigned to individuals who have the necessary training.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.4",
      "ao_id": "AAT-22.4_A03",
      "objective": "human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) is assigned to individuals who have the necessary authority.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.4",
      "ao_id": "AAT-22.4_A04",
      "objective": "human oversight of Artificial Intelligence (AI) and Autonomous Technologies (AAT) is assigned to individuals who have the necessary resources.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.5",
      "ao_id": "AAT-22.5_A01",
      "objective": "input to Artificial Intelligence (AI) and Autonomous Technologies (AAT) is limited to what is relevant to the intended purpose of the AAT.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.6",
      "ao_id": "AAT-22.6_A01",
      "objective": "serious incidents and/or irregularities associated with the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are reported without delay to the AAT provider.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.6",
      "ao_id": "AAT-22.6_A02",
      "objective": "serious incidents and/or irregularities associated with the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are reported without delay to the AAT importer or distributor, if applicable.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.6",
      "ao_id": "AAT-22.6_A03",
      "objective": "serious incidents and/or irregularities associated with the deployment of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are reported without delay to local law authorities and/or governmental agency, as required.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.7",
      "ao_id": "AAT-22.7_A01",
      "objective": "methods to identify employees, including workers' representatives, are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.7",
      "ao_id": "AAT-22.7_A02",
      "objective": "employees, including workers' representatives, are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.7",
      "ao_id": "AAT-22.7_A03",
      "objective": "employees, including workers' representatives, are informed about Artificial Intelligence (AI) and Autonomous Technologies (AAT) deployments, prior to the use of the AAT in a production environment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.8",
      "ao_id": "AAT-22.8_A01",
      "objective": "when Artificial Intelligence (AI) and Autonomous Technologies (AAT) are used to make decisions, or assist in making decisions, affected people are notified in a clear manner that they are utilizing an AAT solution.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-22.8",
      "ao_id": "AAT-22.8_A02",
      "objective": "when AAT are used to make decisions, or assist in making decisions, affected people are notified in a clear manner that they are expected to validate the output for relevance and accuracy.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-23",
      "ao_id": "AAT-23_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) output is marked in a machine-readable format so it is detectable as artificially generated or manipulated.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-24",
      "ao_id": "AAT-24_A01",
      "objective": "consent is obtained from the subjects of testing Artificial Intelligence (AI) and Autonomous Technologies (AAT) prior to their participation in such testing.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-24",
      "ao_id": "AAT-24_A02",
      "objective": "consent is obtained from the subjects of testing Artificial Intelligence (AI) and Autonomous Technologies (AAT) after their having been provided with clear and concise information regarding the testing.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-25",
      "ao_id": "AAT-25_A01",
      "objective": "the sequence of events involved in creating and deploying Artificial Intelligence (AI) and Autonomous Technologies (AAT) is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-25",
      "ao_id": "AAT-25_A02",
      "objective": "the relevant stakeholders involved in creating and deploying Artificial Intelligence (AI) and Autonomous Technologies (AAT) are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-25.1",
      "ao_id": "AAT-25.1_A01",
      "objective": "over-reliance on third-party data with Artificial Intelligence (AI) and Autonomous Technologies (AAT) is identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-25.1",
      "ao_id": "AAT-25.1_A02",
      "objective": "fallback methods are identified to address the inability to access third-party data, as necessary.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26",
      "ao_id": "AAT-26_A01",
      "objective": "fact-checking techniques are developed to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26",
      "ao_id": "AAT-26_A02",
      "objective": "fact-checking techniques are implemented to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.1",
      "ao_id": "AAT-26.1_A01",
      "objective": "testing techniques are developed to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.1",
      "ao_id": "AAT-26.1_A02",
      "objective": "testing techniques are implemented to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.2",
      "ao_id": "AAT-26.2_A01",
      "objective": "techniques to delineate human proficiency tests from tests of Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities are developed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.2",
      "ao_id": "AAT-26.2_A02",
      "objective": "techniques to delineate human proficiency tests from tests of Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities are implemented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.3",
      "ao_id": "AAT-26.3_A01",
      "objective": "relevant end-users, practitioners and operators in Artificial Intelligence (AI) and Autonomous Technologies (AAT) prototyping and testing activities are included to cover applicable use case scenarios.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.3",
      "ao_id": "AAT-26.3_A02",
      "objective": "relevant end-users, practitioners and operators in Artificial Intelligence (AI) and Autonomous Technologies (AAT) prototyping and testing activities are included to cover crisis situations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.3",
      "ao_id": "AAT-26.3_A03",
      "objective": "relevant end-users, practitioners and operators in Artificial Intelligence (AI) and Autonomous Technologies (AAT) prototyping and testing activities are included to cover ethically sensitive contexts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.4",
      "ao_id": "AAT-26.4_A01",
      "objective": "instructions for data annotators are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-26.4",
      "ao_id": "AAT-26.4_A02",
      "objective": "instructions for Artificial Intelligence (AI) and Autonomous Technologies (AAT) red-teamers are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-27",
      "ao_id": "AAT-27_A01",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are prevented from generating content that is inappropriate.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-27",
      "ao_id": "AAT-27_A02",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are prevented from generating content that is harmful.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-27",
      "ao_id": "AAT-27_A03",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are prevented from generating content that is false.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-27",
      "ao_id": "AAT-27_A04",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are prevented from generating content that is illegal.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-27",
      "ao_id": "AAT-27_A05",
      "objective": "Artificial Intelligence (AI) and Autonomous Technologies (AAT) are prevented from generating content that is violent.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-27.1",
      "ao_id": "AAT-27.1_A01",
      "objective": "competent personnel are assigned the task to review Artificial Intelligence (AI) and Autonomous Technologies (AAT)-generated content for alignment with culturally accepted norms.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-28",
      "ao_id": "AAT-28_A01",
      "objective": "evidence supports the claim that AI models are designed with resilience capabilities that are sufficient to withstand reasonable threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-28.1",
      "ao_id": "AAT-28.1_A01",
      "objective": "technical controls prevent \"model pollution\" due to accidental and/or malicious inputs by an AI agent that can negatively alter the AI model.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-28.2",
      "ao_id": "AAT-28.2_A01",
      "objective": "a capability exists to detect false data (e.g., hallucinations) within the AI model or between AI agents.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-28.2",
      "ao_id": "AAT-28.2_A02",
      "objective": "a capability exists to prevent the propagation of false data (e.g., hallucinations) within the AI model or between AI agents.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-28.3",
      "ao_id": "AAT-28.3_A01",
      "objective": "Denial of Service (DoS) conditions are monitored.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-28.3",
      "ao_id": "AAT-28.3_A02",
      "objective": "Denial of Service (DoS) conditions are prevented through enforcement of quotas.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-28.3",
      "ao_id": "AAT-28.3_A03",
      "objective": "Denial of Service (DoS) conditions are prevented through workload controls.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-28.3",
      "ao_id": "AAT-28.3_A04",
      "objective": "Denial of Service (DoS) conditions are prevented through auto-suspension of runaway AI agent processes.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29",
      "ao_id": "AAT-29_A01",
      "objective": "AI agents are designed to securely operate under human oversight.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29",
      "ao_id": "AAT-29_A02",
      "objective": "AI agents are developed to securely operate under human oversight.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29",
      "ao_id": "AAT-29_A03",
      "objective": "AI agents are deployed to securely operate under human oversight.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.1",
      "ao_id": "AAT-29.1_A01",
      "objective": "infrastructure resources used by AI agents are protected through resource allocation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.1",
      "ao_id": "AAT-29.1_A02",
      "objective": "infrastructure resources used by AI agents are protected through privilege management.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.1",
      "ao_id": "AAT-29.1_A03",
      "objective": "infrastructure resources used by AI agents are protected through network segmentation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.1",
      "ao_id": "AAT-29.1_A04",
      "objective": "infrastructure resources used by AI agents are protected through workload isolation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.2",
      "ao_id": "AAT-29.2_A01",
      "objective": "AI agents implement limitations according to least privilege, where the AI agent operates with the minimal permissions necessary to perform designated tasks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.2",
      "ao_id": "AAT-29.2_A02",
      "objective": "AI agents implement limitations according to least functionality, where the AI agent is restricted to communicate with the minimal Assets, Applications & Services (AAS) and networks necessary to perform designated tasks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.3",
      "ao_id": "AAT-29.3_A01",
      "objective": "tool and Application Programming Interface (API) invocations by AI agents include schema validation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.3",
      "ao_id": "AAT-29.3_A02",
      "objective": "tool and API invocations by AI agents include rate limiting.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.3",
      "ao_id": "AAT-29.3_A03",
      "objective": "tool and API invocations by AI agents include access controls.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.3",
      "ao_id": "AAT-29.3_A04",
      "objective": "tool and API invocations by AI agents include output validation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.4",
      "ao_id": "AAT-29.4_A01",
      "objective": "AI agent orchestration protocols are configured to prevent unauthorized tool chaining.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.4",
      "ao_id": "AAT-29.4_A02",
      "objective": "AI agent orchestration protocols are configured to prevent context manipulation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.4",
      "ao_id": "AAT-29.4_A03",
      "objective": "AI agent orchestration protocols are configured to prevent protocol-based escalation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.5",
      "ao_id": "AAT-29.5_A01",
      "objective": "data inputs and retrieval pipelines for AI agents ensure data provenance.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.5",
      "ao_id": "AAT-29.5_A02",
      "objective": "data inputs and retrieval pipelines for AI agents prevent unauthorized access risks (e.g., injection, manipulation or exfiltration).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.6",
      "ao_id": "AAT-29.6_A01",
      "objective": "instances of privilege escalation or unauthorized delegation by AI agents are monitored for.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.6",
      "ao_id": "AAT-29.6_A02",
      "objective": "privilege escalation or unauthorized delegation by AI agents is prevented through dynamic role enforcement.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.6",
      "ao_id": "AAT-29.6_A03",
      "objective": "privilege escalation or unauthorized delegation by AI agents is prevented through establishing cross-agent delegation boundaries and privileged actions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.7",
      "ao_id": "AAT-29.7_A01",
      "objective": "AI agent access to sensitive/regulated data is restricted so that AI agents cannot ingest, generate or act on unauthorized data.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.8",
      "ao_id": "AAT-29.8_A01",
      "objective": "AI agents are prevented from extracting sensitive/regulated data from volatile memory.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.9",
      "ao_id": "AAT-29.9_A01",
      "objective": "user identification and authentication methods are capable of preventing AI agents from spoofing.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.9",
      "ao_id": "AAT-29.9_A02",
      "objective": "user identification and authentication methods are capable of preventing AI agents from mimicry.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.9",
      "ao_id": "AAT-29.9_A03",
      "objective": "user identification and authentication methods are capable of preventing AI agents from impersonation attacks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.10",
      "ao_id": "AAT-29.10_A01",
      "objective": "AI agent logic is protected from being subverted or manipulated.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.11",
      "ao_id": "AAT-29.11_A01",
      "objective": "a \"sandbox\" capability restricts AI agents from unrestricted access to local resources (e.g., Data, Assets, Applications & Services (DAAS) on the local LAN).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.11",
      "ao_id": "AAT-29.11_A02",
      "objective": "a \"sandbox\" capability restricts AI agents from unrestricted access to remote resources (e.g., Internet-based DAAS).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.12",
      "ao_id": "AAT-29.12_A01",
      "objective": "prompt injection / input attacks that seek to manipulate AI agent instructions, bypass controls or result in unauthorized actions can be detected.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.12",
      "ao_id": "AAT-29.12_A02",
      "objective": "means to prevent or mitigate prompt injection / input attacks that seek to manipulate AI agent instructions, bypass controls or result in unauthorized actions are implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.13",
      "ao_id": "AAT-29.13_A01",
      "objective": "authorized users or operators have the ability to immediately halt or disable AI agent activity in case of unexpected behavior or harm.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.14",
      "ao_id": "AAT-29.14_A01",
      "objective": "adversarial testing that simulates attacks against AI agents to identify and mitigate vulnerabilities is regularly conducted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.15",
      "ao_id": "AAT-29.15_A01",
      "objective": "AI agent self-modification is controlled / restricted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.15",
      "ao_id": "AAT-29.15_A02",
      "objective": "AI agent self-modification actions are logged.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.16",
      "ao_id": "AAT-29.16_A01",
      "objective": "unauthorized purging of persistent memory or long-term data used by AI agents is prevented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.17",
      "ao_id": "AAT-29.17_A01",
      "objective": "agentic delegation, chaining and/or multi-agent communication is controlled to prevent unauthorized task escalation or emergent risks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.18",
      "ao_id": "AAT-29.18_A01",
      "objective": "indicators of behavioral drift or deviation from established AI agent baselines are continuously monitored for.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.19",
      "ao_id": "AAT-29.19_A01",
      "objective": "AI agent-initiated actions are properly mapped to authenticated user or system identities, with enforced authorization checks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.20",
      "ao_id": "AAT-29.20_A01",
      "objective": "comprehensive audit trails of AI agent actions provide rationales.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.20",
      "ao_id": "AAT-29.20_A02",
      "objective": "comprehensive audit trails of AI agent actions provide user/trigger mappings.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.21",
      "ao_id": "AAT-29.21_A01",
      "objective": "human-understandable explanations for significant AI agent actions or decisions are provided to users.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.21",
      "ao_id": "AAT-29.21_A02",
      "objective": "end users are able to contest AI agent-generated outcomes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.22",
      "ao_id": "AAT-29.22_A01",
      "objective": "the organization has the capability to identify unfair, unethical or biased AI agent actions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.23",
      "ao_id": "AAT-29.23_A01",
      "objective": "AI agent-generated outputs are validated through content scanning.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-29.23",
      "ao_id": "AAT-29.23_A02",
      "objective": "AI agent-generated outputs are validated through output vetting that uses human approvals, where appropriate.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-30",
      "ao_id": "AAT-30_A01",
      "objective": "AI agent actions include non-repudiation to determine accountability.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-30",
      "ao_id": "AAT-30_A02",
      "objective": "AI agent actions are able to be forensically examined to determine accountability.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-30.1",
      "ao_id": "AAT-30.1_A01",
      "objective": "event logs are generated in an industry-supported format for Artificial Intelligence (AI) and Autonomous Technologies (AAT) actions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-30.2",
      "ao_id": "AAT-30.2_A01",
      "objective": "AI agent sessions are controlled by embedding session IDs into the requests to the AI model.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-30.2",
      "ao_id": "AAT-30.2_A02",
      "objective": "AI agent sessions are controlled by implementing capabilities to correlate sessions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-30.2",
      "ao_id": "AAT-30.2_A03",
      "objective": "AI agent sessions are controlled by terminating sessions after a defined time period.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-31",
      "ao_id": "AAT-31_A01",
      "objective": "risk-based prioritization is implemented to prevent cognitive overload or decision fatigue for humans-in-the-loop (HITL).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-32",
      "ao_id": "AAT-32_A01",
      "objective": "Robotic Process Automation (RPA) is implemented to improve efficiency, accuracy and speed in instances of high-volume, repetitive and rules-based business processes.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-32.1",
      "ao_id": "AAT-32.1_A01",
      "objective": "business process task activities that can be executed both manually and in an automated fashion are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AAT-32.1",
      "ao_id": "AAT-32.1_A02",
      "objective": "business process task activities that can be executed both manually and in an automated fashion are categorized.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01",
      "ao_id": "AST-01_A01",
      "objective": "an authoritative source and repository are established to provide a trusted source and accountability for approved and implemented systems and system components.",
      "pptdf": "Process",
      "origin": "172A_3.4.1e[c]\n172A_3.4.1e[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01",
      "ao_id": "AST-01_A02",
      "objective": "the frequency at which to review / update the system and system component inventory is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01",
      "ao_id": "AST-01_A03",
      "objective": "an inventory of systems and system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08a.04",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01",
      "ao_id": "AST-01_A04",
      "objective": "IT Asset Management (ITAM) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01",
      "ao_id": "AST-01_A05",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support IT Asset Management (ITAM) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01",
      "ao_id": "AST-01_A06",
      "objective": "responsibility and authority for the performance of IT Asset Management (ITAM)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01",
      "ao_id": "AST-01_A07",
      "objective": "personnel performing IT Asset Management (ITAM)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.1",
      "ao_id": "AST-01.1_A01",
      "objective": "asset-service dependencies are identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.1",
      "ao_id": "AST-01.1_A02",
      "objective": "asset-service dependencies are assessed to evaluate cybersecurity / data privacy concerns for technology assets that support more than one critical business function.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.2",
      "ao_id": "AST-01.2_A01",
      "objective": "pertinent stakeholders of critical systems, applications and services are identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.2",
      "ao_id": "AST-01.2_A02",
      "objective": "pertinent stakeholders of critical systems, applications and services are involved in supporting the ongoing secure management of those assets.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.3",
      "ao_id": "AST-01.3_A01",
      "objective": "a scalable, standardized naming convention exists for systems, applications and services that avoids asset naming conflicts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.4",
      "ao_id": "AST-01.4_A01",
      "objective": "the list of authorized software programs is reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.4",
      "ao_id": "AST-01.4_A02",
      "objective": "the list of authorized software programs is reviewed and updated <A.03.04.08.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.08.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.5",
      "ao_id": "AST-01.5_A01",
      "objective": "Technology Assets, Applications and/or Services (TAAS) that are authorized to connect to organizational Technology Assets, Applications, Services and/or Data (TAASD) are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-01.5",
      "ao_id": "AST-01.5_A02",
      "objective": "Identity & Access Management (IAM) personnel maintain a list of TAAS that are authorized to connect to organizational TAASD.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A01",
      "objective": "a documented, up-to-date, complete, accurate and readily available inventory of systems and system components exists.",
      "pptdf": "Process",
      "origin": "172A_3.4.3e[b]\n171A_3.4.1[d]\n172A_3.4.1e[b]\n53A_R5_CM-08a.01\n53A_R5_CM-08a.02\n53A_R5_CM-08a.05\n53A_R5_PM-05[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A02",
      "objective": "the system inventory includes hardware, software, firmware and documentation.",
      "pptdf": "Process",
      "origin": "171A_3.4.1[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A03",
      "objective": "the inventory is maintained (reviewed / updated) throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "171A_3.4.1[f]\n53A_R5_CM-08b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A04",
      "objective": "approved systems and system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.4.1e[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A05",
      "objective": "information deemed necessary to achieve effective systems and system component accountability is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A06",
      "objective": "the frequency at which to update the inventory of systems and system components is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-05_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A07",
      "objective": "the inventory of systems and system components is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-05[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A08",
      "objective": "the frequency at which to review and update the system component inventory is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.10.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A09",
      "objective": "an inventory of system components is developed and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.10.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A10",
      "objective": "the system component inventory is reviewed <A.03.04.10.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.10.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02",
      "ao_id": "AST-02_A11",
      "objective": "the system component inventory is updated <A.03.04.10.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.10.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.1",
      "ao_id": "AST-02.1_A01",
      "objective": "the system component inventory is updated as part of component installations.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.10.c[01]\n53A_R5_CM-08(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.1",
      "ao_id": "AST-02.1_A02",
      "objective": "the system component inventory is updated as part of component removals.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.10.c[02]\n53A_R5_CM-08(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.1",
      "ao_id": "AST-02.1_A03",
      "objective": "the system component inventory is updated as part of system updates.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.10.c[03]\n53A_R5_CM-08(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.2",
      "ao_id": "AST-02.2_A01",
      "objective": "automated mechanisms used to detect the presence of unauthorized hardware within the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)_ODP[01]\n53A_R5_CM-08(03)_ODP[02]\n53A_R5_CM-08(03)_ODP[03]\n53A_R5_CM-08(03)(a)[01]\n53A_R5_CM-08(03)(a)[02]\n53A_R5_CM-08(03)(a)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.2",
      "ao_id": "AST-02.2_A02",
      "objective": "the frequency at which automated mechanisms are used to detect the presence of unauthorized hardware, software and/or firmware within the system is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "automated mechanisms with a maximum five-minute delay in detection",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.2",
      "ao_id": "AST-02.2_A03",
      "objective": "automated mechanisms disable network access by unauthorized components, isolate unauthorized components and/or notify organization-defined personnel or roles.",
      "pptdf": "People",
      "origin": "53A_R5_CM-08(03)_ODP[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.2",
      "ao_id": "AST-02.2_A04",
      "objective": "personnel or roles to be notified when unauthorized components are detected is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.2",
      "ao_id": "AST-02.2_A05",
      "objective": "organization-defined actions are taken when unauthorized hardware, software and/or firmware is/are detected.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)(b)[01]\n53A_R5_CM-08(03)(b)[02]\n53A_R5_CM-08(03)(b)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.3",
      "ao_id": "AST-02.3_A01",
      "objective": "an inventory of system components that accurately reflects the system is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08a.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.3",
      "ao_id": "AST-02.3_A02",
      "objective": "an inventory of system components that includes all components within the system is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08a.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.3",
      "ao_id": "AST-02.3_A03",
      "objective": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08a.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.3",
      "ao_id": "AST-02.3_A04",
      "objective": "an inventory of system components that includes information is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08a.05",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.3",
      "ao_id": "AST-02.3_A05",
      "objective": "the system component inventory is reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.4",
      "ao_id": "AST-02.4_A01",
      "objective": "assessed component configurations are included in the system component inventory.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(06)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.4",
      "ao_id": "AST-02.4_A02",
      "objective": "any approved deviations to current deployed configurations are included in the system component inventory.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(06)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.5",
      "ao_id": "AST-02.5_A01",
      "objective": "system components that are known, authenticated, in a properly configured state or in a trust profile are identified.",
      "pptdf": "Process",
      "origin": "172A_3.5.3e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.5",
      "ao_id": "AST-02.5_A02",
      "objective": "automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems are identified.",
      "pptdf": "Process",
      "origin": "172A_3.5.3e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.5",
      "ao_id": "AST-02.5_A03",
      "objective": "automated or manual/procedural mechanisms are employed to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state or in a trust profile.",
      "pptdf": "Technology",
      "origin": "172A_3.5.3e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.5",
      "ao_id": "AST-02.5_A04",
      "objective": "configuration management process to be employed to handle device identification and authentication based on attestation is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-03(04)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.5",
      "ao_id": "AST-02.5_A05",
      "objective": "device identification and authentication are handled based on attestation by configuration management process.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-03(04)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.6",
      "ao_id": "AST-02.6_A01",
      "objective": "Dynamic Host Configuration Protocol (DHCP) server logging is implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.6",
      "ao_id": "AST-02.6_A02",
      "objective": "DHCP server logging is utilized to detect unknown systems.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.7",
      "ao_id": "AST-02.7_A01",
      "objective": "administrative practices identify software licensing restrictions to ensure compliance with End User Licensing Agreements (EULA).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.7",
      "ao_id": "AST-02.7_A02",
      "objective": "software inventories are automatically or manually reviewed for software licensing compliance.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A01",
      "objective": "a map of system data actions is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-13",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A02",
      "objective": "the location of sensitive / regulated data is identified and documented.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A03",
      "objective": "the system components on which sensitive / regulated data is processed are identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A04",
      "objective": "the system components on which sensitive / regulated data is stored are identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A05",
      "objective": "changes to the system or system component location where sensitive / regulated data is processed are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A06",
      "objective": "changes to the system or system component location where sensitive / regulated data is stored are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A07",
      "objective": "the location of CUI is identified and documented.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.04.11.a[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A08",
      "objective": "the system components on which CUI is processed are identified and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A09",
      "objective": "the system components on which CUI is stored are identified and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.a[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A10",
      "objective": "changes to the system or system component location where CUI is processed are documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.8",
      "ao_id": "AST-02.8_A11",
      "objective": "changes to the system or system component location where CUI is stored are documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.9",
      "ao_id": "AST-02.9_A01",
      "objective": "a centralized repository for the system and system component inventory is provided.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(07)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.9",
      "ao_id": "AST-02.9_A02",
      "objective": "automated mechanisms used to maintain the currency of the system component inventory are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(02)_ODP[01]\n53A_R5_CM-08(02)[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.9",
      "ao_id": "AST-02.9_A03",
      "objective": "automated mechanisms used to maintain the completeness of the system component inventory are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(02)_ODP[02]\n53A_R5_CM-08(02)[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.9",
      "ao_id": "AST-02.9_A04",
      "objective": "automated mechanisms used to maintain the accuracy of the system component inventory are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(02)_ODP[03]\n53A_R5_CM-08(02)[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.9",
      "ao_id": "AST-02.9_A05",
      "objective": "automated mechanisms used to maintain the availability of the system component inventory are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(02)_ODP[04]\n53A_R5_CM-08(02)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.10",
      "ao_id": "AST-02.10_A01",
      "objective": "automated mechanisms for tracking components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(08)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.10",
      "ao_id": "AST-02.10_A02",
      "objective": "organization-defined automated mechanisms are used to support the tracking of system components by geographic location.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-08(08)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.11",
      "ao_id": "AST-02.11_A01",
      "objective": "personnel or roles from which to receive an acknowledgement is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(09)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.11",
      "ao_id": "AST-02.11_A02",
      "objective": "system components are assigned to a system.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(09)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-02.11",
      "ao_id": "AST-02.11_A03",
      "objective": "an acknowledgement of the component assignment is received from organization-defined personnel or roles.",
      "pptdf": "People",
      "origin": "53A_R5_CM-08(09)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03",
      "ao_id": "AST-03_A01",
      "objective": "name, position and/or role of data ownership is documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.1",
      "ao_id": "AST-03.1_A01",
      "objective": "individuals responsible and accountable for administering system components are identified by organization-defined criteria in the system component inventory.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A01",
      "objective": "systems, system components and associated data that require valid provenance are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A02",
      "objective": "valid provenance is documented for systems, system components and associated data.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A03",
      "objective": "valid provenance is monitored for systems, system components and associated data.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A04",
      "objective": "valid provenance is maintained for systems, system components and associated data.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A05",
      "objective": "supply chain elements, processes and personnel associated with systems and critical system components that require unique identification are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(01)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A06",
      "objective": "unique identification of supply chain elements, processes and personnel is established.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(01)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A07",
      "objective": "unique identification of supply chain elements, processes and personnel is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A08",
      "objective": "systems and critical system components that require unique identification for tracking through the supply chain are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(02)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A09",
      "objective": "the unique identification of systems and critical system components is established for tracking through the supply chain.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(02)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-03.2",
      "ao_id": "AST-03.2_A10",
      "objective": "the unique identification of systems and critical system components is maintained for tracking through the supply chain.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04",
      "ao_id": "AST-04_A01",
      "objective": "sensitive data flows are identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04",
      "ao_id": "AST-04_A02",
      "objective": "a Data Flow Diagram (DFD) exists for each type of sensitive / regulated data that is stored, processed and/or transmitted.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04",
      "ao_id": "AST-04_A03",
      "objective": "a process exists to review DFDs for accuracy.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04",
      "ao_id": "AST-04_A04",
      "objective": "a process exists to update DFDs upon technology or business practice changes that affect where sensitive / regulated data is stored, processed and/or transmitted.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04",
      "ao_id": "AST-04_A05",
      "objective": "one or more high-level network diagrams exist as a schematic to identify the logical placement of systems, applications and services at a conceptual level.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04",
      "ao_id": "AST-04_A06",
      "objective": "one or more low-level network diagrams exist as a schematic to identify the detailed logical and physical placement of systems, applications and services.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04",
      "ao_id": "AST-04_A07",
      "objective": "a process exists to review network diagrams for accuracy.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04",
      "ao_id": "AST-04_A08",
      "objective": "a process exists to update network diagrams upon technologies change.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04.1",
      "ao_id": "AST-04.1_A01",
      "objective": "system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-22_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04.1",
      "ao_id": "AST-04.1_A02",
      "objective": "system hardware components are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-22",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04.2",
      "ao_id": "AST-04.2_A01",
      "objective": "one or more diagrams graphically depict control applicability boundaries for systems, applications, services and third parties to clarify \"in-scope versus out-of-scope\" determinations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04.3",
      "ao_id": "AST-04.3_A01",
      "objective": "an inventory of systems, applications and services exists for each specific statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-04.3",
      "ao_id": "AST-04.3_A02",
      "objective": "inventories of systems, applications and services are kept current for each specific statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-05",
      "ao_id": "AST-05_A01",
      "objective": "strict control is maintained over the internal or external distribution of any kind of sensitive / regulated media.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-05.1",
      "ao_id": "AST-05.1_A01",
      "objective": "written management approval is obtained prior to the transfer of any sensitive / regulated media outside of the organization's facilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-06",
      "ao_id": "AST-06_A01",
      "objective": "enhanced protection measures for unattended systems are implemented to protect against tampering and unauthorized access.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-06.1",
      "ao_id": "AST-06.1_A01",
      "objective": "users are educated on the need to physically secure laptops and other mobile devices out of site when traveling, preferably in the trunk of a vehicle.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-07",
      "ao_id": "AST-07_A01",
      "objective": "devices that capture sensitive / regulated data via direct physical interaction are appropriately protected from tampering and substitution.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-08",
      "ao_id": "AST-08_A01",
      "objective": "mobile devices are inspected for evidence of tampering upon return from geographic regions of concern or other known hostile environments that could lead to device compromise.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-08",
      "ao_id": "AST-08_A02",
      "objective": "mobile devices that show signs of tampering are confiscated for forensic examination.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-09",
      "ao_id": "AST-09_A01",
      "objective": "data, documentation, tools or system components to be disposed of are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-12_ODP[01]\n53A_R5_MP-06_ODP[01]\n53A_R5_MP-06_ODP[02]\n53A_R5_MP-06_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-09",
      "ao_id": "AST-09_A02",
      "objective": "techniques and methods for disposing of data, documentation, tools or system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-12_ODP[02]\n53A_R5_MP-06_ODP[04]\n53A_R5_MP-06_ODP[05]\n53A_R5_MP-06_ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-09",
      "ao_id": "AST-09_A03",
      "objective": "data, documentation, tools or system components are disposed of using techniques and methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-12",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-09",
      "ao_id": "AST-09_A04",
      "objective": "system media is sanitized using sanitization techniques and procedures prior to disposal.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "techniques and procedures IAW NIST SP 800-088 Section 4: Reuse and Disposal of Storage Media and Hardware",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-09",
      "ao_id": "AST-09_A05",
      "objective": "system media is sanitized using sanitization techniques and procedures prior to release from organizational control.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "techniques and procedures IAW NIST SP 800-088 Section 4: Reuse and Disposal of Storage Media and Hardware",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-09",
      "ao_id": "AST-09_A06",
      "objective": "system media is sanitized using sanitization techniques and procedures prior to release for reuse.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "techniques and procedures IAW NIST SP 800-088 Section 4: Reuse and Disposal of Storage Media and Hardware",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-09",
      "ao_id": "AST-09_A07",
      "objective": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-10",
      "ao_id": "AST-10_A01",
      "objective": "the organization governs a process to ensure that employees return all organizational assets in their possession upon termination of employment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-10",
      "ao_id": "AST-10_A02",
      "objective": "the organization governs a process to ensure that third-party users return all organizational assets in their possession upon termination of contract or agreement.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-10",
      "ao_id": "AST-10_A03",
      "objective": "upon termination of individual employment, security-related system property is retrieved.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.09.02.a.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-11",
      "ao_id": "AST-11_A01",
      "objective": "facility egress points are controlled by physical security measures.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-11",
      "ao_id": "AST-11_A02",
      "objective": "prior management authorization is required for the removal of technology assets from organizational facilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-11",
      "ao_id": "AST-11_A03",
      "objective": "the organization controls and tracks technology assets entering and exiting organizational facilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-12",
      "ao_id": "AST-12_A01",
      "objective": "the possession of personally-owned technology devices is restricted within organization-controlled facilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-12",
      "ao_id": "AST-12_A02",
      "objective": "the usage of personally-owned technology devices is restricted within organization-controlled facilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-13",
      "ao_id": "AST-13_A01",
      "objective": "technology configurations prohibit third-party technology assets from connecting to the organization's internal network(s).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14",
      "ao_id": "AST-14_A01",
      "objective": "the components for which usage restrictions and implementation guidance are to be established are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-43_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14",
      "ao_id": "AST-14_A02",
      "objective": "usage restrictions and implementation guidelines are established for components.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-43a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14",
      "ao_id": "AST-14_A03",
      "objective": "the use of components is authorized within the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-43b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14",
      "ao_id": "AST-14_A04",
      "objective": "the use of components is monitored within the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-43b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14",
      "ao_id": "AST-14_A05",
      "objective": "the use of components is controlled within the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-43b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14.1",
      "ao_id": "AST-14.1_A01",
      "objective": "the possession of unauthorized Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) is prohibited in sensitive areas.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14.1",
      "ao_id": "AST-14.1_A02",
      "objective": "the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) is prohibited in sensitive areas, unless use is in a Radio Frequency (RF)-screened building.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14.2",
      "ao_id": "AST-14.2_A01",
      "objective": "the possession of unauthorized Infrared (IR) communications devices is prohibited in sensitive areas.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-14.2",
      "ao_id": "AST-14.2_A02",
      "objective": "Infrared (IR) communications are configured to prevent line of sight and reflected use in unsecured spaces.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-15",
      "ao_id": "AST-15_A01",
      "objective": "a tamper protection program is implemented for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-15",
      "ao_id": "AST-15_A02",
      "objective": "anti-tamper technologies, tools and techniques are employed throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-09(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-15.1",
      "ao_id": "AST-15.1_A01",
      "objective": "systems or system components that require inspection are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-10_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-15.1",
      "ao_id": "AST-15.1_A02",
      "objective": "the frequency at which to inspect systems or system components is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-10_ODP[02]\n53A_R5_SR-10_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-15.1",
      "ao_id": "AST-15.1_A03",
      "objective": "indications of the need for an inspection of systems or system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-10_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-15.1",
      "ao_id": "AST-15.1_A04",
      "objective": "systems or system components are inspected to detect tampering.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-10",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-16",
      "ao_id": "AST-16_A01",
      "objective": "a Bring Your Own Device (BYOD) program is implemented and governed to reduce risk associated with personally-owned devices in the workplace.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-17",
      "ao_id": "AST-17_A01",
      "objective": "Supply Chain Risk Management (SCRM) practices require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-18",
      "ao_id": "AST-18_A01",
      "objective": "security-critical or essential software is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.1e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-18",
      "ao_id": "AST-18_A02",
      "objective": "root of trust mechanisms or cryptographic signatures are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.1e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-18",
      "ao_id": "AST-18_A03",
      "objective": "the integrity of security-critical or essential software is verified using root of trust mechanisms or cryptographic signatures.",
      "pptdf": "Process",
      "origin": "172A_3.14.1e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-19",
      "ao_id": "AST-19_A01",
      "objective": "implementation guidance for telecommunication equipment is established to prevent damage, unauthorized modification and potential eavesdropping.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-20",
      "ao_id": "AST-20_A01",
      "objective": "Video Teleconference (VTC) capabilities are secured in designated conference rooms to prevent potential eavesdropping.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-20",
      "ao_id": "AST-20_A02",
      "objective": "personnel are trained to use Video Teleconference (VTC) capabilities on endpoint devices outside of conference rooms in a secure manner that prevents eavesdropping.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-21",
      "ao_id": "AST-21_A01",
      "objective": "Internet Protocol Telephony (IPT) is securely implemented in a manner that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-22",
      "ao_id": "AST-22_A01",
      "objective": "assets are configured to prohibit the use of endpoint-based microphones and/or web cameras in secure areas or where sensitive information is discussed.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-23",
      "ao_id": "AST-23_A01",
      "objective": "Multi-Function Devices (MFD) are securely configured according to industry-recognized secure practices for the type of device.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-24",
      "ao_id": "AST-24_A01",
      "objective": "the organization maintains a pool of temporary, loaner or \"travel-only\" end user technology (e.g., laptops and mobile devices).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-24",
      "ao_id": "AST-24_A02",
      "objective": "personnel travelling overseas request and are issued a temporary, loaner or \"travel-only\" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-24",
      "ao_id": "AST-24_A03",
      "objective": "systems or system components with organization-defined configurations are issued to individuals traveling to high-risk locations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-24",
      "ao_id": "AST-24_A04",
      "objective": "systems or system components with the following configurations are issued to individuals traveling to high-risk locations: <A.03.04.12.ODP[01]: configurations>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.12.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "a configuration that has no CUI or FCI stored on the system and prevents the processing, storing, and transmission of CUI and FCI, unless a specific exception is granted in writing by the Contracting Officer",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-25",
      "ao_id": "AST-25_A01",
      "objective": "upon return from travel to authoritarian countries, the issued temporary, loaner or \"travel-only\" end user technology (e.g., laptops and mobile devices) is wiped / re-imaged before being re-issued.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-25",
      "ao_id": "AST-25_A02",
      "objective": "organization-defined security requirements are applied to the system or system components when the individuals return from travel.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-25",
      "ao_id": "AST-25_A03",
      "objective": "the following security requirements are applied to the system or system components when the individuals return from travel: <A.03.04.12.ODP[02]: security requirements>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.12.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "examine the system for signs of physical tampering and take the appropriate actions, and then either purge and reimage all storage media or destroy the system",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-26",
      "ao_id": "AST-26_A01",
      "objective": "system administration processes, with corresponding Standardized Operating Procedures (SOP), are developed, implemented and governed for operating and maintaining systems, applications and services.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-27",
      "ao_id": "AST-27_A01",
      "objective": "a \"jump box\" or \"jump server\" is established in secure enclaves that are in a separate network zone to user workstations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-27",
      "ao_id": "AST-27_A02",
      "objective": "non-console system administrative functions are restricted to connect to secure enclaves via a \"jump box\" or \"jump server\" that is located in a separate network zone to user workstations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-28",
      "ao_id": "AST-28_A01",
      "objective": "database management processes, with corresponding Standardized Operating Procedures (SOP), are developed, implemented and governed for operating and maintaining databases.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-28.1",
      "ao_id": "AST-28.1_A01",
      "objective": "Database Management Systems (DBMSs) are implemented and maintained.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-29",
      "ao_id": "AST-29_A01",
      "objective": "secure baseline configurations exist for Radio Frequency Identification (RFID) devices to protect the confidentiality and integrity of data being stored, processed and/or transmitted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-29",
      "ao_id": "AST-29_A02",
      "objective": "Radio Frequency Identification (RFID) devices are secured according to defined secure baseline configurations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-29.1",
      "ao_id": "AST-29.1_A01",
      "objective": "secure baseline configurations exist for contactless access control systems to protect the confidentiality and integrity of data being stored, processed and/or transmitted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-29.1",
      "ao_id": "AST-29.1_A02",
      "objective": "contactless access control systems are secured according to defined secure baseline configurations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-30",
      "ao_id": "AST-30_A01",
      "objective": "systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-31",
      "ao_id": "AST-31_A01",
      "objective": "the organization utilizes a defined methodology to categorize its technology assets based on data sensitivity and criticality.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-31.1",
      "ao_id": "AST-31.1_A01",
      "objective": "the organization utilizes a defined methodology to categorize Artificial Intelligence (AI) and Autonomous Technologies (AAT) based on data sensitivity and criticality.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-31.2",
      "ao_id": "AST-31.2_A01",
      "objective": "a system and/or service is categorized as \"High Risk\" if it poses a significant risk of harm to an individual's health.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-31.2",
      "ao_id": "AST-31.2_A02",
      "objective": "a system and/or service is categorized as \"High Risk\" if it poses a significant risk of harm to an individual's safety.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-31.2",
      "ao_id": "AST-31.2_A03",
      "objective": "a system and/or service is categorized as \"High Risk\" if it poses a significant risk of harm to an individual's fundamental human rights.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-31.3",
      "ao_id": "AST-31.3_A01",
      "objective": "a capability exists to dynamically associate asset-specific attributes to enable Attribute-Based Access Control (ABAC).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-32",
      "ao_id": "AST-32_A01",
      "objective": "Software Defined Networking (SDN), or similar technologies, analyzes network traffic to identify devices.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-32",
      "ao_id": "AST-32_A02",
      "objective": "Software Defined Networking (SDN), or similar technologies, analyzes network traffic to document devices.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "AST-32",
      "ao_id": "AST-32_A03",
      "objective": "Software Defined Networking (SDN), or similar technologies, analyzes network traffic to track devices.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A01",
      "objective": "cybersecurity issues are addressed in the development of a critical infrastructure and key resources protection plan.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-08[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A02",
      "objective": "privacy issues are addressed in the development of a critical infrastructure and key resources protection plan.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-08[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A03",
      "objective": "cybersecurity issues are addressed in the documentation of a critical infrastructure and key resources protection plan.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-08[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A04",
      "objective": "privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-08[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A05",
      "objective": "cybersecurity issues are addressed in the update of a critical infrastructure and key resources protection plan.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-08[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A06",
      "objective": "privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-08[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A07",
      "objective": "Business Continuity & Disaster Recovery (BC/DR) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A08",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Business Continuity & Disaster Recovery (BC/DR) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A09",
      "objective": "responsibility and authority for the performance of Business Continuity & Disaster Recovery (BC/DR)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01",
      "ao_id": "BCD-01_A10",
      "objective": "personnel performing Business Continuity & Disaster Recovery (BC/DR)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.1",
      "ao_id": "BCD-01.1_A01",
      "objective": "contingency plan development is coordinated with organizational elements responsible for related plans.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.2",
      "ao_id": "BCD-01.2_A01",
      "objective": "the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(07)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.3",
      "ao_id": "BCD-01.3_A01",
      "objective": "the transfer of organization-defined criteria mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(06)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.3",
      "ao_id": "BCD-01.3_A02",
      "objective": "operational continuity is sustained until full system restoration at primary processing and/or storage sites.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(06)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.4",
      "ao_id": "BCD-01.4_A01",
      "objective": "time period consistent with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for the recovery of the system is determined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-10_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.4",
      "ao_id": "BCD-01.4_A02",
      "objective": "the alternate storage site is configured to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-06(02)[01]\n53A_R5_CP-06(02)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.4",
      "ao_id": "BCD-01.4_A03",
      "objective": "time period consistent with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for the reconstitution of the system is determined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-10_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.4",
      "ao_id": "BCD-01.4_A04",
      "objective": "the recovery of the system to a known state is provided within a specified time period after a disruption, compromise or failure.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-10[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.4",
      "ao_id": "BCD-01.4_A05",
      "objective": "a reconstitution of the system to a known state is provided within an organization-defined time period after a disruption, compromise or failure.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-10[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.5",
      "ao_id": "BCD-01.5_A01",
      "objective": "criteria that must be met to initiate Business Continuity / Disaster Recovery (BC/DR) plans that facilitate business continuity operations capable of meeting applicable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.6",
      "ao_id": "BCD-01.6_A01",
      "objective": "internal and external stakeholders requiring notification of recovery activities and progress in restoring operational capabilities are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.6",
      "ao_id": "BCD-01.6_A02",
      "objective": "based on the type of incident, methods to contact internal and external stakeholders requiring notification of recovery activities and progress in restoring operational capabilities are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.6",
      "ao_id": "BCD-01.6_A03",
      "objective": "processes exist to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.7",
      "ao_id": "BCD-01.7_A01",
      "objective": "Documented roles and responsibilities exist that direct process owners to establish and maintain formal Business Continuity & Disaster Recovery (BC/DR) plans.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-01.7",
      "ao_id": "BCD-01.7_A02",
      "objective": "Process owners establish and maintain formal BC/DR plans to ensure information is detailed enough, accurate and representative of current operations in order to sustain and/or restore operations under adverse conditions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02",
      "ao_id": "BCD-02_A01",
      "objective": "systems, applications and services that support essential missions and business functions are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(03)_ODP[01]\n53A_R5_CP-02(05)_ODP\n53A_R5_CP-02(06)_ODP\n53A_R5_CP-02(08)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02",
      "ao_id": "BCD-02_A02",
      "objective": "critical system assets supporting organization-defined criteria mission and business functions are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02.1",
      "ao_id": "BCD-02.1_A01",
      "objective": "the contingency plan activation time period within which to resume all mission and business functions is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "Recovery Time Objective (RTO)",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02.1",
      "ao_id": "BCD-02.1_A02",
      "objective": "the resumption of all mission and business functions is planned for within an organization-defined time period of contingency plan activation.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "time period defined in service provider and organization SLA",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02.2",
      "ao_id": "BCD-02.2_A01",
      "objective": "the continuance of organization-defined criteria mission and business functions with minimal or no loss of operational continuity is planned for.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(05)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02.2",
      "ao_id": "BCD-02.2_A02",
      "objective": "continuity is sustained until full system restoration at primary processing and/or storage sites.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(05)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02.3",
      "ao_id": "BCD-02.3_A01",
      "objective": "the contingency plan activation time period within which to resume essential mission and business functions is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "Recovery Time Objective (RTO)",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02.3",
      "ao_id": "BCD-02.3_A02",
      "objective": "the resumption of essential mission and business functions is planned for within an organization-defined time period of contingency plan activation.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "Recovery Time Objective (RTO)",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02.4",
      "ao_id": "BCD-02.4_A01",
      "objective": "periodic security reviews of storage locations that contain sensitive / regulated data are performed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-02.4",
      "ao_id": "BCD-02.4_A02",
      "objective": "deficiencies identified during reviews of storage locations are tracked via a Plan of Action and Milestones (POA&M), or risk register, through remediation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A01",
      "objective": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-03_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A02",
      "objective": "the frequency at which to provide training to system users with a contingency role or responsibility is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A03",
      "objective": "the frequency at which to review / update contingency training content is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-03_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A04",
      "objective": "events necessitating review / update of contingency training are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-03_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A05",
      "objective": "contingency training is provided to system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility.",
      "pptdf": "People",
      "origin": "53A_R5_CP-03a.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A06",
      "objective": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes.",
      "pptdf": "People",
      "origin": "53A_R5_CP-03a.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A07",
      "objective": "contingency training is provided to system users consistent with assigned roles and responsibilities and at the organization-defined frequency thereafter.",
      "pptdf": "People",
      "origin": "53A_R5_CP-03a.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A08",
      "objective": "the contingency plan training content is reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-03b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03",
      "ao_id": "BCD-03_A09",
      "objective": "the contingency plan training content is reviewed / updated following events.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-03b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03.1",
      "ao_id": "BCD-03.1_A01",
      "objective": "simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.",
      "pptdf": "People",
      "origin": "53A_R5_CP-03(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-03.2",
      "ao_id": "BCD-03.2_A01",
      "objective": "mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-03(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04",
      "ao_id": "BCD-04_A01",
      "objective": "the frequency of testing the contingency plan for the system is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04",
      "ao_id": "BCD-04_A02",
      "objective": "tests for determining the effectiveness of the contingency plan are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04",
      "ao_id": "BCD-04_A03",
      "objective": "tests for determining readiness to execute the contingency plan are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04",
      "ao_id": "BCD-04_A04",
      "objective": "the contingency plan for the system is tested frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04",
      "ao_id": "BCD-04_A05",
      "objective": "tests are used to determine the effectiveness of the plan.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "functional exercises",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04",
      "ao_id": "BCD-04_A06",
      "objective": "tests are used to determine the readiness to execute the plan.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "functional exercises",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04.1",
      "ao_id": "BCD-04.1_A01",
      "objective": "contingency plan testing is coordinated with organizational elements responsible for related plans.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04.2",
      "ao_id": "BCD-04.2_A01",
      "objective": "the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04(02)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-04.2",
      "ao_id": "BCD-04.2_A02",
      "objective": "the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04(02)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-05",
      "ao_id": "BCD-05_A01",
      "objective": "the contingency plan test results are reviewed.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-05",
      "ao_id": "BCD-05_A02",
      "objective": "corrective actions to remediate contingency plan deficiencies are initiated, if needed.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-04c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A01",
      "objective": "a contingency plan is developed that identifies essential mission and business functions and associated contingency requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A02",
      "objective": "personnel or roles to review a contingency plan is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A03",
      "objective": "the contingency plan is updated to address changes to the organization, system or environment of operation.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02e.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A04",
      "objective": "contingency plan changes are communicated to key contingency personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02f.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A05",
      "objective": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution or testing.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A06",
      "objective": "personnel or roles to approve a contingency plan is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A07",
      "objective": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A08",
      "objective": "key contingency organizational elements to which copies of the contingency plan are distributed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A09",
      "objective": "the frequency of contingency plan review is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A10",
      "objective": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A11",
      "objective": "key contingency organizational elements to communicate changes to are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A12",
      "objective": "a contingency plan for the system is developed that provides recovery objectives.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A13",
      "objective": "a contingency plan for the system is developed that provides restoration priorities.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A14",
      "objective": "a contingency plan for the system is developed that provides metrics.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.02[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A15",
      "objective": "a contingency plan for the system is developed that addresses contingency roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A16",
      "objective": "a contingency plan for the system is developed that addresses contingency responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A17",
      "objective": "a contingency plan for the system is developed that addresses assigned individuals with contact information.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.03[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A18",
      "objective": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a disruption, compromise or failure of a system, application or service.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.04",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A19",
      "objective": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.05",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A20",
      "objective": "a contingency plan for the system is developed that addresses the sharing of contingency information.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.06",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A21",
      "objective": "a contingency plan for the system is developed that is reviewed by personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.07[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A22",
      "objective": "a contingency plan for the system is developed that is approved by personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02a.07[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A23",
      "objective": "copies of the contingency plan are distributed to key contingency personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A24",
      "objective": "copies of the contingency plan are distributed to organizational elements.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A25",
      "objective": "contingency planning activities are coordinated with incident handling activities.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A26",
      "objective": "the contingency plan for the system is reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A27",
      "objective": "contingency plan changes are communicated to organizational elements.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02f.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A28",
      "objective": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02g.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A29",
      "objective": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02g.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A30",
      "objective": "the contingency plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-02h.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06",
      "ao_id": "BCD-06_A31",
      "objective": "the contingency plan is protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-02h.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06.1",
      "ao_id": "BCD-06.1_A01",
      "objective": "the organization identifies components that, if changed, potentially impact the organization's ability to execute contingency plans.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06.2",
      "ao_id": "BCD-06.2_A01",
      "objective": "stakeholders for contingency plans are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-06.2",
      "ao_id": "BCD-06.2_A02",
      "objective": "stakeholders are informed of changes to contingency plans.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-07",
      "ao_id": "BCD-07_A01",
      "objective": "alternative or supplemental security mechanisms are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-13_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-07",
      "ao_id": "BCD-07_A02",
      "objective": "alternative or supplemental security mechanisms are employed for satisfying security functions when the primary means of implementing the security function is unavailable or compromised.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-13",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-07",
      "ao_id": "BCD-07_A03",
      "objective": "security functions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-13_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-08",
      "ao_id": "BCD-08_A01",
      "objective": "an alternate storage site is established.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-06a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-08",
      "ao_id": "BCD-08_A02",
      "objective": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information.",
      "pptdf": "Facility",
      "origin": "53A_R5_CP-06a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-08",
      "ao_id": "BCD-08_A03",
      "objective": "the alternate storage site provides controls equivalent to that of the primary site.",
      "pptdf": "Facility",
      "origin": "53A_R5_CP-06b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-08",
      "ao_id": "BCD-08_A04",
      "objective": "the location or site of the facility where the system resides is planned considering physical and environmental hazards.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-08.1",
      "ao_id": "BCD-08.1_A01",
      "objective": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-06(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-08.2",
      "ao_id": "BCD-08.2_A01",
      "objective": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-06(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-08.2",
      "ao_id": "BCD-08.2_A02",
      "objective": "explicit mitigation actions to address identified accessibility problems are outlined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-06(03)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09",
      "ao_id": "BCD-09_A01",
      "objective": "system operations for essential mission and business functions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09",
      "ao_id": "BCD-09_A02",
      "objective": "time period consistent with recovery time and recovery point objectives is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09",
      "ao_id": "BCD-09_A03",
      "objective": "an alternate processing site, including necessary agreements to permit the transfer and resumption of system operations for essential mission and business functions, is established within an organization-defined time period when the primary processing capabilities are unavailable.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09",
      "ao_id": "BCD-09_A04",
      "objective": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within an organization-specified time period for transfer.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09",
      "ao_id": "BCD-09_A05",
      "objective": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within an organization-defined time period for resumption.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09",
      "ao_id": "BCD-09_A06",
      "objective": "controls provided at the alternate processing site are equivalent to those at the primary site.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09",
      "ao_id": "BCD-09_A07",
      "objective": "the location or site of the facility where the system resides is planned considering physical and environmental hazards.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09.1",
      "ao_id": "BCD-09.1_A01",
      "objective": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09.2",
      "ao_id": "BCD-09.2_A01",
      "objective": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07(02)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09.2",
      "ao_id": "BCD-09.2_A02",
      "objective": "explicit mitigation actions to address identified accessibility problems are outlined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09.3",
      "ao_id": "BCD-09.3_A01",
      "objective": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09.4",
      "ao_id": "BCD-09.4_A01",
      "objective": "the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09.5",
      "ao_id": "BCD-09.5_A01",
      "objective": "circumstances that preclude returning to the primary processing site are planned for.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07(06)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-09.5",
      "ao_id": "BCD-09.5_A02",
      "objective": "circumstances that preclude returning to the primary processing site are prepared for.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-07(06)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10",
      "ao_id": "BCD-10_A01",
      "objective": "alternative communications protocols in support of maintaining continuity of operations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-11_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10",
      "ao_id": "BCD-10_A02",
      "objective": "the capability to employ alternative communications protocols is provided in support of maintaining continuity of operations.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-11",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10",
      "ao_id": "BCD-10_A03",
      "objective": "system operations to be resumed for essential mission and business functions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10",
      "ao_id": "BCD-10_A04",
      "objective": "time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10",
      "ao_id": "BCD-10_A05",
      "objective": "alternate telecommunications services, including necessary agreements to permit the resumption of system operations, are established for essential mission and business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10",
      "ao_id": "BCD-10_A06",
      "objective": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-08(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.1",
      "ao_id": "BCD-10.1_A01",
      "objective": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08(01)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.1",
      "ao_id": "BCD-10.1_A02",
      "objective": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08(01)(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.1",
      "ao_id": "BCD-10.1_A03",
      "objective": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.2",
      "ao_id": "BCD-10.2_A01",
      "objective": "alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-08(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.3",
      "ao_id": "BCD-10.3_A01",
      "objective": "the frequency at which to obtain evidence of contingency testing by providers is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.3",
      "ao_id": "BCD-10.3_A02",
      "objective": "the frequency at which to obtain evidence of contingency training by providers is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08(04)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.3",
      "ao_id": "BCD-10.3_A03",
      "objective": "primary telecommunications service providers are required to have contingency plans.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-08(04)(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.3",
      "ao_id": "BCD-10.3_A04",
      "objective": "alternate telecommunications service providers are required to have contingency plans.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-08(04)(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.3",
      "ao_id": "BCD-10.3_A05",
      "objective": "provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08(04)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.3",
      "ao_id": "BCD-10.3_A06",
      "objective": "evidence of contingency testing by providers is obtained.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08(04)(c)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.3",
      "ao_id": "BCD-10.3_A07",
      "objective": "evidence of contingency training by providers is obtained.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-08(04)(c)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.4",
      "ao_id": "BCD-10.4_A01",
      "objective": "alternate communication paths for system operations and operational command and control are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-47_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-10.4",
      "ao_id": "BCD-10.4_A02",
      "objective": "alternate communication paths are established for system operations and operational command and control.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-47",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A01",
      "objective": "the confidentiality of backup sensitive / regulated data is protected at storage locations.",
      "pptdf": "Technology",
      "origin": "171A_3.8.9",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A02",
      "objective": "system components for which to conduct backups of user-level information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A03",
      "objective": "the frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "daily incremental; weekly full",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A04",
      "objective": "the frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "daily incremental; weekly full",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A05",
      "objective": "the frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "daily incremental; weekly full",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A06",
      "objective": "backups of user-level information contained in system components are conducted frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A07",
      "objective": "backups of system-level information contained in the system are conducted frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A08",
      "objective": "backups of system documentation, including security- and privacy-related documentation, are conducted frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A09",
      "objective": "the confidentiality of backup information is protected.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-09d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A10",
      "objective": "the integrity of backup information is protected.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-09d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11",
      "ao_id": "BCD-11_A11",
      "objective": "the availability of backup information is protected.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-09d.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.1",
      "ao_id": "BCD-11.1_A01",
      "objective": "the frequency at which to test backup information for media reliability is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.1",
      "ao_id": "BCD-11.1_A02",
      "objective": "the frequency at which to test backup information for information integrity is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.1",
      "ao_id": "BCD-11.1_A03",
      "objective": "backup information is tested frequently to verify media reliability.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(01)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.1",
      "ao_id": "BCD-11.1_A04",
      "objective": "backup information is tested frequently to verify information integrity.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.10",
      "ao_id": "BCD-11.10_A01",
      "objective": "Role Based Access Controls (RBAC) are utilized to logically restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.2",
      "ao_id": "BCD-11.2_A01",
      "objective": "critical system software and other security-related information backups to be stored in a separate facility are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.2",
      "ao_id": "BCD-11.2_A02",
      "objective": "backup copies of critical system software and other security-related information are stored in a separate facility or in a fire rated container that is not collocated with the operational system.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(03)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.3",
      "ao_id": "BCD-11.3_A01",
      "objective": "assets are reimaged from configuration-controlled images.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.3",
      "ao_id": "BCD-11.3_A02",
      "objective": "images that represent a secure, operational state are integrity-protected.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.4",
      "ao_id": "BCD-11.4_A01",
      "objective": "the confidentiality of backup information is protected.",
      "pptdf": "Technology",
      "origin": "171A_3.8.9\n171A_R3_A.03.08.09.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.4",
      "ao_id": "BCD-11.4_A02",
      "objective": "backup information to protect against unauthorized disclosure and modification is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(08)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.4",
      "ao_id": "BCD-11.4_A03",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of sensitive / regulated data at backup storage locations.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-09(08)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all backup files",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.4",
      "ao_id": "BCD-11.4_A04",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI at backup storage locations.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.09.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.5",
      "ao_id": "BCD-11.5_A01",
      "objective": "a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.6",
      "ao_id": "BCD-11.6_A01",
      "objective": "system backup information is transferred to the alternate storage site for an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(05)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.6",
      "ao_id": "BCD-11.6_A02",
      "objective": "time period consistent with recovery time and recovery point objectives is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(05)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.6",
      "ao_id": "BCD-11.6_A03",
      "objective": "transfer rate consistent with recovery time and recovery point objectives is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(05)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.6",
      "ao_id": "BCD-11.6_A04",
      "objective": "system backup information is transferred to the alternate storage site at an organization-defined transfer rate.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-09(05)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.7",
      "ao_id": "BCD-11.7_A01",
      "objective": "system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(06)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.7",
      "ao_id": "BCD-11.7_A02",
      "objective": "system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(06)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.8",
      "ao_id": "BCD-11.8_A01",
      "objective": "critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.1e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.8",
      "ao_id": "BCD-11.8_A02",
      "objective": "dual authorization is employed to execute critical or sensitive system and organizational operations.",
      "pptdf": "Process",
      "origin": "172A_3.1.1e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.8",
      "ao_id": "BCD-11.8_A03",
      "objective": "backup information for which to enforce dual authorization in order to delete or destroy is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-09(07)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.8",
      "ao_id": "BCD-11.8_A04",
      "objective": "dual authorization for the deletion or destruction of backup information is enforced.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-09(07)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.9",
      "ao_id": "BCD-11.9_A01",
      "objective": "Role Based Access Controls (RBAC) are utilized to logically restrict access to backups to privileged users with assigned roles for data backup and recovery operations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-11.9",
      "ao_id": "BCD-11.9_A02",
      "objective": "Physical Access Controls (PAC) are utilized to physically restrict access to backups to privileged users with assigned roles for data backup and recovery operations.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12",
      "ao_id": "BCD-12_A01",
      "objective": "secure baseline configurations exist for systems, applications and/or services to protect the confidentiality and integrity of data being stored, processed and/or transmitted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12",
      "ao_id": "BCD-12_A02",
      "objective": "systems, applications and/or services are securely recovered / reconstituted to a known, trusted state after a disruption, compromise or failure.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12.1",
      "ao_id": "BCD-12.1_A01",
      "objective": "transaction recovery is implemented for systems that are transaction-based.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-10(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12.2",
      "ao_id": "BCD-12.2_A01",
      "objective": "system components for which Mean Time to Failure (MTTF) should be determined are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-13_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12.2",
      "ao_id": "BCD-12.2_A02",
      "objective": "Mean Time to Failure (MTTF) is determined for system components in specific environments of operation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-13a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12.2",
      "ao_id": "BCD-12.2_A03",
      "objective": "Mean Time to Failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-13_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12.2",
      "ao_id": "BCD-12.2_A04",
      "objective": "substitute system components and a means to exchange active and standby components are provided in accordance with Mean Time to Failure (MTTF) substitution criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-13b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12.3",
      "ao_id": "BCD-12.3_A01",
      "objective": "electronic discovery (eDiscovery) capabilities cover current and archived communication transactions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12.4",
      "ao_id": "BCD-12.4_A01",
      "objective": "the capability to restore system components within organization-defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-10(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-12.4",
      "ao_id": "BCD-12.4_A02",
      "objective": "restoration time period within which to restore system components to a known, operational state is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-10(04)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-13",
      "ao_id": "BCD-13_A01",
      "objective": "system components used for recovery and reconstitution are protected.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-10(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-13.1",
      "ao_id": "BCD-13.1_A01",
      "objective": "methods to verify the integrity of backups and other restoration assets are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-13.1",
      "ao_id": "BCD-13.1_A02",
      "objective": "the integrity of backups and other restoration assets is verified, prior to using them for restoration.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-14",
      "ao_id": "BCD-14_A01",
      "objective": "the organization utilizes an isolated, non-production environment to perform data backups via offline, cloud or off-site capabilities.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-14",
      "ao_id": "BCD-14_A02",
      "objective": "the organization utilizes an isolated, non-production environment to perform recovery operations through offline, cloud or off-site capabilities.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-15",
      "ao_id": "BCD-15_A01",
      "objective": "systems and system components that are or may be hard to replace in a supply chain disruption are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-15",
      "ao_id": "BCD-15_A02",
      "objective": "resources are allocated to obtain identified hard-to-replace systems and system components for critical business functions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-15",
      "ao_id": "BCD-15_A03",
      "objective": "a pool of identified hard-to-replace systems and system components for critical business functions is maintained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-16",
      "ao_id": "BCD-16_A01",
      "objective": "an incident handling capability for incidents involving Artificial Intelligence (AI) and Autonomous Technologies (AAT) exists.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "BCD-16",
      "ao_id": "BCD-16_A02",
      "objective": "processes are in place to handle failures or incidents in third-party data or Artificial Intelligence (AI) and Autonomous Technologies (AAT) deemed to be high-risk.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-01",
      "ao_id": "CAP-01_A01",
      "objective": "resources to be allocated to protect the availability of resources are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-06_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-01",
      "ao_id": "CAP-01_A02",
      "objective": "controls to protect the availability of resources are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-06_ODP[02]\n53A_R5_SC-06_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-01",
      "ao_id": "CAP-01_A03",
      "objective": "the availability of resources is protected by allocating resources per organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-06",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-01",
      "ao_id": "CAP-01_A04",
      "objective": "capacity & performance planning operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-01",
      "ao_id": "CAP-01_A05",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support capacity & performance planning operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-01",
      "ao_id": "CAP-01_A06",
      "objective": "responsibility and authority for the performance of capacity & performance planning-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-01",
      "ao_id": "CAP-01_A07",
      "objective": "personnel performing capacity & performance planning-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-02",
      "ao_id": "CAP-02_A01",
      "objective": "types of denial-of-service events to be protected against or limited are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-05_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-02",
      "ao_id": "CAP-02_A02",
      "objective": "controls by type of denial-of-service event are employed to achieve the denial-of-service protection objective.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-05b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-02",
      "ao_id": "CAP-02_A03",
      "objective": "resource prioritization is designed to limit negative effects of denial-of-service events.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-05_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-02",
      "ao_id": "CAP-02_A04",
      "objective": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-05_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-02",
      "ao_id": "CAP-02_A05",
      "objective": "the effects of types of denial-of-service events are organizationally-defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-05a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-03",
      "ao_id": "CAP-03_A01",
      "objective": "capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(02)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-03",
      "ao_id": "CAP-03_A02",
      "objective": "capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-03",
      "ao_id": "CAP-03_A03",
      "objective": "capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-02(02)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-04",
      "ao_id": "CAP-04_A01",
      "objective": "the operating state and health status of critical systems, applications and services is centrally-monitored.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-05",
      "ao_id": "CAP-05_A01",
      "objective": "resources needing dynamic expansion (e.g., elasticity) are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-05",
      "ao_id": "CAP-05_A02",
      "objective": "applicable services are configured to dynamically expand the resources available for services, as demand conditions change.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-06",
      "ao_id": "CAP-06_A01",
      "objective": "business processes requiring regional delivery of technological services are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CAP-06",
      "ao_id": "CAP-06_A02",
      "objective": "applicable services are configured to support geographically dispersed business processes requiring regional delivery of technological services.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A01",
      "objective": "the scope for the configuration management plan is organization-wide.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-01_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A02",
      "objective": "the types of changes to the system that are configuration-controlled are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.03.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A03",
      "objective": "a configuration management plan for systems, applications and services is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A04",
      "objective": "a configuration management plan for systems, applications and services is implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A05",
      "objective": "the current configuration management policy is reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-01c.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A06",
      "objective": "the current configuration management policy is reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-01c.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A07",
      "objective": "personnel or roles to review and approve the configuration management plan is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A08",
      "objective": "the configuration management plan addresses roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A09",
      "objective": "the configuration management plan addresses responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A10",
      "objective": "the configuration management plan addresses configuration management processes and procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A11",
      "objective": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A12",
      "objective": "the configuration management plan establishes a process for managing the configuration of the configuration items.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A13",
      "objective": "the configuration management plan defines the configuration items for the system.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A14",
      "objective": "the configuration management plan places the configuration items under configuration management.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A15",
      "objective": "the configuration management plan is reviewed and approved by organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A16",
      "objective": "the configuration management plan is protected from unauthorized disclosure.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09e.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A17",
      "objective": "the configuration management plan is protected from unauthorized modification.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-09e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A18",
      "objective": "configuration management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A19",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support configuration management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A20",
      "objective": "responsibility and authority for the performance of configuration management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01",
      "ao_id": "CFG-01_A21",
      "objective": "personnel performing configuration management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-01.1",
      "ao_id": "CFG-01.1_A01",
      "objective": "the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development.",
      "pptdf": "People",
      "origin": "53A_R5_CM-09(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A01",
      "objective": "a current baseline configuration for systems, applications and services is developed and documented.",
      "pptdf": "Process",
      "origin": "171A_3.4.1[a]\n171A_3.4.2[a]\n53A_R5_CM-02a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A02",
      "objective": "the baseline configuration includes hardware, software, firmware and documentation.",
      "pptdf": "Technology",
      "origin": "171A_3.4.1[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A03",
      "objective": "security configuration settings for information technology products employed in the system are enforced.",
      "pptdf": "Technology",
      "origin": "171A_3.4.2[b]\n53A_R5_CM-06b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A04",
      "objective": "the baseline configuration is maintained (reviewed / updated) throughout the system development life cycle under configuration control.",
      "pptdf": "Process",
      "origin": "171A_3.4.1[c]\n53A_R5_CM-02a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A05",
      "objective": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using organization-defined common secure configurations.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A06",
      "objective": "thresholds to which attack surfaces are to be reduced are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(05)_ODP",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A07",
      "objective": "the developer of the system, system component or system service is required to reduce attack surfaces to organization-defined thresholds.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(05)",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A08",
      "objective": "a control baseline for the system is selected.",
      "pptdf": "Technology",
      "origin": "53A_R5_PL-10",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A09",
      "objective": "approved authorizations are enforced for controlling the flow of CUI within the system.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.03[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A10",
      "objective": "configuration requirements are established for each type of wireless access to the system.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.16.a[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A11",
      "objective": "wireless networking capabilities not intended for use are disabled prior to issuance and deployment.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.16.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A12",
      "objective": "configuration requirements are established for mobile devices.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.18.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A13",
      "objective": "audit logging tools are protected from unauthorized access, modification, and deletion.",
      "pptdf": "Technology",
      "origin": "171A_3.3.8[d]\n171A_3.3.8[e]\n171A_3.3.8[f]\n171A_R3_A.03.03.08.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A14",
      "objective": "a current baseline configuration of the system is developed.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.01.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A15",
      "objective": "a current baseline configuration of the system is maintained under configuration control.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.01.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A16",
      "objective": "the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are established and documented: <A.03.04.02.ODP[01]: configuration settings>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.02.a[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Apply the appropriate use of common security configurations available from the National Institute of Standards and Technology’s National Checklist Program (NCP) website (https://ncp.nist.gov/repository) and prevent remote devices from simultaneously establishing nonremote connections with organizational systems and communicating via some other unauthorized connection to resources in external networks. Document any deviations from the published standard or source document.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A17",
      "objective": "the following configuration settings for the system are implemented: <A.03.04.02.ODP[01]: configuration settings>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.02.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Apply the appropriate use of common security configurations available from the National Institute of Standards and Technology’s National Checklist Program (NCP) website (https://ncp.nist.gov/repository) and prevent remote devices from simultaneously establishing nonremote connections with organizational systems and communicating via some other unauthorized connection to resources in external networks. Document any deviations from the published standard or source document.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A18",
      "objective": "functions to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.06.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A19",
      "objective": "ports to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.06.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A20",
      "objective": "protocols to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.06.ODP[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A21",
      "objective": "connections to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.06.ODP[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A22",
      "objective": "services to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.06.ODP[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A23",
      "objective": "the use of the following functions is prohibited or restricted: <A.03.04.06.ODP[01]: functions>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.06.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: Where feasible, organizations should limit component functionality to a single function per component. Organizations should consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations should employ network scanning tools, intrusion detection and prevention systems, and endpoint protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality should also be achieved as part of the fundamental design and development of the system.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A24",
      "objective": "the use of the following ports is prohibited or restricted: <A.03.04.06.ODP[02]: ports>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.06.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: Where feasible, organizations should limit component functionality to a single function per component. Organizations should consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations should employ network scanning tools, intrusion detection and prevention systems, and endpoint protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality should also be achieved as part of the fundamental design and development of the system.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A25",
      "objective": "the use of the following protocols is prohibited or restricted: <A.03.04.06.ODP[03]: protocols>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.06.b[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: Where feasible, organizations should limit component functionality to a single function per component. Organizations should consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations should employ network scanning tools, intrusion detection and prevention systems, and endpoint protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality should also be achieved as part of the fundamental design and development of the system.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A26",
      "objective": "the use of the following connections is prohibited or restricted: <A.03.04.06.ODP[04]: connections>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.06.b[04]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: Where feasible, organizations should limit component functionality to a single function per component. Organizations should consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations should employ network scanning tools, intrusion detection and prevention systems, and endpoint protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality should also be achieved as part of the fundamental design and development of the system.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A27",
      "objective": "the use of the following services is prohibited or restricted: <A.03.04.06.ODP[05]: services>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.06.b[05]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: Where feasible, organizations should limit component functionality to a single function per component. Organizations should consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations should employ network scanning tools, intrusion detection and prevention systems, and endpoint protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality should also be achieved as part of the fundamental design and development of the system.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A28",
      "objective": "replay-resistant authentication mechanisms for access to privileged accounts are implemented.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.04[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A29",
      "objective": "replay-resistant authentication mechanisms for access to non-privileged accounts are implemented.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.04[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A30",
      "objective": "passwords are only transmitted over cryptographically protected channels.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A31",
      "objective": "passwords are stored in a cryptographically protected form.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A32",
      "objective": "a new password is selected upon first use after account recovery.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.e",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A33",
      "objective": "organization-defined composition and complexity rules for passwords are enforced.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A34",
      "objective": "replay resistance is implemented in the establishment of nonlocal maintenance and diagnostic sessions.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.07.05.b[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02",
      "ao_id": "CFG-02_A35",
      "objective": "the following composition and complexity rules for passwords are enforced: <A.03.05.07.ODP[02]: rules>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.f",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values:\n(1) Must have a minimum length of 16 characters.\n(2) Contains a string of characters that does not include the user’s account name or full name.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A01",
      "objective": "the circumstances requiring baseline configuration review / update are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-02_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A02",
      "objective": "the baseline configuration of the system is reviewed / updated when required due to organization-defined circumstances.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-02b.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually and when a significant change occurs",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A03",
      "objective": "the frequency of baseline configuration review / update is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.01.ODP[01]\n53A_R5_CM-02_ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A04",
      "objective": "the baseline configuration of the system is reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-02b.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually and when a significant change occurs",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A05",
      "objective": "the baseline configuration of the system is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "when a significant change occurs",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A06",
      "objective": "the baseline configuration of the system is reviewed when system components are installed or modified.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.01.b[03]\n53A_R5_CM-02b.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A07",
      "objective": "the baseline configuration of the system is updated when system components are installed or modified.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.01.b[04]\n53A_R5_CM-02b.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A08",
      "objective": "the system is reviewed <A.03.04.06.ODP[06]: frequency> to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.06.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, when any system functions, ports, protocols, or services changes are made, and after any significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A09",
      "objective": "the baseline configuration of the system is reviewed <A.03.04.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.01.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months and after any significant incidents or significant changes occur",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.1",
      "ao_id": "CFG-02.1_A10",
      "objective": "the baseline configuration of the system is updated <A.03.04.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.01.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months and after any significant incidents or significant changes occur",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.2",
      "ao_id": "CFG-02.2_A01",
      "objective": "system components for which to manage, apply and verify configuration settings are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06(01)_ODP[01]\n53A_R5_CM-06(01)_ODP[03]\n53A_R5_CM-06(01)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.2",
      "ao_id": "CFG-02.2_A02",
      "objective": "automated discovery and management tools are employed to maintain an up-to-date, complete, accurate and readily available inventory of system components.",
      "pptdf": "Technology",
      "origin": "172A_3.4.3e[c]\n53A_R5_CM-02(02)[03]\n53A_R5_CM-02(02)[04]\n53A_R5_CM-06(01)[01]\n53A_R5_CM-06(01)[02]\n53A_R5_CM-06(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.2",
      "ao_id": "CFG-02.2_A03",
      "objective": "automated discovery and management tools for the inventory of system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.4.3e[a]\n53A_R5_CM-02(02)_ODP\n53A_R5_CM-06(01)_ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.2",
      "ao_id": "CFG-02.2_A04",
      "objective": "an up-to-date, complete, accurate and readily available inventory of system components exists.",
      "pptdf": "Technology",
      "origin": "172A_3.4.3e[b]\n53A_R5_CM-02(02)[01]\n53A_R5_CM-02(02)[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.2",
      "ao_id": "CFG-02.2_A05",
      "objective": "activities associated with configuration-controlled changes to the system are monitored.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.03.d[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.2",
      "ao_id": "CFG-02.2_A06",
      "objective": "activities associated with configuration-controlled changes to the system are reviewed.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.03.d[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.3",
      "ao_id": "CFG-02.3_A01",
      "objective": "the number of previous baseline configuration versions to be retained is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-02(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.3",
      "ao_id": "CFG-02.3_A02",
      "objective": "organization-defined number of previous baseline configuration version(s) of the system is/are retained to support rollback.",
      "pptdf": "Data",
      "origin": "53A_R5_CM-02(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.4",
      "ao_id": "CFG-02.4_A01",
      "objective": "a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-02(06)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.4",
      "ao_id": "CFG-02.4_A02",
      "objective": "a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-02(06)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.5",
      "ao_id": "CFG-02.5_A01",
      "objective": "security requirements to be applied to the system or system components when individuals return from travel are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-02(07)_ODP[01]\n171A_R3_A.03.04.12.ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.5",
      "ao_id": "CFG-02.5_A02",
      "objective": "organization-defined systems or system components with organization-defined configurations are issued to individuals traveling to locations that the organization deems to be of significant risk.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-02(07)(a)\n53A_R5_CM-02(07)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.5",
      "ao_id": "CFG-02.5_A03",
      "objective": "organization-defined controls are applied to the systems or system components when the individuals return from travel.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-02(07)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.5",
      "ao_id": "CFG-02.5_A04",
      "objective": "configurations for systems or system components to be issued to individuals traveling to high-risk locations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-02(07)_ODP[02]\n172A_3.14.3e_ODP[1]\n172A_3.14.3e[a]\n172A_3.14.3e[b]\n171A_R3_A.03.04.12.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.6",
      "ao_id": "CFG-02.6_A01",
      "objective": "network devices are configured to synchronize startup and running configuration files.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.7",
      "ao_id": "CFG-02.7_A01",
      "objective": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using common secure configurations.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-06a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.7",
      "ao_id": "CFG-02.7_A02",
      "objective": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-06d.[02]\n53A_R5_CM-06b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.7",
      "ao_id": "CFG-02.7_A03",
      "objective": "any deviations from established configuration settings are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06c.[01]\n171A_R3_A.03.04.02.b[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.7",
      "ao_id": "CFG-02.7_A04",
      "objective": "any deviations from established configuration settings are approved.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06c.[02]\n171A_R3_A.03.04.02.b[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.7",
      "ao_id": "CFG-02.7_A05",
      "objective": "common secure configurations to establish and document configuration settings for components employed within the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06_ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.7",
      "ao_id": "CFG-02.7_A06",
      "objective": "system components for which approval of deviations is needed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.7",
      "ao_id": "CFG-02.7_A07",
      "objective": "operational requirements necessitating approval of deviations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.7",
      "ao_id": "CFG-02.7_A08",
      "objective": "changes to the configuration settings are monitored in accordance with organizational policies and procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.8",
      "ao_id": "CFG-02.8_A01",
      "objective": "actions to be taken upon an unauthorized change are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.8",
      "ao_id": "CFG-02.8_A02",
      "objective": "organization-defined actions are taken in response to unauthorized changes to organization-defined configuration settings.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.8",
      "ao_id": "CFG-02.8_A03",
      "objective": "configuration settings requiring action upon an unauthorized change are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-06(02)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.9",
      "ao_id": "CFG-02.9_A01",
      "objective": "the selected control baseline is tailored by applying specified tailoring actions.",
      "pptdf": "Technology",
      "origin": "53A_R5_PL-11",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-02.9",
      "ao_id": "CFG-02.9_A02",
      "objective": "additional information for audit records is provided, as needed.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.02.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A01",
      "objective": "configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are defined (e.g., principle of least functionality).",
      "pptdf": "Process",
      "origin": "171A_3.4.6[a]\n53A_R5_CM-07_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A02",
      "objective": "systems are configured to provide only the defined essential capabilities, where unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed.",
      "pptdf": "Technology",
      "origin": "171A_3.4.6[b]\n53A_R5_CM-07a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A03",
      "objective": "functions to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07_ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A04",
      "objective": "ports to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07_ODP[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A05",
      "objective": "protocols to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07_ODP[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A06",
      "objective": "software to be prohibited or restricted is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07_ODP[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A07",
      "objective": "services to be prohibited or restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07_ODP[06]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A08",
      "objective": "the use of organization-defined functions is prohibited or restricted.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07b.[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A09",
      "objective": "the use of organization-defined ports is prohibited or restricted.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07b.[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A10",
      "objective": "the use of organization-defined protocols is prohibited or restricted.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07b.[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A11",
      "objective": "the use of organization-defined software is prohibited or restricted.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07b.[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A12",
      "objective": "the use of organization-defined services is prohibited or restricted.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07b.[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A13",
      "objective": "configuration settings for the system reflect the most restrictive mode consistent with operational requirements are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.02.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03",
      "ao_id": "CFG-03_A14",
      "objective": "unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.06.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A01",
      "objective": "the frequency at which to review the system to identify unnecessary or nonsecure functions, ports, protocols, connections, or services is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(01)(a)\n53A_R5_CM-07(01)_ODP[01]\n171A_R3_A.03.04.06.ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least quarterly or when there is a change",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A02",
      "objective": "organization-defined functions, ports, protocols, software and services deemed to be unnecessary and/or non-secure are disabled or removed.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07(01)(b)[01]\n53A_R5_CM-07(01)(b)[02]\n53A_R5_CM-07(01)(b)[03]\n53A_R5_CM-07(01)(b)[04]\n53A_R5_CM-07(01)(b)[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A03",
      "objective": "essential programs are defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A04",
      "objective": "essential functions are defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A05",
      "objective": "essential ports are defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[g]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A06",
      "objective": "essential protocols are defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[j]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A07",
      "objective": "essential services are defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[m]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A08",
      "objective": "the use of nonessential programs is defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A09",
      "objective": "the use of nonessential programs is restricted, disabled or prevented as defined.",
      "pptdf": "Technology",
      "origin": "171A_3.4.7[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A10",
      "objective": "the use of nonessential functions is defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[e]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A11",
      "objective": "the use of nonessential functions is restricted, disabled or prevented as defined.",
      "pptdf": "Technology",
      "origin": "171A_3.4.7[f]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A12",
      "objective": "the use of nonessential ports is defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[h]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A13",
      "objective": "the use of nonessential protocols is defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[k]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A14",
      "objective": "the use of nonessential ports is restricted, disabled or prevented as defined.",
      "pptdf": "Technology",
      "origin": "171A_3.4.7[i]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A15",
      "objective": "the use of nonessential protocols is restricted, disabled or prevented as defined.",
      "pptdf": "Technology",
      "origin": "171A_3.4.7[l]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A16",
      "objective": "the use of nonessential services is defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.7[n]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A17",
      "objective": "the use of nonessential services is restricted, disabled or prevented as defined.",
      "pptdf": "Technology",
      "origin": "171A_3.4.7[o]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A18",
      "objective": "functions to be disabled or removed when deemed unnecessary or non-secure are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A19",
      "objective": "ports to be disabled or removed when deemed unnecessary or non-secure are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(01)_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A20",
      "objective": "protocols to be disabled or removed when deemed unnecessary or non-secure are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(01)_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A21",
      "objective": "software to be disabled or removed when deemed unnecessary or non-secure is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(01)_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.1",
      "ao_id": "CFG-03.1_A22",
      "objective": "services to be disabled or removed when deemed unnecessary or non-secure are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(01)_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.2",
      "ao_id": "CFG-03.2_A01",
      "objective": "policies, rules of behavior, and/or access agreements regarding unauthorized software program usage and restrictions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(02)_ODP[01]\n53A_R5_CM-07(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.2",
      "ao_id": "CFG-03.2_A02",
      "objective": "program execution is prevented in accordance with organization-defined criteria (e.g., policies, rules of behavior, and/or access agreements).",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07(02)\n53A_R5_CM-07(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A01",
      "objective": "a policy and/or process specifying whether whitelisting or blacklisting is to be implemented is specified.",
      "pptdf": "Process",
      "origin": "171A_3.4.8[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A02",
      "objective": "the software allowed to execute under whitelisting or denied use under blacklisting is specified.",
      "pptdf": "Technology",
      "origin": "171A_3.4.8[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A03",
      "objective": "whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.",
      "pptdf": "Technology",
      "origin": "171A_3.4.8[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A04",
      "objective": "registration requirements for functions, ports, protocols and services are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(03)_ODP",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A05",
      "objective": "an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07(04)(b)",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A06",
      "objective": "the list of unauthorized software programs is reviewed / updated organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(04)(c)",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least quarterly or when there is a change",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A07",
      "objective": "organization-defined registration requirements are complied with.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07(03)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A08",
      "objective": "software programs not authorized to execute on the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(04)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A09",
      "objective": "frequency at which to review / update the list of unauthorized software programs is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(04)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least quarterly or when there is a change",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A10",
      "objective": "organization-defined software programs are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(04)(a)\n53A_R5_CM-07(05)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A11",
      "objective": "software programs authorized to execute on the system are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(05)_ODP[01]\n171A_R3_A.03.04.08.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A12",
      "objective": "the frequency at which to review and update the list of authorized software programs is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(05)_ODP[02]\n171A_R3_A.03.04.08.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least quarterly or when there is a change",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A13",
      "objective": "a deny-all, allow-by-exception policy for the execution of authorized software programs on the system is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07(05)(b)\n171A_R3_A.03.04.08.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A14",
      "objective": "the list of authorized software programs is reviewed / updated at an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(05)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least quarterly or when there is a change",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A15",
      "objective": "the automatic execution of mobile code in organization-defined software applications is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18(04)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A16",
      "objective": "organization-defined actions are enforced prior to executing mobile code.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18(04)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.3",
      "ao_id": "CFG-03.3_A17",
      "objective": "the use of mobile code is controlled.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.13.b[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.4",
      "ao_id": "CFG-03.4_A01",
      "objective": "safeguards to securely provision split tunneling are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(07)_ODP",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-03.4",
      "ao_id": "CFG-03.4_A02",
      "objective": "remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (e.g., split tunneling).",
      "pptdf": "Technology",
      "origin": "171A_3.13.7\n53A_R5_SC-07(07)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04",
      "ao_id": "CFG-04_A01",
      "objective": "software and associated documentation are used in accordance with contract agreements and copyright laws.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-10a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04",
      "ao_id": "CFG-04_A02",
      "objective": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-10b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04",
      "ao_id": "CFG-04_A03",
      "objective": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance or reproduction of copyrighted work.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-10c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04.1",
      "ao_id": "CFG-04.1_A01",
      "objective": "restrictions on the use of open-source software are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-10(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04.1",
      "ao_id": "CFG-04.1_A02",
      "objective": "organization-defined restrictions are established for the use of open-source software.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-10(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04.2",
      "ao_id": "CFG-04.2_A01",
      "objective": "security configuration settings for authorized Internet browsers are established.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04.2",
      "ao_id": "CFG-04.2_A02",
      "objective": "security configuration settings for authorized email clients are established.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04.2",
      "ao_id": "CFG-04.2_A03",
      "objective": "users are prevented from installing unauthorized Internet browsers and/or email clients through technical and/or administrative mechanisms.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-04.2",
      "ao_id": "CFG-04.2_A04",
      "objective": "unauthorized Internet browsers and/or email clients are responded to as a security incident, per established incident response procedures.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05",
      "ao_id": "CFG-05_A01",
      "objective": "policies governing the installation of software by users are defined.",
      "pptdf": "Process",
      "origin": "171A_3.4.9[b]\n53A_R5_CM-11_ODP[01]\n53A_R5_CM-11a.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05",
      "ao_id": "CFG-05_A02",
      "objective": "methods used to enforce software installation policies are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-11_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05",
      "ao_id": "CFG-05_A03",
      "objective": "software installation policies are enforced through organization-defined methods.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-11b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05",
      "ao_id": "CFG-05_A04",
      "objective": "installation of software by users is monitored.",
      "pptdf": "Technology",
      "origin": "171A_3.4.9[c]\n53A_R5_CM-11_ODP[03]\n53A_R5_CM-11c.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "Continuously",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05",
      "ao_id": "CFG-05_A05",
      "objective": "configuration settings prevent the ability of non-privileged users to install unauthorized software.",
      "pptdf": "Technology",
      "origin": "171A_3.4.9[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05.1",
      "ao_id": "CFG-05.1_A01",
      "objective": "compliance with software installation policies is enforced using organization-defined automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-11(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05.1",
      "ao_id": "CFG-05.1_A02",
      "objective": "the frequency at which automated mechanisms are used to detect the presence of unauthorized hardware, software and/or firmware within the system is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "automated mechanisms with a maximum five-minute delay in detection",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05.1",
      "ao_id": "CFG-05.1_A03",
      "objective": "automated mechanisms used to monitor compliance are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-11(03)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-05.2",
      "ao_id": "CFG-05.2_A01",
      "objective": "user installation of software is allowed only with explicit privileged status.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-11(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-06",
      "ao_id": "CFG-06_A01",
      "objective": "the circumstances under which changes are to be prevented or restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(08)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-06",
      "ao_id": "CFG-06_A02",
      "objective": "changes to the configuration of the system are prevented or restricted under organization-defined circumstances.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-03(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-06",
      "ao_id": "CFG-06_A03",
      "objective": "automated mechanisms used to enforce configuration enforcement are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-11(03)_ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-06",
      "ao_id": "CFG-06_A04",
      "objective": "automated mechanisms used to monitor configuration enforcement are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-11(03)_ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-06",
      "ao_id": "CFG-06_A05",
      "objective": "compliance with software installation policies is enforced using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-11(03)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-06",
      "ao_id": "CFG-06_A06",
      "objective": "compliance with software installation policies is monitored using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-11(03)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-06.1",
      "ao_id": "CFG-06.1_A01",
      "objective": "unauthorized deviations from an approved baseline are identified and automated resiliency actions are implemented to remediate the unauthorized change.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-07",
      "ao_id": "CFG-07_A01",
      "objective": "automated mechanisms used to perform Zero-Touch Provisioning (ZTP) are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-07",
      "ao_id": "CFG-07_A02",
      "objective": "an automated mechanism performs Zero-Touch Provisioning (ZTP) to deploy secure baseline configurations upon devices being added to a network.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-08",
      "ao_id": "CFG-08_A01",
      "objective": "information types requiring restricted access to data repositories are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(11)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-08",
      "ao_id": "CFG-08_A02",
      "objective": "access to data repositories containing organization-defined information types is restricted.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-03(11)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-08",
      "ao_id": "CFG-08_A03",
      "objective": "approved authorizations for logical access to CUI are enforced in accordance with applicable access control policies.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.02[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CFG-08.1",
      "ao_id": "CFG-08.1_A01",
      "objective": "an automated mechanism generates event logs whenever sensitive / regulated data is collected, created, updated, deleted and/or archived.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A01",
      "objective": "configuration change control activities are coordinated and overseen by the organization-defined configuration change control element.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-03g.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A02",
      "objective": "configuration change decisions associated with the system are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A03",
      "objective": "approved configuration-controlled changes to the system are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03d.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A04",
      "objective": "the time period to retain records of configuration-controlled changes is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A05",
      "objective": "proposed configuration-controlled changes to the system are reviewed.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A06",
      "objective": "the configuration change control element responsible for coordinating and overseeing change control activities is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A07",
      "objective": "the frequency at which the configuration control element convenes is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03_ODP[03]\n53A_R5_CM-03_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A08",
      "objective": "configuration change conditions that prompt the configuration control element to convene are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A09",
      "objective": "the types of changes to the system that are configuration-controlled are determined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A10",
      "objective": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for cybersecurity / data privacy impact analyses.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A11",
      "objective": "records of configuration-controlled changes to the system are retained for an organization-defined time period.",
      "pptdf": "Data",
      "origin": "53A_R5_CM-03e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A12",
      "objective": "activities associated with configuration-controlled changes to the system are monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03f.[01]\n171A_R3_A.03.04.03.d[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A13",
      "objective": "activities associated with configuration-controlled changes to the system are reviewed.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03f.[02]\n171A_R3_A.03.04.03.d[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A14",
      "objective": "the configuration control element convenes in accordance with organization-defined criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-03g.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A15",
      "objective": "change management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A16",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support change management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A17",
      "objective": "responsibility and authority for the performance of change management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-01",
      "ao_id": "CHG-01_A18",
      "objective": "personnel performing change management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02",
      "ao_id": "CHG-02_A01",
      "objective": "changes to the system are reviewed.",
      "pptdf": "Process",
      "origin": "171A_3.4.3[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02",
      "ao_id": "CHG-02_A02",
      "objective": "changes to the system are approved or disapproved.",
      "pptdf": "Process",
      "origin": "171A_3.4.3[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02",
      "ao_id": "CHG-02_A03",
      "objective": "approved configuration-controlled changes to the system are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.03.c[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02",
      "ao_id": "CHG-02_A04",
      "objective": "changes to the system are logged.",
      "pptdf": "Process",
      "origin": "171A_3.4.3[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02",
      "ao_id": "CHG-02_A05",
      "objective": "changes to the system are tracked.",
      "pptdf": "Process",
      "origin": "171A_3.4.3[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02",
      "ao_id": "CHG-02_A06",
      "objective": "the types of changes to the system that are configuration-controlled are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.03.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A01",
      "objective": "mechanisms used to automate configuration change control are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A02",
      "objective": "organization-defined automated mechanisms are used to prohibit changes to the system until designated approvals are received.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)(d)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A03",
      "objective": "approval authorities to be notified of and request approval for proposed changes to the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A04",
      "objective": "the time period after which to highlight changes that have not been approved or disapproved is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A05",
      "objective": "personnel to be notified when approved changes are complete is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A06",
      "objective": "organization-defined automated mechanisms are used to document proposed changes to the system.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A07",
      "objective": "organization-defined automated mechanisms are used to notify organization-defined approval authorities of proposed changes to the system and request change approval.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A08",
      "objective": "organization-defined automated mechanisms are used to highlight proposed changes to the system that have not been approved or disapproved within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A09",
      "objective": "organization-defined automated mechanisms are used to document all changes to the system.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)(e)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A10",
      "objective": "organization-defined automated mechanisms are used to notify organization-defined personnel when approved changes to the system are completed.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(01)(f)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A11",
      "objective": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security impacts.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.03.b[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.1",
      "ao_id": "CHG-02.1_A12",
      "objective": "logical access restrictions associated with changes to the system are approved.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.05[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A01",
      "objective": "changes to the system are tested before finalizing the implementation of the changes.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(02)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A02",
      "objective": "changes to the system are validated before finalizing the implementation of the changes.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(02)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A03",
      "objective": "changes to the system are documented before finalizing the implementation of the changes.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(02)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A04",
      "objective": "the frequency at which changes are to be reviewed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(07)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A05",
      "objective": "the circumstances under which changes are to be reviewed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(07)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A06",
      "objective": "changes to the system are reviewed at an organization-defined frequency or when organization-defined circumstances occur to determine whether unauthorized changes have occurred.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(07)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A07",
      "objective": "systems or system components that implement the security design principle of secure system modification are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(31)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A08",
      "objective": "systems or system components implement the security design principle of secure system modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-08(31)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.2",
      "ao_id": "CHG-02.2_A09",
      "objective": "approved configuration-controlled changes to the system are documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.03.c[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.3",
      "ao_id": "CHG-02.3_A01",
      "objective": "the configuration change control element of which the cybersecurity / data privacy representatives are to be members is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(04)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "Configuration Control Board (CCB) or similar function",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.3",
      "ao_id": "CHG-02.3_A02",
      "objective": "security representatives required to be members of the change control element are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(04)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.3",
      "ao_id": "CHG-02.3_A03",
      "objective": "privacy representatives required to be members of the change control element are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(04)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.3",
      "ao_id": "CHG-02.3_A04",
      "objective": "organization-defined security representatives are required to be members of the organization-defined configuration change control element.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(04)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.3",
      "ao_id": "CHG-02.3_A05",
      "objective": "organization-defined privacy representatives are required to be members of the organization-defined configuration change control element.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(04)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.4",
      "ao_id": "CHG-02.4_A01",
      "objective": "security responses to be automatically implemented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.4",
      "ao_id": "CHG-02.4_A02",
      "objective": "organization-defined security responses are automatically implemented if baseline configurations are changed in an unauthorized manner.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.4",
      "ao_id": "CHG-02.4_A03",
      "objective": "automated mechanisms place misconfigured or unauthorized system components in a quarantine or remediation network.",
      "pptdf": "Technology",
      "origin": "172A_3.4.2e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.4",
      "ao_id": "CHG-02.4_A04",
      "objective": "automated mechanisms to detect misconfigured or unauthorized system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.4.2e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.4",
      "ao_id": "CHG-02.4_A05",
      "objective": "automated mechanisms are employed to detect misconfigured or unauthorized system components.",
      "pptdf": "Technology",
      "origin": "172A_3.4.2e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.4",
      "ao_id": "CHG-02.4_A06",
      "objective": "misconfigured or unauthorized system components are detected.",
      "pptdf": "Technology",
      "origin": "172A_3.4.2e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.4",
      "ao_id": "CHG-02.4_A07",
      "objective": "after detection, system components are removed and/or placed in a quarantine or remediation network to facilitate patching, re-configuration or other mitigations.",
      "pptdf": "Process",
      "origin": "172A_3.4.2e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.5",
      "ao_id": "CHG-02.5_A01",
      "objective": "controls provided by cryptographic mechanisms that are to be under configuration management are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-03(06)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-02.5",
      "ao_id": "CHG-02.5_A02",
      "objective": "cryptographic mechanisms used to provide organization-defined controls are under configuration management.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-03(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-03",
      "ao_id": "CHG-03_A01",
      "objective": "proposed configuration-controlled changes to the system are reviewed with explicit consideration for security impacts.",
      "pptdf": "Process",
      "origin": "171A_3.4.4\n171A_R3_A.03.04.03.b[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-03",
      "ao_id": "CHG-03_A02",
      "objective": "changes to the system are analyzed to determine potential security impacts prior to change implementation.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04[01]\n171A_R3_A.03.04.04.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-03",
      "ao_id": "CHG-03_A03",
      "objective": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04",
      "ao_id": "CHG-04_A01",
      "objective": "logical access restrictions associated with changes to the system are defined and documented.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[e]\n171A_3.4.5[f]\n53A_R5_CM-05[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04",
      "ao_id": "CHG-04_A02",
      "objective": "logical access restrictions associated with changes to the system are enforced.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[h]\n53A_R5_CM-05[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04",
      "ao_id": "CHG-04_A03",
      "objective": "logical access restrictions associated with changes to the system are approved.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[g]\n53A_R5_CM-05[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04",
      "ao_id": "CHG-04_A04",
      "objective": "physical access restrictions associated with changes to the system are defined and documented.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[a]\n171A_3.4.5[b]\n53A_R5_CM-05[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04",
      "ao_id": "CHG-04_A05",
      "objective": "physical access restrictions associated with changes to the system are approved.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[c]\n53A_R5_CM-05[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04",
      "ao_id": "CHG-04_A06",
      "objective": "physical access restrictions associated with changes to the system are enforced.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[d]\n53A_R5_CM-05[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.1",
      "ao_id": "CHG-04.1_A01",
      "objective": "mechanisms used to automate the enforcement of access restrictions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-05(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.1",
      "ao_id": "CHG-04.1_A02",
      "objective": "access restrictions for change are enforced using organization-defined automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-05(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.1",
      "ao_id": "CHG-04.1_A03",
      "objective": "audit records of enforcement actions are automatically generated.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-05(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.2",
      "ao_id": "CHG-04.2_A01",
      "objective": "software or firmware components requiring verification of a digitally signed certificate before installation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-14_ODP[01]\n53A_R5_CM-14_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.2",
      "ao_id": "CHG-04.2_A02",
      "objective": "the installation of software or firmware components is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-14[01]\n53A_R5_CM-14[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.2",
      "ao_id": "CHG-04.2_A03",
      "objective": "software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(15)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.2",
      "ao_id": "CHG-04.2_A04",
      "objective": "cryptographic mechanisms are implemented to authenticate software or firmware components prior to installation.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(15)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.3",
      "ao_id": "CHG-04.3_A01",
      "objective": "critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.1e[a]\n53A_R5_CM-05(04)_ODP[01]\n53A_R5_CM-05(04)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.3",
      "ao_id": "CHG-04.3_A02",
      "objective": "dual authorization is employed to execute critical or sensitive system and organizational operations.",
      "pptdf": "Technology",
      "origin": "172A_3.1.1e[b]\n53A_R5_CM-05(04)[01]\n53A_R5_CM-05(04)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.4",
      "ao_id": "CHG-04.4_A01",
      "objective": "privileges to change system components within a production or operational environment are limited.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-05(05)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.4",
      "ao_id": "CHG-04.4_A02",
      "objective": "logical access restrictions associated with changes to the system are enforced.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.05[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.4",
      "ao_id": "CHG-04.4_A03",
      "objective": "the frequency at which to review privileges is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-05(05)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.4",
      "ao_id": "CHG-04.4_A04",
      "objective": "the frequency at which to reevaluate privileges is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-05(05)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.4",
      "ao_id": "CHG-04.4_A05",
      "objective": "privileges to change system-related information within a production or operational environment are limited.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-05(05)(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.4",
      "ao_id": "CHG-04.4_A06",
      "objective": "privileges are reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-05(05)(b)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.4",
      "ao_id": "CHG-04.4_A07",
      "objective": "privileges are reevaluated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-05(05)(b)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-04.5",
      "ao_id": "CHG-04.5_A01",
      "objective": "privileges to change software resident within software libraries are limited.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-05(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-05",
      "ao_id": "CHG-05_A01",
      "objective": "as part of the organization's change management processes, stakeholders are alerted to spread awareness of the potential impact(s) from proposed changes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-05",
      "ao_id": "CHG-05_A02",
      "objective": "changes to the system or system component location where sensitive / regulated data is processed are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-05",
      "ao_id": "CHG-05_A03",
      "objective": "changes to the system or system component location where sensitive / regulated data is stored are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-05",
      "ao_id": "CHG-05_A04",
      "objective": "changes to the system or system component location where CUI is processed are documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-05",
      "ao_id": "CHG-05_A05",
      "objective": "changes to the system or system component location where CUI is stored are documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A01",
      "objective": "security functions to be verified for correct operation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A02",
      "objective": "organization-defined activities are initiated when anomalies are discovered.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-06d.\n53A_R5_SI-06_ODP[07]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A03",
      "objective": "the security requirements for the system continue to be satisfied after the system changes have been implemented.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.04.04.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A04",
      "objective": "privacy functions to be verified for correct operation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A05",
      "objective": "system transitional states requiring the verification of cybersecurity / data privacy functions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A06",
      "objective": "the frequency at which to verify the correct operation of cybersecurity / data privacy functions is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A07",
      "objective": "alternative action(s) to be performed when anomalies are discovered are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A08",
      "objective": "cybersecurity / data privacy functions are verified to be operating correctly.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-06a.[01]\n53A_R5_SI-06b.[01]\n53A_R5_CM-03(02)[01]\n53A_R5_CM-03(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "to include upon system startup and/or restart",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A09",
      "objective": "personnel or roles to be alerted of failed cybersecurity / data privacy verification tests is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06",
      "ao_id": "CHG-06_A10",
      "objective": "pertinent personnel or roles is/are alerted to failed cybersecurity / data privacy verification tests.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06c.[01]\n53A_R5_SI-06c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "to include system administrators and security personnel",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06.1",
      "ao_id": "CHG-06.1_A01",
      "objective": "personnel or roles designated to receive the results of cybersecurity / data privacy function verification is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-06.1",
      "ao_id": "CHG-06.1_A02",
      "objective": "the results of security and/or function verification are reported to pertinent personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-06(03)[01]\n53A_R5_SI-06(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-07",
      "ao_id": "CHG-07_A01",
      "objective": "criteria for \"emergency\" changes are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-07",
      "ao_id": "CHG-07_A02",
      "objective": "change management procedures govern \"emergency\" changes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-07.1",
      "ao_id": "CHG-07.1_A01",
      "objective": "the documented results of \"emergency\" changes include an explanation for why standard change management procedures could not be followed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-08",
      "ao_id": "CHG-08_A01",
      "objective": "Business processes that require dual approval for any changes that might result in a serious adverse impact are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-08",
      "ao_id": "CHG-08_A02",
      "objective": "Technology Assets, Applications, Services and/or Data (TAASD) that require dual approval for any changes that might result in a serious adverse impact are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CHG-08",
      "ao_id": "CHG-08_A03",
      "objective": "Processes and/or technologies are implemented for instances that require dual approval for any changes that might result in a serious incident that could adversely impact operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-01",
      "ao_id": "CLD-01_A01",
      "objective": "the organization facilitates the implementation of cloud management controls to ensure cloud instances are securely configured and maintained.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-01",
      "ao_id": "CLD-01_A02",
      "objective": "secure baseline configurations exist for cloud-based systems, applications and services to protect the confidentiality, integrity and availability of data being stored, processed and/or transmitted.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-01",
      "ao_id": "CLD-01_A03",
      "objective": "cloud management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-01",
      "ao_id": "CLD-01_A04",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support cloud management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-01",
      "ao_id": "CLD-01_A05",
      "objective": "responsibility and authority for the performance of cloud management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-01",
      "ao_id": "CLD-01_A06",
      "objective": "personnel performing cloud management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-01.1",
      "ao_id": "CLD-01.1_A01",
      "objective": "the design and configuration process for cloud services is formally governed so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-01.2",
      "ao_id": "CLD-01.2_A01",
      "objective": "the decommission process for cloud services is formally governed so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-02",
      "ao_id": "CLD-02_A01",
      "objective": "a cloud security architecture is defined to address cloud employments that support the organization's mission.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-02",
      "ao_id": "CLD-02_A02",
      "objective": "the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-03",
      "ao_id": "CLD-03_A01",
      "objective": "cloud security management subnets are logically isolated.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(29)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-03",
      "ao_id": "CLD-03_A02",
      "objective": "cloud security management subnet system components and functions to be isolated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(29)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-03",
      "ao_id": "CLD-03_A03",
      "objective": "organization-defined criteria are used to isolate cloud security management subnets.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(29)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-04",
      "ao_id": "CLD-04_A01",
      "objective": "information/data exchange supports secure data portability.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-04",
      "ao_id": "CLD-04_A02",
      "objective": "information processing interoperability is supported.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-04.1",
      "ao_id": "CLD-04.1_A01",
      "objective": "an Application Programming Interface (API) Gateway, or similar technology, serves as a controlled entry point that manages interactions between client-facing requests and backend services.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-05",
      "ao_id": "CLD-05_A01",
      "objective": "virtual machine images are protected to ensure continued integrity.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-05",
      "ao_id": "CLD-05_A02",
      "objective": "virtual machine images are governed according to the organization's established change control processes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-06",
      "ao_id": "CLD-06_A01",
      "objective": "multi-tenant owned / managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-06.1",
      "ao_id": "CLD-06.1_A01",
      "objective": "a documented Customer Responsibility Matrix (CRM) delineates assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-06.2",
      "ao_id": "CLD-06.2_A01",
      "objective": "for Multi-Tenant Service Providers (MTSP), established security event logging capabilities for its customers are consistent with the customer's applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-06.3",
      "ao_id": "CLD-06.3_A01",
      "objective": "for Multi-Tenant Service Providers (MTSP), there is a capability to conduct prompt forensic investigations in the event of a suspected or confirmed security incident.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-06.4",
      "ao_id": "CLD-06.4_A01",
      "objective": "for Multi-Tenant Service Providers (MTSP), there is a capability to conduct prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-07",
      "ao_id": "CLD-07_A01",
      "objective": "cloud providers use secure protocols for information/data exchange to support secure data portability.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-08",
      "ao_id": "CLD-08_A01",
      "objective": "cloud providers use industry-recognized formats to support secure interoperability.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-08",
      "ao_id": "CLD-08_A02",
      "objective": "cloud providers provide documentation of custom changes to virtualization formats for review by affected stakeholders.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-09",
      "ao_id": "CLD-09_A01",
      "objective": "locations where information processing and data storage is/are to be restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)_ODP[01]\n53A_R5_SA-09(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-09",
      "ao_id": "CLD-09_A02",
      "objective": "requirements or conditions for restricting the location of information processing, information storage or information services are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-09",
      "ao_id": "CLD-09_A03",
      "objective": "based on requirements, information processing, information storage or information services is/are restricted to locations.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-09",
      "ao_id": "CLD-09_A04",
      "objective": "the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.",
      "pptdf": "Data",
      "origin": "53A_R5_SA-09(08)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-10",
      "ao_id": "CLD-10_A01",
      "objective": "sensitive / regulated data in public cloud providers is identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-10",
      "ao_id": "CLD-10_A02",
      "objective": "the storage of sensitive / regulated data in public cloud providers is controlled.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-11",
      "ao_id": "CLD-11_A01",
      "objective": "a Cloud Access Security Broker (CASB), or similar technology, is utilized to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-12",
      "ao_id": "CLD-12_A01",
      "objective": "Content Delivery Networks (CDNs) are configured to prevent side channel attacks by restricting access to the origin server's IP address to the CDN and authorized management networks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-13",
      "ao_id": "CLD-13_A01",
      "objective": "applicable cybersecurity & data protection controls are specified that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-13.1",
      "ao_id": "CLD-13.1_A01",
      "objective": "specified individuals are authorized to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-13.2",
      "ao_id": "CLD-13.2_A01",
      "objective": "formal processes are defined to store, process and/or transmit sensitive / regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-14",
      "ao_id": "CLD-14_A01",
      "objective": "access to, or usage of, hosted systems, applications and/or services is prohibited until applicable cybersecurity & data protection control implementation is verified.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CLD-15",
      "ao_id": "CLD-15_A01",
      "objective": "Software Defined Storage (SDS) is used to automatically scale access management permissions to Data, Assets, Applications & Services (DAAS).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01",
      "ao_id": "CPL-01_A01",
      "objective": "the organization analyzes its business practices to determine applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01",
      "ao_id": "CPL-01_A02",
      "objective": "compliance management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01",
      "ao_id": "CPL-01_A03",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support compliance management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01",
      "ao_id": "CPL-01_A04",
      "objective": "responsibility and authority for the performance of compliance management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01",
      "ao_id": "CPL-01_A05",
      "objective": "personnel performing compliance management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.1",
      "ao_id": "CPL-01.1_A01",
      "objective": "instances of non-compliance with statutory, regulatory and/or contractual obligations are documented, including the reason(s) for non-compliance.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.1",
      "ao_id": "CPL-01.1_A02",
      "objective": "instances of non-compliance with statutory, regulatory and/or contractual obligations are formally-reviewed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.1",
      "ao_id": "CPL-01.1_A03",
      "objective": "instances of non-compliance with statutory, regulatory and/or contractual obligations are centrally-governed to maintain appropriate situational awareness.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.1",
      "ao_id": "CPL-01.1_A04",
      "objective": "instances of non-compliance with statutory, regulatory and/or contractual obligations are assigned to individuals or teams for remediation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.1",
      "ao_id": "CPL-01.1_A05",
      "objective": "remediation plans for instances of non-compliance with statutory, regulatory and/or contractual obligations are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.2",
      "ao_id": "CPL-01.2_A01",
      "objective": "the organization's applicable cybersecurity / data privacy controls are determined through the analysis of business practices to determine required statutory, regulatory and/or contractual compliance obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.2",
      "ao_id": "CPL-01.2_A02",
      "objective": "a recurring process exists to validate the scope of cybersecurity / data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.3",
      "ao_id": "CPL-01.3_A01",
      "objective": "a capability exists to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.3",
      "ao_id": "CPL-01.3_A02",
      "objective": "responsibility for demonstrating conformity is assigned to specific personnel or roles.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.4",
      "ao_id": "CPL-01.4_A01",
      "objective": "assessments are conducted to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.5",
      "ao_id": "CPL-01.5_A01",
      "objective": "a declaration of conformity is generated for each conformity assessment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.6",
      "ao_id": "CPL-01.6_A01",
      "objective": "based on the scope of an audit/assessment, necessary subject matter expertise is defined to perform review, interview and/or test activities for in-scope People, Processes, Technologies, Data and/or Facilities (PPTDF).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.6",
      "ao_id": "CPL-01.6_A02",
      "objective": "minimum professional qualifications to participate in an audit and/or assessment are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.6",
      "ao_id": "CPL-01.6_A03",
      "objective": "auditors/assessors are evaluated for necessary subject matter expertise to perform an audit/assessment.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.6",
      "ao_id": "CPL-01.6_A04",
      "objective": "auditors/assessors are required to have minimum professional qualifications to participate in an audit/assessment.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.7",
      "ao_id": "CPL-01.7_A01",
      "objective": "a designated individual is assigned authority to make statements of conformity on behalf of the organization.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.7",
      "ao_id": "CPL-01.7_A02",
      "objective": "the designated individual is provided formal guidance on the limitations of statements of conformity that can be made on behalf of the organization.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.8",
      "ao_id": "CPL-01.8_A01",
      "objective": "the process for the certifying official to attest to the accuracy of conformity attestations is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-01.8",
      "ao_id": "CPL-01.8_A02",
      "objective": "the certifying official attests to the accuracy of conformity attestations, based on applicable laws, regulations and/or contractual criteria.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A01",
      "objective": "a compliance catalog of applicable laws, regulations and contractual obligations is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A02",
      "objective": "a continuous monitoring strategy is developed for cybersecurity / data privacy controls.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A03",
      "objective": "continuous control monitoring is implemented in accordance with the organization's continuous monitoring strategy.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A04",
      "objective": "the frequency of cybersecurity / data privacy control assessments is defined.",
      "pptdf": "Process",
      "origin": "171A_3.12.1[a]\n53A_R5_CA-07_ODP[02]\n53A_R5_CA-07_ODP[03]\n53A_R5_CA-07b.[01]\n53A_R5_CA-07b.[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least every 12 months and after any significant incidents or significant changes occur",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A05",
      "objective": "cybersecurity / data privacy controls are assessed with the defined frequency to determine if the controls are effective in their application.",
      "pptdf": "Process",
      "origin": "171A_3.12.1[b]\n53A_R5_CA-07c.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A06",
      "objective": "cybersecurity / data privacy controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.",
      "pptdf": "Process",
      "origin": "171A_3.12.3",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A07",
      "objective": "personnel or roles to whom the cybersecurity / data privacy status of the system is reported are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07_ODP[04]\n53A_R5_CA-07_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A08",
      "objective": "the frequency at which the cybersecurity / data privacy status of the system is reported is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07_ODP[05]\n53A_R5_CA-07_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A09",
      "objective": "system-level continuous monitoring includes reporting the cybersecurity / data privacy status of the system to pertinent personnel or roles according to an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07g.[01]\n53A_R5_CA-07g.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A10",
      "objective": "control monitoring metrics are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07_ODP[01]\n53A_R5_CA-07a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A11",
      "objective": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A12",
      "objective": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A13",
      "objective": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07f.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A14",
      "objective": "the personnel or roles for reporting the security status of organizational systems to is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A15",
      "objective": "the personnel or roles for reporting the privacy status of organizational systems to is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A16",
      "objective": "the frequency at which to report the security status of organizational systems is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A17",
      "objective": "the frequency at which to report the privacy status of organizational systems is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A18",
      "objective": "an organization-wide continuous monitoring strategy is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31\n53A_R5_PM-31_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A19",
      "objective": "continuous monitoring programs are implemented that include establishing metrics to be monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A20",
      "objective": "continuous monitoring programs are implemented that establish frequency for monitoring.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31b.[01]\n53A_R5_PM-31_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A21",
      "objective": "continuous monitoring programs are implemented that establish frequency for assessment of control effectiveness.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31b.[02]\n53A_R5_PM-31_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A22",
      "objective": "continuous monitoring programs are implemented that include monitoring metrics on an ongoing basis in accordance with the continuous monitoring strategy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A23",
      "objective": "continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A24",
      "objective": "continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A25",
      "objective": "continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31e.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A26",
      "objective": "continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A27",
      "objective": "continuous monitoring programs are implemented that include reporting the security status of organizational systems to organization-defined personnel or roles at an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31f.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A28",
      "objective": "continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to organization-defined personnel or roles at an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-31f.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A29",
      "objective": "a system-level continuous monitoring strategy is developed.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.03[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A30",
      "objective": "ongoing monitoring is included in the continuous monitoring strategy.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.03[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02",
      "ao_id": "CPL-02_A31",
      "objective": "security assessments are included in the continuous monitoring strategy.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.03[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02.1",
      "ao_id": "CPL-02.1_A01",
      "objective": "an internal audit function exists that is comprised of stakeholders who have the subject matter expertise to serve in an advisory capability on audit-related matters.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02.1",
      "ao_id": "CPL-02.1_A02",
      "objective": "an internal audit function formally defines audit-related priorities for the organization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02.1",
      "ao_id": "CPL-02.1_A03",
      "objective": "an internal audit function tracks audit findings that require remediation efforts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02.1",
      "ao_id": "CPL-02.1_A04",
      "objective": "an internal audit function provides the organization's executive leadership with insights into the appropriateness of the organization's technology and information governance processes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02.1",
      "ao_id": "CPL-02.1_A05",
      "objective": "the frequency at which to assess the security requirements for the system and its environment of operation is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least every 12 months and after any significant incidents or significant changes occur",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02.2",
      "ao_id": "CPL-02.2_A01",
      "objective": "the organization conducts periodic, formal audits of cybersecurity & data protection controls for conformity with the organization's policies, standards and procedures.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02.2",
      "ao_id": "CPL-02.2_A02",
      "objective": "responsibility for conformity assessments is assigned to specific personnel or roles.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-02.3",
      "ao_id": "CPL-02.3_A01",
      "objective": "corrective action is taken to remediate instances of non-conformity with applicable statutory, regulatory, and/or contractual compliance obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A01",
      "objective": "the frequency at which to assess controls in the system and its environment of operation is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A02",
      "objective": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A03",
      "objective": "the security requirements for the system and its environment of operation are assessed per an organization-defined frequency to determine if the requirements have been satisfied.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A04",
      "objective": "individuals or roles to whom control assessment results are to be provided are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A05",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A06",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A07",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A08",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A09",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A10",
      "objective": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03",
      "ao_id": "CPL-03_A11",
      "objective": "the security requirements for the system and its environment of operation are assessed <A.03.12.01.ODP[01]: frequency> to determine if the requirements have been satisfied.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.01",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.1",
      "ao_id": "CPL-03.1_A01",
      "objective": "independent assessors or assessment teams are employed to monitor in-scope controls on an ongoing basis.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.2",
      "ao_id": "CPL-03.2_A01",
      "objective": "controls are assessed in the system and its environment of operation per an organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established security requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02d.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.2",
      "ao_id": "CPL-03.2_A02",
      "objective": "a control assessment report is produced that documents the results of the assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02e.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.2",
      "ao_id": "CPL-03.2_A03",
      "objective": "controls are assessed in the system and its environment of operation per an organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.2",
      "ao_id": "CPL-03.2_A04",
      "objective": "the results of the control assessment are provided to individuals or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02f.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.2",
      "ao_id": "CPL-03.2_A05",
      "objective": "a system-level continuous monitoring strategy is implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.03[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.3",
      "ao_id": "CPL-03.3_A01",
      "objective": "assessors are granted the minimum logical access authorizations necessary to conduct conformity assessments.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.3",
      "ao_id": "CPL-03.3_A02",
      "objective": "assessors are granted the minimum physical access authorizations necessary to conduct conformity assessments.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.4",
      "ao_id": "CPL-03.4_A01",
      "objective": "acceptable methods to conduct a cybersecurity and/or data protection assessment are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.5",
      "ao_id": "CPL-03.5_A01",
      "objective": "the level of assessment rigor necessary to conduct a cybersecurity and/or data protection assessment is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.6",
      "ao_id": "CPL-03.6_A01",
      "objective": "an Evidence Request List (ERL) is defined prior to the start of a cybersecurity and/or data protection assessment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-03.7",
      "ao_id": "CPL-03.7_A01",
      "objective": "evidence sampling criteria for cybersecurity and/or data protection assessments are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-04",
      "ao_id": "CPL-04_A01",
      "objective": "an internal audit function formally defines audit-related priorities for the organization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-04",
      "ao_id": "CPL-04_A02",
      "objective": "audits are thoughtfully planned to minimize the impact of audit-related activities on business operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-05",
      "ao_id": "CPL-05_A01",
      "objective": "a formal process exists to intake requests, document the request and determine whether a government agency has an applicable and valid legal basis to request data from the organization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-05",
      "ao_id": "CPL-05_A02",
      "objective": "based on an applicable and valid legal basis for a data request by a government agency, data request fulfillment actions are formally assigned to an individual or group with explicitly-specified criteria to minimize inappropriate data sharing.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-05.1",
      "ao_id": "CPL-05.1_A01",
      "objective": "a formal process exists to intake and document government investigation requests.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-05.1",
      "ao_id": "CPL-05.1_A02",
      "objective": "a formal process exists to evaluate government investigation requests for legal requirements the organization must comply with.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-05.1",
      "ao_id": "CPL-05.1_A03",
      "objective": "processes exist to notify affected customer(s) about investigation requests, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-05.2",
      "ao_id": "CPL-05.2_A01",
      "objective": "a formal process exists to intake and document government access requests.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-05.2",
      "ao_id": "CPL-05.2_A02",
      "objective": "a formal process exists to evaluate government access requests for legal requirements the organization must comply with.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-05.2",
      "ao_id": "CPL-05.2_A03",
      "objective": "the organization supports official investigations by provisioning government investigators with \"least privileges\" and \"least functionality\" to ensure that government investigators only have access to the data and systems needed to perform the investigation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-06",
      "ao_id": "CPL-06_A01",
      "objective": "a formal process exists to intake and document access requests from host governments for unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-06",
      "ao_id": "CPL-06_A02",
      "objective": "executive leadership, along with legal counsel, formally identifies risks associated with non-compliance (e.g., fines, operational impacts, etc.).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-06",
      "ao_id": "CPL-06_A03",
      "objective": "executive leadership, along with legal counsel, formally identifies primary risks associated with compliance (e.g., loss of confidentiality and/or integrity considerations with data governance).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-06",
      "ao_id": "CPL-06_A04",
      "objective": "executive leadership, along with legal counsel, formally identifies secondary risks associated with compliance (e.g., non-compliance with other laws, regulations and contractual agreements).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-06",
      "ao_id": "CPL-06_A05",
      "objective": "executive leadership, along with legal counsel, formally identifies tertiary risks associated with compliance (e.g., human rights abuses, theft of intellectual property, espionage, etc.).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-06",
      "ao_id": "CPL-06_A06",
      "objective": "executive leadership, along with legal counsel, formally adopts an action plan to respond to host government requests for unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-07",
      "ao_id": "CPL-07_A01",
      "objective": "an intake mechanism exists to receive grievances related to the organization's cybersecurity and/or data protection practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-07",
      "ao_id": "CPL-07_A02",
      "objective": "received grievances are assigned to specific roles to investigate the legitimacy of the complaint.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-07",
      "ao_id": "CPL-07_A03",
      "objective": "the analysis of received grievances is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-07",
      "ao_id": "CPL-07_A04",
      "objective": "upon validation of a grievance from a data subject, a process assigns the remediation task to an individual, or team.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-07.1",
      "ao_id": "CPL-07.1_A01",
      "objective": "a response mechanism exists to respond to legitimate grievances related to the organization's cybersecurity and/or data protection practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-08",
      "ao_id": "CPL-08_A01",
      "objective": "localized representation with a physical presence in localities is appointed to represent the organization, as required by applicable laws and/or regulations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-08.1",
      "ao_id": "CPL-08.1_A01",
      "objective": "localized representation is contracted to perform specified functions in regard to representing statutory and/or regulatory compliance matters.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-09",
      "ao_id": "CPL-09_A01",
      "objective": "instances of control reciprocity within assessment boundaries are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-10",
      "ao_id": "CPL-10_A01",
      "objective": "instances of control inheritance within assessment boundaries are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11",
      "ao_id": "CPL-11_A01",
      "objective": "technologies and/or data that have potential \"dual-use\" capabilities for civil and military applications are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11",
      "ao_id": "CPL-11_A02",
      "objective": "technologies and/or data that have potential use by terrorists are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11",
      "ao_id": "CPL-11_A03",
      "objective": "technologies and/or data that have potential Weapons of Mass Destruction (WMD) applications are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11.1",
      "ao_id": "CPL-11.1_A01",
      "objective": "a legal requirement to comply with the United States Munitions List (USML) or Commerce Control List (CCL) is determined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11.2",
      "ao_id": "CPL-11.2_A01",
      "objective": "logical access to United States (US) export-controlled data is restricted to US citizens.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11.2",
      "ao_id": "CPL-11.2_A02",
      "objective": "logical access to United States (US) export-controlled data is restricted to US Green Card holders.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11.2",
      "ao_id": "CPL-11.2_A03",
      "objective": "physical access to United States (US) export-controlled data is restricted to US citizens.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11.2",
      "ao_id": "CPL-11.2_A04",
      "objective": "physical access to United States (US) export-controlled data is restricted to US Green Card holders.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11.3",
      "ao_id": "CPL-11.3_A01",
      "objective": "detailed logs of export-controlled data are generated to document logical and physical access.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-11.3",
      "ao_id": "CPL-11.3_A02",
      "objective": "detailed logs of export-controlled data are generated to document export activities.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-12",
      "ao_id": "CPL-12_A01",
      "objective": "applicable controls for an audit/assessment are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-12",
      "ao_id": "CPL-12_A02",
      "objective": "a Statement of Applicability (SOA), or similar document, is generated to formalize audit/assessment control scoping.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-13",
      "ao_id": "CPL-13_A01",
      "objective": "work products (e.g., process artifacts) necessary to demonstrate conformity with applicable requirements are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-13",
      "ao_id": "CPL-13_A02",
      "objective": "work products (e.g., process artifacts) necessary to demonstrate conformity with applicable requirements are generated and retained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-13.1",
      "ao_id": "CPL-13.1_A01",
      "objective": "the minimum threshold for evidence of due diligence activities capable of withstanding external audit or regulatory scrutiny is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-13.1",
      "ao_id": "CPL-13.1_A02",
      "objective": "evidence of due diligence activities is generated and retained to demonstrate conformity with applicable requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-13.2",
      "ao_id": "CPL-13.2_A01",
      "objective": "the minimum threshold for evidence of due care activities capable of withstanding external audit or regulatory scrutiny is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CPL-13.2",
      "ao_id": "CPL-13.2_A02",
      "objective": "evidence of due care activities is generated and retained to demonstrate conformity with applicable requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A01",
      "objective": "cryptographic uses are identified / defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-08(02)_ODP\n53A_R5_SC-13_ODP[01]\n53A_R5_SC-13a.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A02",
      "objective": "cryptographic mechanisms intended to prevent unauthorized disclosure of sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[02]\n171A_3.13.8[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A03",
      "objective": "organization-defined types of cryptography are implemented to protect the confidentiality of sensitive / regulated data.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-13b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A04",
      "objective": "as necessary for compliance requirements, FIPS-validated cryptography is employed to protect the confidentiality of sensitive / regulated data.",
      "pptdf": "Technology",
      "origin": "171A_3.13.11",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A05",
      "objective": "security critical or essential software is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.1e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A06",
      "objective": "root of trust mechanisms or cryptographic signatures are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.1e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A07",
      "objective": "the integrity of security critical or essential software is verified using root of trust mechanisms or cryptographic signatures.",
      "pptdf": "Technology",
      "origin": "172A_3.14.1e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A08",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of sensitive / regulated data during transmission.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A09",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of sensitive / regulated data while in storage.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A10",
      "objective": "cryptographic mechanisms are implemented to detect unauthorized changes to software.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(06)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A11",
      "objective": "cryptographic mechanisms are implemented to detect unauthorized changes to firmware.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(06)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A12",
      "objective": "cryptographic mechanisms are implemented to detect unauthorized changes to information.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(06)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A13",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI during transmission.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.13.08[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A14",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI while in storage.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.13.08[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A15",
      "objective": "the types of cryptography for protecting the confidentiality of CUI are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.13.11.ODP[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A16",
      "objective": "the following types of cryptography are implemented to protect the confidentiality of CUI: <A.03.13.11.ODP[01]: types of cryptography>.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.13.11",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "FIPS Validated Cryptography\n(https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules)",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A17",
      "objective": "cryptographic protections management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A18",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support cryptographic protections management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A19",
      "objective": "responsibility and authority for the performance of cryptographic protections management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01",
      "ao_id": "CRY-01_A20",
      "objective": "personnel performing cryptographic protections management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.1",
      "ao_id": "CRY-01.1_A01",
      "objective": "either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of sensitive / regulated data during transmission.",
      "pptdf": "Technology",
      "origin": "171A_3.13.8[c]\n53A_R5_SC-08(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.1",
      "ao_id": "CRY-01.1_A02",
      "objective": "alternative physical safeguards intended to prevent unauthorized disclosure of sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-08(04)_ODP\n171A_3.13.8[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.2",
      "ao_id": "CRY-01.2_A01",
      "objective": "a legal opinion regarding exporting cryptographic technologies is obtained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.2",
      "ao_id": "CRY-01.2_A02",
      "objective": "cryptographic uses are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[01]\n53A_R5_SC-13a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.2",
      "ao_id": "CRY-01.2_A03",
      "objective": "types of cryptography for each specified cryptographic use are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.3",
      "ao_id": "CRY-01.3_A01",
      "objective": "the confidentiality and integrity of information is maintained during preparation for transmission.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08(02)[01]\n53A_R5_SC-08(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.3",
      "ao_id": "CRY-01.3_A02",
      "objective": "the confidentiality and integrity of information is maintained during reception.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08(02)[02]\n53A_R5_SC-08(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.4",
      "ao_id": "CRY-01.4_A01",
      "objective": "technical and procedural means to confuse and mislead adversaries are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.3e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.4",
      "ao_id": "CRY-01.4_A02",
      "objective": "technical and procedural means are employed to confuse and mislead adversaries.",
      "pptdf": "Process",
      "origin": "172A_3.13.3e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.5",
      "ao_id": "CRY-01.5_A01",
      "objective": "cryptographic uses are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[01]\n53A_R5_SC-13a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.5",
      "ao_id": "CRY-01.5_A02",
      "objective": "types of cryptography for each specified cryptographic use are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.5",
      "ao_id": "CRY-01.5_A03",
      "objective": "an inventory of cryptographic cipher suites and protocols is maintained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.5",
      "ao_id": "CRY-01.5_A04",
      "objective": "deployed cryptographic cipher suites and protocols are periodically reviewed to identify industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-01.5",
      "ao_id": "CRY-01.5_A05",
      "objective": "proactive measures are taken to respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-02",
      "ao_id": "CRY-02_A01",
      "objective": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards and guidelines for such authentication.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-07",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-03",
      "ao_id": "CRY-03_A01",
      "objective": "the types of cryptography for protecting the confidentiality of data are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-03",
      "ao_id": "CRY-03_A02",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of data during transmission.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08\n53A_R5_SC-08_ODP\n53A_R5_SC-08(01)\n53A_R5_SC-08(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-03",
      "ao_id": "CRY-03_A03",
      "objective": "organization-defined types of cryptography are implemented to protect the confidentiality of sensitive / regulated data.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-03",
      "ao_id": "CRY-03_A04",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI during transmission.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.13.08[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-03",
      "ao_id": "CRY-03_A05",
      "objective": "the types of cryptography for protecting the confidentiality of CUI are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.13.11.ODP[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-03",
      "ao_id": "CRY-03_A06",
      "objective": "the following types of cryptography are implemented to protect the confidentiality of CUI: <A.03.13.11.ODP[01]: types of cryptography>.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.13.11",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "FIPS Validated Cryptography\n(https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules)",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-04",
      "ao_id": "CRY-04_A01",
      "objective": "the integrity of transmitted information is protected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08\n53A_R5_SC-08_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-04",
      "ao_id": "CRY-04_A02",
      "objective": "cryptographic uses are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-04",
      "ao_id": "CRY-04_A03",
      "objective": "information requiring cryptographic protection is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-04",
      "ao_id": "CRY-04_A04",
      "objective": "system components or media requiring cryptographic protection is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-04",
      "ao_id": "CRY-04_A05",
      "objective": "types of cryptography for each specified cryptographic use are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-04",
      "ao_id": "CRY-04_A06",
      "objective": "the integrity of transmitted cybersecurity / data privacy attributes is verified.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-16(01)[01]\n53A_R5_SC-16(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-04",
      "ao_id": "CRY-04_A07",
      "objective": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of information at rest on system components or media.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-28(01)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-04",
      "ao_id": "CRY-04_A08",
      "objective": "cryptographic mechanisms are implemented to prevent unauthorized modification of information at rest on system components or media.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-28(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A01",
      "objective": "the confidentiality of sensitive / regulated data stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.",
      "pptdf": "Technology",
      "origin": "171A_3.8.6\n53A_R5_SC-13b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A02",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of sensitive / regulated data while in storage.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A03",
      "objective": "cryptographic uses are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[01]\n53A_R5_SC-13a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A04",
      "objective": "information requiring cryptographic protection is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A05",
      "objective": "system components or media requiring cryptographic protection is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A06",
      "objective": "the types of cryptography for protecting the confidentiality of sensitive / regulated data are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-13_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A07",
      "objective": "organization-defined types of cryptography are implemented to protect the confidentiality of sensitive / regulated data.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A08",
      "objective": "cryptographic mechanisms are implemented to prevent the unauthorized disclosure of CUI while in storage.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.13.08[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A09",
      "objective": "the types of cryptography for protecting the confidentiality of CUI are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.13.11.ODP[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05",
      "ao_id": "CRY-05_A10",
      "objective": "the following types of cryptography are implemented to protect the confidentiality of CUI: <A.03.13.11.ODP[01]: types of cryptography>.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.13.11",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "FIPS Validated Cryptography\n(https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules)",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.1",
      "ao_id": "CRY-05.1_A01",
      "objective": "storage media types are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.1",
      "ao_id": "CRY-05.1_A02",
      "objective": "cryptographic mechanisms protect the confidentiality and integrity of the sensitive data residing on storage media.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.2",
      "ao_id": "CRY-05.2_A01",
      "objective": "persistent organizational storage locations are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.5e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.2",
      "ao_id": "CRY-05.2_A02",
      "objective": "recurring reviews of persistent organizational storage locations are conducted to identify sensitive / regulated data that is no longer needed.",
      "pptdf": "Process",
      "origin": "172A_3.14.5e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.2",
      "ao_id": "CRY-05.2_A03",
      "objective": "the frequency with which to conduct reviews of persistent organizational storage locations is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.5e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.2",
      "ao_id": "CRY-05.2_A04",
      "objective": "information to be removed from online storage and stored offline in a secure location is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28(02)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.2",
      "ao_id": "CRY-05.2_A05",
      "objective": "information is removed from online storage.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-28(02)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.2",
      "ao_id": "CRY-05.2_A06",
      "objective": "information is stored offline in a secure location.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-28(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-05.3",
      "ao_id": "CRY-05.3_A01",
      "objective": "secure baseline configurations require database servers to utilize cryptographic mechanisms that are appropriate to protect the confidentiality of sensitive data within their databases.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-06",
      "ao_id": "CRY-06_A01",
      "objective": "cryptographic mechanisms are utilized to protect the confidentiality and integrity of non-console administrative access.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-07",
      "ao_id": "CRY-07_A01",
      "objective": "configuration requirements are established for each type of wireless access.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-18a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-07",
      "ao_id": "CRY-07_A02",
      "objective": "connection requirements are established for each type of wireless access.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-18a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-07",
      "ao_id": "CRY-07_A03",
      "objective": "implementation guidance is established for each type of wireless access.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-18a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-08",
      "ao_id": "CRY-08_A01",
      "objective": "requirements for key generation, distribution, storage, access and destruction are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-12_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-08",
      "ao_id": "CRY-08_A02",
      "objective": "a certificate policy for issuing public key certificates is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-17_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-08",
      "ao_id": "CRY-08_A03",
      "objective": "public key certificates are issued under an organization-defined certificate policy or public key certificates are obtained from an approved service provider.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-17a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-08",
      "ao_id": "CRY-08_A04",
      "objective": "only approved trust anchors are included in trust stores or certificate stores managed by the organization.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-17b.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-08",
      "ao_id": "CRY-08_A05",
      "objective": "cryptographic keys are established whenever cryptography is employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-12[01]\n171A_3.13.10[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-08",
      "ao_id": "CRY-08_A06",
      "objective": "cryptographic keys are managed whenever cryptography is employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-12[02]\n171A_3.13.10[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-08.1",
      "ao_id": "CRY-08.1_A01",
      "objective": "resiliency mechanisms ensure the availability of data in the event of the loss of cryptographic keys when utilizing a centrally-managed cryptographic key management solution.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09",
      "ao_id": "CRY-09_A01",
      "objective": "requirements for key generation, distribution, storage, access, and destruction are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28(03)_ODP[02]\n171A_R3_A.03.13.10.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09",
      "ao_id": "CRY-09_A02",
      "objective": "protected storage for cryptographic keys is provided using organization-defined criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-28(03)\n53A_R5_SC-28(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09",
      "ao_id": "CRY-09_A03",
      "objective": "cryptographic keys are established in the system in accordance with organization-defined key management requirements.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09",
      "ao_id": "CRY-09_A04",
      "objective": "cryptographic keys are managed in the system in accordance with organization-defined key management requirements.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09",
      "ao_id": "CRY-09_A05",
      "objective": "cryptographic keys are established in the system in accordance with the following key management requirements: <A.03.13.10.ODP[01]: requirements>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.10[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: At a minimum, establish a policy and procedure in line with the latest Cryptographic key management guidance",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09",
      "ao_id": "CRY-09_A06",
      "objective": "cryptographic keys are managed in the system in accordance with the following key management requirements: <A.03.13.10.ODP[01]: requirements>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.10[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: At a minimum, establish a policy and procedure in line with the latest Cryptographic key management guidance",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.1",
      "ao_id": "CRY-09.1_A01",
      "objective": "symmetric cryptographic keys are produced using organization-defined values for key management technology and processes.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-12(02)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.1",
      "ao_id": "CRY-09.1_A02",
      "objective": "symmetric cryptographic keys are controlled using organization-defined values for key management technology and processes.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-12(02)[02]\n53A_R5_SC-12(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.1",
      "ao_id": "CRY-09.1_A03",
      "objective": "symmetric cryptographic keys are distributed using organization-defined values for key management technology and processes.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-12(02)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.2",
      "ao_id": "CRY-09.2_A01",
      "objective": "asymmetric cryptographic keys are produced using organization-defined criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-12(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.2",
      "ao_id": "CRY-09.2_A02",
      "objective": "asymmetric cryptographic keys are controlled using organization-defined criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-12(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.2",
      "ao_id": "CRY-09.2_A03",
      "objective": "asymmetric cryptographic keys are distributed using organization-defined criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-12(03)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.2",
      "ao_id": "CRY-09.2_A04",
      "objective": "one of the following organization-defined values is selected: \n(1) NSA-approved key management technology and processes; \n(2) prepositioned keying material; \n(3) DoD-approved or DoD-issued Medium Assurance PKI certificates; \n(4) DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; or \n(5) certificates issued in accordance with organization-defined requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-12(03)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.3",
      "ao_id": "CRY-09.3_A01",
      "objective": "information availability is maintained in the event of the loss of cryptographic keys by users.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-12(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.4",
      "ao_id": "CRY-09.4_A01",
      "objective": "a centrally-managed cryptographic key management solution facilitates the secure distribution of symmetric and asymmetric cryptographic keys.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.5",
      "ao_id": "CRY-09.5_A01",
      "objective": "secure baseline configurations ensure cryptographic keys are bound to individual identities.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.6",
      "ao_id": "CRY-09.6_A01",
      "objective": "customers are provided with appropriate key management guidance whenever cryptographic keys are shared.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-09.7",
      "ao_id": "CRY-09.7_A01",
      "objective": "exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-09(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-10",
      "ao_id": "CRY-10_A01",
      "objective": "cybersecurity / data privacy attributes associated with information exchanged are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-16_ODP[01]\n53A_R5_SC-16_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-10",
      "ao_id": "CRY-10_A02",
      "objective": "cybersecurity / data privacy attributes are associated with information exchanged between systems.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-16[01]\n53A_R5_SC-16[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-10",
      "ao_id": "CRY-10_A03",
      "objective": "security / privacy attributes are associated with information exchanged between system components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-16[02]\n53A_R5_SC-16[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-10",
      "ao_id": "CRY-10_A04",
      "objective": "the integrity of transmitted cybersecurity / data privacy attributes is verified.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-16(01)[01]\n53A_R5_SC-16(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-11",
      "ao_id": "CRY-11_A01",
      "objective": "certificate authorities to be allowed for verification of the establishment of protected sessions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-23(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-11",
      "ao_id": "CRY-11_A02",
      "objective": "only the use of organization-defined certificate authorities for verification of the establishment of protected sessions is allowed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-23(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-12",
      "ao_id": "CRY-12_A01",
      "objective": "processes exist to proactively discover when new certificates are issued for organization-controlled domains.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-12",
      "ao_id": "CRY-12_A02",
      "objective": "incident response operations are initiated when new certificates are issued without authorization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-13",
      "ao_id": "CRY-13_A01",
      "objective": "approved hash algorithms are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "CRY-13",
      "ao_id": "CRY-13_A02",
      "objective": "hash algorithms are used to generate a hash value that can be used to validate the integrity of data and/or software.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01",
      "ao_id": "DCH-01_A01",
      "objective": "paper media containing sensitive / regulated data is physically controlled.",
      "pptdf": "Data",
      "origin": "171A_3.8.1[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01",
      "ao_id": "DCH-01_A02",
      "objective": "digital media containing sensitive / regulated data is physically controlled.",
      "pptdf": "Data",
      "origin": "171A_3.8.1[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01",
      "ao_id": "DCH-01_A03",
      "objective": "paper media containing sensitive / regulated data is securely stored.",
      "pptdf": "Data",
      "origin": "171A_3.8.1[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01",
      "ao_id": "DCH-01_A04",
      "objective": "digital media containing sensitive / regulated data is securely stored.",
      "pptdf": "Data",
      "origin": "171A_3.8.1[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01",
      "ao_id": "DCH-01_A05",
      "objective": "data classification & handling management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01",
      "ao_id": "DCH-01_A06",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support data classification & handling management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01",
      "ao_id": "DCH-01_A07",
      "objective": "responsibility and authority for the performance of data classification & handling management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01",
      "ao_id": "DCH-01_A08",
      "objective": "personnel performing data classification & handling management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.1",
      "ao_id": "DCH-01.1_A01",
      "objective": "organizational data ownership requirements are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.1",
      "ao_id": "DCH-01.1_A02",
      "objective": "data ownership is formally assigned to an individual through defined roles and responsibilities.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.2",
      "ao_id": "DCH-01.2_A01",
      "objective": "sensitive / regulated data inventories exist.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.2",
      "ao_id": "DCH-01.2_A02",
      "objective": "protection mechanisms are defined for each type of sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.2",
      "ao_id": "DCH-01.2_A03",
      "objective": "organization-defined mechanisms protect sensitive / regulated data wherever it is stored.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.3",
      "ao_id": "DCH-01.3_A01",
      "objective": "data stewards document the potential impact in the event of a data loss incident.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.4",
      "ao_id": "DCH-01.4_A01",
      "objective": "specific individuals and/or roles for logical and/or physical access to sensitive / regulated data are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.4",
      "ao_id": "DCH-01.4_A02",
      "objective": "only authorized individuals are provided logical and/or physical access to sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.4",
      "ao_id": "DCH-01.4_A03",
      "objective": "the system security plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.15.02.c",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-01.4",
      "ao_id": "DCH-01.4_A04",
      "objective": "the SCRM plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-02c.[01]\n171A_R3_A.03.17.01.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-02",
      "ao_id": "DCH-02_A01",
      "objective": "a data classification scheme is defined that covers reasonable data types to address the organization's operational needs.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-02",
      "ao_id": "DCH-02_A02",
      "objective": "data and assets are categorized in accordance with the data classification scheme that addresses applicable statutory, regulatory and contractual requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-02.1",
      "ao_id": "DCH-02.1_A01",
      "objective": "data stewards formally categorize systems, applications and services in a System Security & Privacy Plan (SSPP) or similar documentation, according to the highest level of data sensitivity that is stored, transmitted and/or processed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-02.1",
      "ao_id": "DCH-02.1_A02",
      "objective": "a validation process exists to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03",
      "ao_id": "DCH-03_A01",
      "objective": "access to sensitive / regulated data on system media is restricted to authorized personnel or roles.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-02[01]\n171A_3.8.2",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03",
      "ao_id": "DCH-03_A02",
      "objective": "types of digital media to which access is restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-02_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03",
      "ao_id": "DCH-03_A03",
      "objective": "personnel or roles authorized to access digital media is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03",
      "ao_id": "DCH-03_A04",
      "objective": "types of non-digital media to which access is restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-02_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03",
      "ao_id": "DCH-03_A05",
      "objective": "personnel or roles authorized to access non-digital media is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-02_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03",
      "ao_id": "DCH-03_A06",
      "objective": "access to types of non-digital media is restricted to personnel or roles.",
      "pptdf": "Data",
      "origin": "53A_R5_MP-02[02]\n171A_3.8.2",
      "assessment_rigor": "2",
      "scf_defined_parameters": "all types of digital and/or non-digital media containing sensitive information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03",
      "ao_id": "DCH-03_A07",
      "objective": "access to CUI on system media is restricted to authorized personnel or roles.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.02",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.1",
      "ao_id": "DCH-03.1_A01",
      "objective": "a documented data classification scheme exists that covers data protection controls associated with sharing information with third-parties.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.1",
      "ao_id": "DCH-03.1_A02",
      "objective": "data stewards establish formalized business process-specific procedures to limit the disclosure of data to authorized parties.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.1",
      "ao_id": "DCH-03.1_A03",
      "objective": "the system security plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.15.02.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.1",
      "ao_id": "DCH-03.1_A04",
      "objective": "the SCRM plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-02c.[01]\n171A_R3_A.03.17.01.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.2",
      "ao_id": "DCH-03.2_A01",
      "objective": "automated mechanisms apply data masking to sensitive information that is displayed or printed, where technically feasible.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.3",
      "ao_id": "DCH-03.3_A01",
      "objective": "the external system or system component to which to release information is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(09)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.3",
      "ao_id": "DCH-03.3_A02",
      "objective": "controls to be provided by the external system or system component are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(09)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.3",
      "ao_id": "DCH-03.3_A03",
      "objective": "controls used to validate appropriateness of information to be released are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(09)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.3",
      "ao_id": "DCH-03.3_A04",
      "objective": "information is released outside of the system only if the receiving system or system component provides organization-defined controls.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(09)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-03.3",
      "ao_id": "DCH-03.3_A05",
      "objective": "information is released outside of the system only if organization-defined controls are used to validate the appropriateness of the information designated for release.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(09)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A01",
      "objective": "types of media exempt from marking when remaining in controlled areas are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-03_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A02",
      "objective": "media is marked with applicable sensitive / regulated data markings.",
      "pptdf": "Data",
      "origin": "171A_3.8.4[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A03",
      "objective": "media is marked to indicate distribution limitations, handling caveats and applicable security markings (if any) of the information.",
      "pptdf": "Process",
      "origin": "171A_3.8.4[b]\n53A_R5_MP-03a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A04",
      "objective": "controlled areas where media is exempt from marking are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-03_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A05",
      "objective": "types of media exempted from marking remain within controlled areas.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-03b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A06",
      "objective": "system media that contain sensitive / regulated data are marked to indicate distribution limitations.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A07",
      "objective": "system media that contain sensitive / regulated data are marked to indicate handling caveats.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A08",
      "objective": "system media that contain sensitive / regulated data are marked to indicate applicable sensitive / regulated data markings.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A09",
      "objective": "system media that contain CUI are marked to indicate distribution limitations.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.04[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A10",
      "objective": "system media that contain CUI are marked to indicate handling caveats.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.04[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04",
      "ao_id": "DCH-04_A11",
      "objective": "system media that contain CUI are marked to indicate applicable CUI markings.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.04[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-04.1",
      "ao_id": "DCH-04.1_A01",
      "objective": "automated mechanisms mark media and system output to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to enable the use of Data Loss Prevention (DLP) and similar automated data protection technologies.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05",
      "ao_id": "DCH-05_A01",
      "objective": "types of security / privacy attributes associated with cybersecurity attribute values for information in storage, in process, and/or in transmission are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16_ODP[01] \n53A_R5_AC-16_ODP[02]\n53A_R5_AC-16_ODP[03]\n53A_R5_AC-16_ODP[04]\n53A_R5_AC-16_ODP[05]\n53A_R5_AC-16_ODP[06]\n53A_R5_AC-16_ODP[07]\n53A_R5_AC-16_ODP[08]\n53A_R5_AC-16_ODP[09]\n53A_R5_AC-16c.[01]\n53A_R5_AC-16c.[02]\n53A_R5_AC-16d.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05",
      "ao_id": "DCH-05_A02",
      "objective": "the means to associate organization-defined types of security / privacy attributes with organization-defined security attribute values for information in storage, in process, and/or in transmission are provided.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16a.[01]\n53A_R5_AC-16a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05",
      "ao_id": "DCH-05_A03",
      "objective": "the frequency at which to review cybersecurity / data privacy attributes for applicability is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16_ODP[10]\n53A_R5_AC-16_ODP[11]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05",
      "ao_id": "DCH-05_A04",
      "objective": "attributes are reviewed according to an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16f.[01]\n53A_R5_AC-16f.[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05",
      "ao_id": "DCH-05_A05",
      "objective": "attribute associations are made.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-16b.[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05",
      "ao_id": "DCH-05_A06",
      "objective": "changes to attributes are audited.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16e.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05",
      "ao_id": "DCH-05_A07",
      "objective": "attribute associations are retained with the information.",
      "pptdf": "Data",
      "origin": "53A_R5_AC-16b.[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.1",
      "ao_id": "DCH-05.1_A01",
      "objective": "subjects or objects with which cybersecurity / data privacy attributes are to be dynamically associated as information is created and combined are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(01)_ODP[01]\n53A_R5_AC-16(01)_ODP[02]\n53A_R5_AC-16(01)_ODP[03]\n53A_R5_AC-16(01)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.1",
      "ao_id": "DCH-05.1_A02",
      "objective": "cybersecurity / data privacy policies requiring dynamic association of cybersecurity / data privacy attributes with subjects and objects are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(01)_ODP[05]\n53A_R5_AC-16(01)_ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.1",
      "ao_id": "DCH-05.1_A03",
      "objective": "cybersecurity / data privacy attributes are dynamically associated with organization-defined subjects or objects as information is created or combined.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-16(01)[01]\n53A_R5_AC-16(01)[02]\n53A_R5_AC-16(01)[03]\n53A_R5_AC-16(01)[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.2",
      "ao_id": "DCH-05.2_A01",
      "objective": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated cybersecurity / data privacy attributes.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(02)[01]\n53A_R5_AC-16(02)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.3",
      "ao_id": "DCH-05.3_A01",
      "objective": "cybersecurity / data privacy attributes that require association and integrity maintenance are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(03)_ODP[01]\n53A_R5_AC-16(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.3",
      "ao_id": "DCH-05.3_A02",
      "objective": "subjects requiring the association and integrity of cybersecurity / data privacy attributes to such subjects to be maintained are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(03)_ODP[03]\n53A_R5_AC-16(03)_ODP[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.3",
      "ao_id": "DCH-05.3_A03",
      "objective": "objects requiring the association and integrity of cybersecurity / data privacy attributes to such objects to be maintained are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(03)_ODP[04]\n53A_R5_AC-16(03)_ODP[06]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.3",
      "ao_id": "DCH-05.3_A04",
      "objective": "the association and integrity of organization-defined cybersecurity / data privacy attributes to organization-defined subjects is maintained.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-16(03)[01]\n53A_R5_AC-16(03)[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.3",
      "ao_id": "DCH-05.3_A05",
      "objective": "the association and integrity of organization-defined cybersecurity / data privacy attributes to organization-defined objects is maintained.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-16(03)[02]\n53A_R5_AC-16(03)[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.4",
      "ao_id": "DCH-05.4_A01",
      "objective": "cybersecurity / data privacy attributes associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(04)_ODP[01]\n53A_R5_AC-16(04)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.4",
      "ao_id": "DCH-05.4_A02",
      "objective": "cybersecurity / data privacy attributes associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(04)_ODP[02]\n53A_R5_AC-16(04)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.4",
      "ao_id": "DCH-05.4_A03",
      "objective": "subjects requiring the association of cybersecurity / data privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(04)_ODP[05]\n53A_R5_AC-16(04)_ODP[07]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.4",
      "ao_id": "DCH-05.4_A04",
      "objective": "objects requiring the association of cybersecurity / data privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(04)_ODP[06]\n53A_R5_AC-16(04)_ODP[08]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.4",
      "ao_id": "DCH-05.4_A05",
      "objective": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate organization-defined cybersecurity / data privacy attributes with organization-defined subjects.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(04)[01]\n53A_R5_AC-16(04)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.4",
      "ao_id": "DCH-05.4_A06",
      "objective": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate organization-defined cybersecurity / data privacy attributes with organization-defined objects.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(04)[02]\n53A_R5_AC-16(04)[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.5",
      "ao_id": "DCH-05.5_A01",
      "objective": "special dissemination, handling or distribution instructions to be used for each object that the system transmits to output devices are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.5",
      "ao_id": "DCH-05.5_A02",
      "objective": "human-readable, standard naming conventions for the cybersecurity / data privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.5",
      "ao_id": "DCH-05.5_A03",
      "objective": "cybersecurity / data privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify organization-defined instructions using organization-defined naming conventions.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-16(05)[01]\n53A_R5_AC-16(05)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.6",
      "ao_id": "DCH-05.6_A01",
      "objective": "cybersecurity / data privacy attributes associated with subjects are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(06)_ODP[01]\n53A_R5_AC-16(06)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.6",
      "ao_id": "DCH-05.6_A02",
      "objective": "cybersecurity / data privacy attributes associated with objects are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(06)_ODP[02]\n53A_R5_AC-16(06)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.6",
      "ao_id": "DCH-05.6_A03",
      "objective": "subjects to be associated with cybersecurity / data privacy attributes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(06)_ODP[05]\n53A_R5_AC-16(06)_ODP[07]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.6",
      "ao_id": "DCH-05.6_A04",
      "objective": "objects to be associated with cybersecurity / data privacy attributes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(06)_ODP[06]\n53A_R5_AC-16(06)_ODP[08]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.6",
      "ao_id": "DCH-05.6_A05",
      "objective": "cybersecurity / data privacy policies that require personnel to associate and maintain the association of cybersecurity / data privacy attributes with subjects and objects are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(06)_ODP[09]\n53A_R5_AC-16(06)_ODP[10]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.6",
      "ao_id": "DCH-05.6_A06",
      "objective": "personnel are required to associate and maintain the association of organization-defined cybersecurity / data privacy attributes with organization-defined subjects in accordance with organization-defined policies.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(06)[01]\n53A_R5_AC-16(06)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.6",
      "ao_id": "DCH-05.6_A07",
      "objective": "personnel are required to associate and maintain the association of organization-defined cybersecurity / data privacy attributes with organization-defined objects in accordance with organization-defined policies.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(06)[02]\n53A_R5_AC-16(06)[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.7",
      "ao_id": "DCH-05.7_A01",
      "objective": "a consistent interpretation of cybersecurity / data privacy attributes transmitted between distributed system components is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-16(07)[01]\n53A_R5_AC-16(07)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.8",
      "ao_id": "DCH-05.8_A01",
      "objective": "techniques and technologies to be implemented in associating cybersecurity / data privacy attributes to information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(08)_ODP[01]\n53A_R5_AC-16(08)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.8",
      "ao_id": "DCH-05.8_A02",
      "objective": "organization-defined techniques and technologies are implemented in associating cybersecurity / data privacy attributes to information.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-16(08)[01]\n53A_R5_AC-16(08)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.9",
      "ao_id": "DCH-05.9_A01",
      "objective": "techniques or procedures used to validate regrading mechanisms for cybersecurity / data privacy attributes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(09)_ODP[01]\n53A_R5_AC-16(09)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.9",
      "ao_id": "DCH-05.9_A02",
      "objective": "cybersecurity / data privacy attributes associated with information are changed only via regrading mechanisms validated using organization-defined techniques or procedures.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-16(09)[01]\n53A_R5_AC-16(09)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.10",
      "ao_id": "DCH-05.10_A01",
      "objective": "authorized individuals are provided with the capability to define or change the type and value of cybersecurity / data privacy attributes available for association with subjects and objects.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-16(10)[01]\n53A_R5_AC-16(10)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.11",
      "ao_id": "DCH-05.11_A01",
      "objective": "documented procedures exist to perform reviews of changes to cybersecurity / data privacy attributes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-05.11",
      "ao_id": "DCH-05.11_A02",
      "objective": "actions taken to respond to unauthorized changes are per the organization's Incident Response Plan (IRP) or similar documented procedures.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A01",
      "objective": "types of digital media to be securely stored are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A02",
      "objective": "types of non-digital media to be securely stored are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A03",
      "objective": "controlled areas within which to securely store digital media are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04_ODP[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A04",
      "objective": "controlled areas within which to securely store non-digital media are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04_ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A05",
      "objective": "types of digital media are securely stored within controlled areas.",
      "pptdf": "Facility",
      "origin": "53A_R5_MP-04a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all types of digital and non-digital media with sensitive information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A06",
      "objective": "types of non-digital media are securely stored within controlled areas.",
      "pptdf": "Facility",
      "origin": "53A_R5_MP-04a.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all types of digital and non-digital media with sensitive information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A07",
      "objective": "system media types are protected until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A08",
      "objective": "system media that contain sensitive / regulated data are physically controlled.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A09",
      "objective": "system media that contain sensitive / regulated data are securely stored.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A10",
      "objective": "system media that contain CUI are physically controlled.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.01[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06",
      "ao_id": "DCH-06_A11",
      "objective": "system media that contain CUI are securely stored.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.01[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.1",
      "ao_id": "DCH-06.1_A01",
      "objective": "types of digital media to be physically controlled are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.1",
      "ao_id": "DCH-06.1_A02",
      "objective": "types of non-digital media to be physically controlled are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.1",
      "ao_id": "DCH-06.1_A03",
      "objective": "types of digital media are physically controlled.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all types of digital and non-digital media with sensitive information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.1",
      "ao_id": "DCH-06.1_A04",
      "objective": "types of non-digital media are physically controlled.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all types of digital and non-digital media with sensitive information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.1",
      "ao_id": "DCH-06.1_A05",
      "objective": "system media types are protected until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.2",
      "ao_id": "DCH-06.2_A01",
      "objective": "an inventory is maintained for all sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.2",
      "ao_id": "DCH-06.2_A02",
      "objective": "recurring inventories keep sensitive / regulated data inventories current and accurate.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.3",
      "ao_id": "DCH-06.3_A01",
      "objective": "periodic scans of unstructured data sources are used to identify sensitive / regulated data, or data requiring special protection measures, per statutory, regulatory or contractual obligations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.3",
      "ao_id": "DCH-06.3_A02",
      "objective": "actions taken to respond to the discovery of unauthorized sensitive / regulated data repositories are per the organization's Incident Response Plan (IRP), or similar documented procedures.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.4",
      "ao_id": "DCH-06.4_A01",
      "objective": "the organization only uses current and supported technologies that are capable of implementing secure configurations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.4",
      "ao_id": "DCH-06.4_A02",
      "objective": "secure baseline configurations ensure sensitive / regulated data is rendered human unreadable anywhere that data is stored.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.5",
      "ao_id": "DCH-06.5_A01",
      "objective": "the storage of sensitive authentication data after authorization is prohibited.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-06.5",
      "ao_id": "DCH-06.5_A02",
      "objective": "secure baseline configurations ensure authentication data is not stored after authorization.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A01",
      "objective": "access to media containing sensitive / regulated data is controlled.",
      "pptdf": "Data",
      "origin": "171A_3.8.5[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A02",
      "objective": "accountability for media containing sensitive / regulated data is maintained during transport outside of controlled areas.",
      "pptdf": "People",
      "origin": "171A_3.8.5[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A03",
      "objective": "types of system media to protect and control during transport outside of controlled areas are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-05_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A04",
      "objective": "personnel authorized to conduct media transport activities is/are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-05d.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A05",
      "objective": "activities associated with the transport of system media are restricted to identified authorized personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-05d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A06",
      "objective": "controls used to protect system media outside of controlled areas are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-05_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A07",
      "objective": "controls used to control system media outside of controlled areas are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-05_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A08",
      "objective": "system media that contain sensitive / regulated data are protected during transport outside of controlled areas.",
      "pptdf": "Data",
      "origin": "53A_R5_MP-05a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "prior to leaving secure/controlled environment: for digital media, encryption in compliance with applicable requirements.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A09",
      "objective": "system media that contain sensitive / regulated data are controlled during transport outside of controlled areas.",
      "pptdf": "Data",
      "origin": "53A_R5_MP-05a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "prior to leaving secure/controlled environment: for digital media, encryption in compliance with applicable requirements.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A10",
      "objective": "accountability for system media that contain sensitive / regulated data is maintained during transport outside of controlled areas.",
      "pptdf": "People",
      "origin": "53A_R5_MP-05b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A11",
      "objective": "activities associated with the transport of system media that contain sensitive / regulated data are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-05c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A12",
      "objective": "system media that contain CUI are protected during transport outside of controlled areas.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.05.a[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A13",
      "objective": "system media that contain CUI are controlled during transport outside of controlled areas.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.05.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A14",
      "objective": "accountability for system media that contain CUI is maintained during transport outside of controlled areas.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.05.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07",
      "ao_id": "DCH-07_A15",
      "objective": "activities associated with the transport of system media that contain CUI are documented.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.05.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07.1",
      "ao_id": "DCH-07.1_A01",
      "objective": "a custodian to transport system media outside of controlled areas is identified.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-05(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07.1",
      "ao_id": "DCH-07.1_A02",
      "objective": "the identified custodian is employed during the transport of system media outside of controlled areas.",
      "pptdf": "People",
      "origin": "53A_R5_MP-05(03)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07.2",
      "ao_id": "DCH-07.2_A01",
      "objective": "information requiring cryptographic protection is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07.2",
      "ao_id": "DCH-07.2_A02",
      "objective": "system components or media requiring cryptographic protection is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-07.2",
      "ao_id": "DCH-07.2_A03",
      "objective": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and/or modification of information at rest on organization-defined system components or media.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-28(01)[01]\n53A_R5_SC-28(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A01",
      "objective": "system media to be sanitized prior to disposal is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A02",
      "objective": "system media to be sanitized prior to release from organizational control is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A03",
      "objective": "system media to be sanitized prior to release for reuse is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A04",
      "objective": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A05",
      "objective": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A06",
      "objective": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A07",
      "objective": "system media is sanitized using sanitization techniques and procedures prior to disposal.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "techniques and procedures IAW NIST SP 800-088 Section 4: Reuse and Disposal of Storage Media and Hardware",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A08",
      "objective": "system media is sanitized using sanitization techniques and procedures prior to release from organizational control.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "techniques and procedures IAW NIST SP 800-088 Section 4: Reuse and Disposal of Storage Media and Hardware",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A09",
      "objective": "system media is sanitized using sanitization techniques and procedures prior to release for reuse.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "techniques and procedures IAW NIST SP 800-088 Section 4: Reuse and Disposal of Storage Media and Hardware",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-08",
      "ao_id": "DCH-08_A10",
      "objective": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A01",
      "objective": "system media to be sanitized prior to disposal, release and/or reuse is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[01]\n53A_R5_MP-06_ODP[02]\n53A_R5_MP-06_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A02",
      "objective": "sanitization techniques and procedures to be used for sanitization prior to disposal, release and/or reuse are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[04]\n53A_R5_MP-06_ODP[05]\n53A_R5_MP-06_ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A03",
      "objective": "system media is sanitized using sanitization techniques and procedures prior to disposal, release and/or reuse.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06a.[01]\n53A_R5_MP-06a.[02]\n53A_R5_MP-06a.[03]\n171A_3.7.3",
      "assessment_rigor": "1",
      "scf_defined_parameters": "techniques and procedures IAW NIST SP 800-088 Section 4: Reuse and Disposal of Storage Media and Hardware",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A04",
      "objective": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A05",
      "objective": "circumstances requiring sanitization of portable storage devices are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(03)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A06",
      "objective": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under organization-defined circumstances.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(03)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A07",
      "objective": "equipment containing sensitive / regulated data is sanitized prior to disposal, reuse, or release out of organizational control.",
      "pptdf": "Technology",
      "origin": "171A_3.8.3[a]\n171A_3.8.3[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A08",
      "objective": "system media that contain CUI are sanitized prior to disposal, release out of organizational control, or release for reuse.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.08.03",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A09",
      "objective": "system media containing sensitive/regulated data is sanitized or destroyed before disposal.",
      "pptdf": "Data",
      "origin": "CMMC L1 Assessment Guide",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09",
      "ao_id": "DCH-09_A10",
      "objective": "system media containing sensitive/regulated data is sanitized before it is released for reuse.",
      "pptdf": "Data",
      "origin": "CMMC L1 Assessment Guide",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.1",
      "ao_id": "DCH-09.1_A01",
      "objective": "media sanitization and disposal actions are reviewed.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.1",
      "ao_id": "DCH-09.1_A02",
      "objective": "media sanitization and disposal actions are approved.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.1",
      "ao_id": "DCH-09.1_A03",
      "objective": "media sanitization and disposal actions are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(01)[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.1",
      "ao_id": "DCH-09.1_A04",
      "objective": "media sanitization and disposal actions are tracked.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06(01)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.1",
      "ao_id": "DCH-09.1_A05",
      "objective": "media sanitization and disposal actions are verified.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06(01)[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.2",
      "ao_id": "DCH-09.2_A01",
      "objective": "the frequency with which to test sanitization equipment / procedures is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(02)_ODP[01]\n53A_R5_MP-06(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.2",
      "ao_id": "DCH-09.2_A02",
      "objective": "sanitization equipment / procedures are tested at the defined frequency to ensure that the intended sanitization is achieved.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06(02)[01]\n53A_R5_MP-06(02)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.3",
      "ao_id": "DCH-09.3_A01",
      "objective": "system media to be sanitized prior to disposal is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.3",
      "ao_id": "DCH-09.3_A02",
      "objective": "types of Personal Data (PD) to be sanitized prior to disposal are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.3",
      "ao_id": "DCH-09.3_A03",
      "objective": "sanitization techniques and procedures to be used for sanitization of Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.3",
      "ao_id": "DCH-09.3_A04",
      "objective": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed for the sanitization of Personal Data.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.4",
      "ao_id": "DCH-09.4_A01",
      "objective": "circumstances requiring sanitization of portable storage devices are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.4",
      "ao_id": "DCH-09.4_A02",
      "objective": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under organization-defined circumstances.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.5",
      "ao_id": "DCH-09.5_A01",
      "objective": "system media to be sanitized using dual authorization is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(07)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-09.5",
      "ao_id": "DCH-09.5_A02",
      "objective": "dual authorization for sanitization of system media is enforced.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(07)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10",
      "ao_id": "DCH-10_A01",
      "objective": "the use of removable media on system components is controlled.",
      "pptdf": "Technology",
      "origin": "171A_3.8.7\n53A_R5_MP-07_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10",
      "ao_id": "DCH-10_A02",
      "objective": "organization-defined types of system media are restricted or prohibited.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10",
      "ao_id": "DCH-10_A03",
      "objective": "types of system media with usage restrictions or that are prohibited from use are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-07_ODP[01]\n171A_R3_A.03.08.07.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10",
      "ao_id": "DCH-10_A04",
      "objective": "systems or system components on which the use of specific types of system media is to be restricted or prohibited are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-07_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10",
      "ao_id": "DCH-10_A05",
      "objective": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-07_ODP[04]\n53A_R5_MP-07_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10",
      "ao_id": "DCH-10_A06",
      "objective": "the use of organization-defined types of system media is restricted or prohibited on organization-defined systems or system components using organization-defined controls.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-07a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10",
      "ao_id": "DCH-10_A07",
      "objective": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-07b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10",
      "ao_id": "DCH-10_A08",
      "objective": "the use of the following types of system media is restricted or prohibited: <A.03.08.07.ODP[01]: types of system media>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.08.07.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "any removable media not managed by or on behalf of the organization",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10.1",
      "ao_id": "DCH-10.1_A01",
      "objective": "the use of sensitive / regulated data is restricted to approved business practices.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10.1",
      "ao_id": "DCH-10.1_A02",
      "objective": "the distribution of sensitive / regulated data is restricted to authorized personnel.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10.2",
      "ao_id": "DCH-10.2_A01",
      "objective": "the use of portable storage devices is prohibited when such devices have no identifiable owner.",
      "pptdf": "Technology",
      "origin": "171A_3.8.8",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-10.2",
      "ao_id": "DCH-10.2_A02",
      "objective": "the use of removable system media without an identifiable owner is prohibited.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.08.07.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A01",
      "objective": "a system media downgrading process is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A02",
      "objective": "system media requiring downgrading is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A03",
      "objective": "a system media downgrading process is established.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A04",
      "objective": "the system media downgrading process includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A05",
      "objective": "there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A06",
      "objective": "there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A07",
      "objective": "system media requiring downgrading is identified.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A08",
      "objective": "the identified system media is downgraded using the system media downgrading process.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A09",
      "objective": "system media containing sensitive and/or regulated information is identified.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-08(03)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-11",
      "ao_id": "DCH-11_A10",
      "objective": "system media containing sensitive and/or regulated information is downgraded prior to public release.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-08(03)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-12",
      "ao_id": "DCH-12_A01",
      "objective": "removable media restrictions are in accordance with data handling and acceptable usage requirements.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A01",
      "objective": "connections to external systems are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.20[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A02",
      "objective": "the use of external systems is identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.20[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A03",
      "objective": "connections to external systems are verified.",
      "pptdf": "Process",
      "origin": "171A_3.1.20[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A04",
      "objective": "the use of external systems is verified.",
      "pptdf": "Process",
      "origin": "171A_3.1.20[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A05",
      "objective": "connections to external systems are controlled/limited.",
      "pptdf": "Technology",
      "origin": "171A_3.1.20[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A06",
      "objective": "the use of external systems is controlled/limited.",
      "pptdf": "Technology",
      "origin": "171A_3.1.20[f]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A07",
      "objective": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-20_ODP[01]\n53A_R5_AC-20_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A08",
      "objective": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-20_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A09",
      "objective": "types of external systems prohibited from use are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-20_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A10",
      "objective": "organization-defined criteria are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable).",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-20a.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A11",
      "objective": "organization-defined criteria are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store or transmit organization-controlled information using external systems (if applicable).",
      "pptdf": "Process",
      "origin": "53A_R5_AC-20a.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A12",
      "objective": "the use of organization-defined prohibited types of external systems is prohibited (if applicable).",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-20b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A13",
      "objective": "security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.20.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A14",
      "objective": "the use of external systems is prohibited unless the systems are specifically authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.20.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A15",
      "objective": "the following security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are established: <A.03.01.20.ODP[01]: security requirements>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.20.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. If applicable, use NIST SP 800-47 as a guide for establishing information exchanges between organizations.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A16",
      "objective": "authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit CUI only after verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.20.c.01",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13",
      "ao_id": "DCH-13_A17",
      "objective": "authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit CUI only after retaining approved system connection or processing agreements with the organizational entity hosting the external systems.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.20.c.02",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.1",
      "ao_id": "DCH-13.1_A01",
      "objective": "authorized individuals are permitted to use an external system to access the system or to process, store or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization's cybersecurity / data privacy policies and cybersecurity / data privacy plans (if applicable).",
      "pptdf": "Data",
      "origin": "53A_R5_AC-20(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.1",
      "ao_id": "DCH-13.1_A02",
      "objective": "authorized individuals are permitted to use an external system to access the system or to process, store or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).",
      "pptdf": "Data",
      "origin": "53A_R5_AC-20(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.2",
      "ao_id": "DCH-13.2_A01",
      "objective": "the use of portable storage devices containing sensitive / regulated data on external systems is identified and documented.",
      "pptdf": "Process",
      "origin": "171A_3.1.21[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.2",
      "ao_id": "DCH-13.2_A02",
      "objective": "limits on the use of portable storage devices containing sensitive / regulated data on external systems are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.21[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.2",
      "ao_id": "DCH-13.2_A03",
      "objective": "the use of portable storage devices containing sensitive / regulated data on external systems is limited as defined.",
      "pptdf": "Technology",
      "origin": "171A_3.1.21[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.2",
      "ao_id": "DCH-13.2_A04",
      "objective": "restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-20(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.2",
      "ao_id": "DCH-13.2_A05",
      "objective": "the use of organization-controlled portable storage devices by authorized individuals on external systems is restricted.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-20(02)\n171A_R3_A.03.01.20.d",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.3",
      "ao_id": "DCH-13.3_A01",
      "objective": "the frequency at which to review / update the procedures is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-17_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.3",
      "ao_id": "DCH-13.3_A02",
      "objective": "organizational controls ensure that requirements for the protection of sensitive and/or regulated information that is processed, stored or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations and standards.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-17a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.3",
      "ao_id": "DCH-13.3_A03",
      "objective": "procedures are established to ensure that requirements for the protection of sensitive and/or regulated information that is processed, stored or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations and standards.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-17a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.3",
      "ao_id": "DCH-13.3_A04",
      "objective": "procedures are reviewed / updated at the defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-17b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.4",
      "ao_id": "DCH-13.4_A01",
      "objective": "restrictions on the use of non-organizationally owned systems or system components to process, store or transmit organizational information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-20(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.4",
      "ao_id": "DCH-13.4_A02",
      "objective": "the use of non-organizationally owned systems or system components to process, store or transmit organizational information is restricted using organization-defined restrictions.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-20(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.4",
      "ao_id": "DCH-13.4_A03",
      "objective": "information resources that are owned, provisioned or issued by the organization are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.2e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-13.4",
      "ao_id": "DCH-13.4_A04",
      "objective": "access to systems and system components is restricted to only those information resources that are owned, provisioned or issued by the organization.",
      "pptdf": "Technology",
      "origin": "172A_3.1.2e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-14",
      "ao_id": "DCH-14_A01",
      "objective": "information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-21_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-14",
      "ao_id": "DCH-14_A02",
      "objective": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for organization-defined information-sharing circumstances.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-21a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-14",
      "ao_id": "DCH-14_A03",
      "objective": "automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-21_ODP[02]\n53A_R5_AC-21b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-14.1",
      "ao_id": "DCH-14.1_A01",
      "objective": "information-sharing restrictions to be enforced by information search and retrieval services are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-21(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-14.1",
      "ao_id": "DCH-14.1_A02",
      "objective": "information search and retrieval services that enforce organization-defined information-sharing restrictions are implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-21(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-14.2",
      "ao_id": "DCH-14.2_A01",
      "objective": "individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to accepting such data.",
      "pptdf": "Technology",
      "origin": "53A_R5_CA-03(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-14.3",
      "ao_id": "DCH-14.3_A01",
      "objective": "a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) is documented to determine the personnel with whom sensitive / regulated data is shared.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A01",
      "objective": "individuals authorized to post or process information on publicly accessible systems are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.22[a]\n53A_R5_AC-22a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A02",
      "objective": "procedures to ensure sensitive / regulated data is not posted or processed on publicly accessible systems are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.22[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A03",
      "objective": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included.",
      "pptdf": "Process",
      "origin": "171A_3.1.22[c]\n53A_R5_AC-22c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A04",
      "objective": "the content on publicly accessible systems is reviewed for sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A05",
      "objective": "mechanisms are in place to remove and address improper posting of sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "171A_3.1.22[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A06",
      "objective": "the frequency at which to review the content on the publicly accessible system for non-public information is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-22_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A07",
      "objective": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information.",
      "pptdf": "People",
      "origin": "53A_R5_AC-22b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A08",
      "objective": "authorized individuals are trained to ensure that publicly accessible information does not contain CUI.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.22.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A09",
      "objective": "CUI is removed from publicly accessible systems, if discovered.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.22.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A10",
      "objective": "content on publicly accessible systems is reviewed to ensure that it does not include CUI.",
      "pptdf": "Data",
      "origin": "171A_3.1.22[d]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A11",
      "objective": "the content on publicly accessible systems is reviewed for CUI.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.22.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A12",
      "objective": "a review process is in place prior to posting of any content to publicly accessible systems.",
      "pptdf": "Process",
      "origin": "CMMC L1 Assessment Guide",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-15",
      "ao_id": "DCH-15_A13",
      "objective": "content on publicly accessible systems is reviewed to ensure that it does not include sensitive/regulated data.",
      "pptdf": "Data",
      "origin": "CMMC L1 Assessment Guide",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-16",
      "ao_id": "DCH-16_A01",
      "objective": "data mining prevention and detection techniques are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-23_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-16",
      "ao_id": "DCH-16_A02",
      "objective": "data storage objects to be protected against unauthorized data mining are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-23_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-16",
      "ao_id": "DCH-16_A03",
      "objective": "mechanisms are employed for organization-defined data storage objects to detect and protect against unauthorized data mining.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-23",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-17",
      "ao_id": "DCH-17_A01",
      "objective": "ad-hoc exchanges of large digital files with internal or external parties are secured according to organization-defined protection criteria.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A01",
      "objective": "the frequency with which to conduct reviews of persistent organizational storage locations is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.5e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A02",
      "objective": "persistent organizational storage locations are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.5e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A03",
      "objective": "reviews of persistent organizational storage locations are conducted per an organization-defined frequency to identify sensitive / regulated data that is no longer needed.",
      "pptdf": "Process",
      "origin": "172A_3.14.5e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A04",
      "objective": "sensitive / regulated data that is no longer needed is removed.",
      "pptdf": "Data",
      "origin": "172A_3.14.5e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A05",
      "objective": "sensitive / regulated data within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-12[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A06",
      "objective": "sensitive / regulated data within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-12[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A07",
      "objective": "sensitive / regulated data output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-12[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A08",
      "objective": "sensitive / regulated data output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-12[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A09",
      "objective": "CUI within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.14.08[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A10",
      "objective": "CUI within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.14.08[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A11",
      "objective": "CUI output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.14.08[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18",
      "ao_id": "DCH-18_A12",
      "objective": "CUI output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.14.08[04]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18.1",
      "ao_id": "DCH-18.1_A01",
      "objective": "elements of Personal Data (PD) being processed in the information life cycle are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18.1",
      "ao_id": "DCH-18.1_A02",
      "objective": "Personal Data (PD) being processed in the information life cycle is limited to organization-defined elements of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18.2",
      "ao_id": "DCH-18.2_A01",
      "objective": "the developer of the system or system component is required to minimize the use of Personal Data (PD) in development and test environments.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(12)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18.2",
      "ao_id": "DCH-18.2_A02",
      "objective": "techniques used to minimize the use of Personal Data (PD) for research, testing and training are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(02)_ODP[01]\n53A_R5_SI-12(02)_ODP[02]\n53A_R5_SI-12(02)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18.2",
      "ao_id": "DCH-18.2_A03",
      "objective": "organization-defined techniques are used to minimize the use of Personal Data (PD) for research, testing and training.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(02)[01]\n53A_R5_SI-12(02)[02]\n53A_R5_SI-12(02)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18.2",
      "ao_id": "DCH-18.2_A04",
      "objective": "processes that implement the privacy principle of minimization are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(33)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18.2",
      "ao_id": "DCH-18.2_A05",
      "objective": "the privacy principle of minimization is implemented using organization-defined processes.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(33)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-18.3",
      "ao_id": "DCH-18.3_A01",
      "objective": "periodic checks of temporary files for the existence of Personal Data (PD) are performed.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-19",
      "ao_id": "DCH-19_A01",
      "objective": "locations where information processing and data storage is/are to be restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)_ODP[01]\n53A_R5_SA-09(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-19",
      "ao_id": "DCH-19_A02",
      "objective": "requirements or conditions for restricting the location of information processing, information storage or information services are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-19",
      "ao_id": "DCH-19_A03",
      "objective": "based on requirements, information processing, information storage or information services is/are restricted to locations.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-19",
      "ao_id": "DCH-19_A04",
      "objective": "the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.",
      "pptdf": "Data",
      "origin": "53A_R5_SA-09(08)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-20",
      "ao_id": "DCH-20_A01",
      "objective": "archived data is protected in accordance with applicable statutory, regulatory and contractual obligations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-21",
      "ao_id": "DCH-21_A01",
      "objective": "techniques used to dispose of, destroy and/or erase information following the retention period are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(03)_ODP[01]\n53A_R5_SI-12(03)_ODP[02]\n53A_R5_SI-12(03)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-21",
      "ao_id": "DCH-21_A02",
      "objective": "organization-defined techniques are used to dispose of, destroy and/or erase following the retention period.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(03)[01]\n53A_R5_SI-12(03)[02]\n53A_R5_SI-12(03)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A01",
      "objective": "organization-wide policies for Personal Data (PD) quality management are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A02",
      "objective": "organization-wide procedures for Personal Data (PD) quality management are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A03",
      "objective": "the policies address reviewing the accuracy of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A04",
      "objective": "the policies address reviewing the relevance of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A05",
      "objective": "the policies address reviewing the timeliness of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A06",
      "objective": "the policies address reviewing the completeness of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A07",
      "objective": "the procedures address reviewing the accuracy of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A08",
      "objective": "the procedures address reviewing the relevance of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A09",
      "objective": "the procedures address reviewing the timeliness of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A10",
      "objective": "the procedures address reviewing the completeness of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A11",
      "objective": "the policies address correcting or deleting inaccurate or outdated Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A12",
      "objective": "the procedures address correcting or deleting inaccurate or outdated Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A13",
      "objective": "the policies address disseminating notice of corrected or deleted Personal Data (PD) to individuals or other appropriate entities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A14",
      "objective": "the procedures address disseminating notice of corrected or deleted Personal Data (PD) to individuals or other appropriate entities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A15",
      "objective": "the policies address appeals of adverse decisions on correction or deletion requests.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A16",
      "objective": "the procedures address appeals of adverse decisions on correction or deletion requests.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A17",
      "objective": "the frequency at which to check the accuracy of Personal Data (PD) across the information life cycle is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A18",
      "objective": "the frequency at which to check the relevance of Personal Data (PD) across the information life cycle is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A19",
      "objective": "the frequency at which to check the timeliness of Personal Data (PD) across the information life cycle is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A20",
      "objective": "the frequency at which to check the completeness of Personal Data (PD) across the information life cycle is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A21",
      "objective": "the accuracy of Personal Data (PD) across the information life cycle is checked frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A22",
      "objective": "the relevance of Personal Data (PD) across the information life cycle is checked frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A23",
      "objective": "the timeliness of Personal Data (PD) across the information life cycle is checked frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A24",
      "objective": "the completeness of Personal Data (PD) across the information life cycle is checked frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A25",
      "objective": "inaccurate or outdated Personal Data (PD) is corrected or deleted.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A26",
      "objective": "automated mechanisms used to correct or delete Personal Data (PD) that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(01)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22",
      "ao_id": "DCH-22_A27",
      "objective": "automated mechanisms are used to correct or delete Personal Data (PD) that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-18(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.1",
      "ao_id": "DCH-22.1_A01",
      "objective": "Personal Data (PD) is corrected, or deleted, upon request by individuals or their designated representatives.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(04)\n53A_R5_SI-18b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.1",
      "ao_id": "DCH-22.1_A02",
      "objective": "recipients and individuals are notified when their Personal Data (PD) has been corrected or deleted.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.1",
      "ao_id": "DCH-22.1_A03",
      "objective": "recipients of Personal Data (PD) to be notified when their PD has been corrected or deleted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(05)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.1",
      "ao_id": "DCH-22.1_A04",
      "objective": "automated mechanisms used to correct or delete Personal Data (PD) that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(01)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.1",
      "ao_id": "DCH-22.1_A05",
      "objective": "automated mechanisms are used to correct or delete Personal Data (PD) that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-18(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.2",
      "ao_id": "DCH-22.2_A01",
      "objective": "data tags are employed to automate the correction or deletion of Personal Data (PD) across the information life cycle within organizational systems.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-18(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.2",
      "ao_id": "DCH-22.2_A02",
      "objective": "the authorized processing of Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.2",
      "ao_id": "DCH-22.2_A03",
      "objective": "elements of Personal Data (PD) to be tagged are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02(01)_ODP[02]\n53A_R5_PT-03(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.2",
      "ao_id": "DCH-22.2_A04",
      "objective": "data tags containing authorized processing are attached to elements of Personal Data (PD).",
      "pptdf": "Data",
      "origin": "53A_R5_PT-02(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.2",
      "ao_id": "DCH-22.2_A05",
      "objective": "processing purposes to be contained in data tags are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.2",
      "ao_id": "DCH-22.2_A06",
      "objective": "data tags containing processing purposes are attached to elements of Personal Data (PD).",
      "pptdf": "Data",
      "origin": "53A_R5_PT-03(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-22.3",
      "ao_id": "DCH-22.3_A01",
      "objective": "Personal Data (PD) is collected directly from the individual.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23",
      "ao_id": "DCH-23_A01",
      "objective": "elements of Personal Data (PD) to be removed from datasets are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-19_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23",
      "ao_id": "DCH-23_A02",
      "objective": "the frequency at which to evaluate the effectiveness of de-identification is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-19_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23",
      "ao_id": "DCH-23_A03",
      "objective": "elements are removed from datasets.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-19a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23",
      "ao_id": "DCH-23_A04",
      "objective": "the effectiveness of de-identification is evaluated frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-19b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.1",
      "ao_id": "DCH-23.1_A01",
      "objective": "the dataset is de-identified upon collection by not collecting Personal Data (PD).",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-19(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.2",
      "ao_id": "DCH-23.2_A01",
      "objective": "the archiving of Personal Data (PD) elements is prohibited if those elements in a dataset will not be needed after the dataset is archived.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-19(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.3",
      "ao_id": "DCH-23.3_A01",
      "objective": "Personal Data (PD) elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-19(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.4",
      "ao_id": "DCH-23.4_A01",
      "objective": "direct identifiers in a dataset are removed, masked, encrypted, hashed or replaced.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-19(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.5",
      "ao_id": "DCH-23.5_A01",
      "objective": "numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-19(05)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.5",
      "ao_id": "DCH-23.5_A02",
      "objective": "contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-19(05)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.5",
      "ao_id": "DCH-23.5_A03",
      "objective": "statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-19(05)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.6",
      "ao_id": "DCH-23.6_A01",
      "objective": "the disclosure of Personal Data (PD) is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-19(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.7",
      "ao_id": "DCH-23.7_A01",
      "objective": "de-identification is performed using validated algorithms.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-19(07)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.7",
      "ao_id": "DCH-23.7_A02",
      "objective": "de-identification is performed using software that is validated to implement the algorithms.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-19(07)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.8",
      "ao_id": "DCH-23.8_A01",
      "objective": "a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-19(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-23.9",
      "ao_id": "DCH-23.9_A01",
      "objective": "aliases used to name assets that are mission-critical and/or contain highly-sensitive / regulated data are unique and not readily associated with a product, project or type of data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A01",
      "objective": "information for which the location is to be identified and documented is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A02",
      "objective": "the location of sensitive / regulated data is identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A03",
      "objective": "the specific system components on which organization-defined information is processed are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A04",
      "objective": "the specific system components on which organization-defined information is stored are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A05",
      "objective": "changes to the location (e.g., system or system components) where organization-defined information is processed are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12c.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A06",
      "objective": "changes to the location (e.g., system or system components) where organization-defined information is stored are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12c.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A07",
      "objective": "the users who have access to the system and system components where organization-defined information is processed are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A08",
      "objective": "the users who have access to the system and system components where organization-defined information is stored are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24",
      "ao_id": "DCH-24_A09",
      "objective": "the location of CUI is identified and documented.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.04.11.a[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24.1",
      "ao_id": "DCH-24.1_A01",
      "objective": "information to be protected is defined by information type.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24.1",
      "ao_id": "DCH-24.1_A02",
      "objective": "system components where the information is located are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-12(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-24.1",
      "ao_id": "DCH-24.1_A03",
      "objective": "automated tools are used to identify information by information type on system components to ensure that controls are in place to protect organizational information and individual privacy.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-12(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-25",
      "ao_id": "DCH-25_A01",
      "objective": "the statutory, regulatory and/or contractual basis that restricts the transfer of sensitive and/or regulated data to third-countries or international organizations is identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-25",
      "ao_id": "DCH-25_A02",
      "objective": "mechanisms to restrict the transfer of sensitive and/or regulated data to third-countries or international organizations are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-25",
      "ao_id": "DCH-25_A03",
      "objective": "mechanisms to restrict the transfer of sensitive and/or regulated data to third-countries or international organizations are implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-25.1",
      "ao_id": "DCH-25.1_A01",
      "objective": "organization-specific \"normal business activities\" are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-25.1",
      "ao_id": "DCH-25.1_A02",
      "objective": "mechanisms are implemented to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-26",
      "ao_id": "DCH-26_A01",
      "objective": "executive leadership, along with legal counsel, formally identifies primary risks associated with compliance (e.g., loss of confidentiality and/or integrity considerations with data governance).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-26",
      "ao_id": "DCH-26_A02",
      "objective": "executive leadership, along with legal counsel, formally identifies secondary risks associated with compliance (e.g., non-compliance with other laws, regulations and contractual agreements).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-26",
      "ao_id": "DCH-26_A03",
      "objective": "executive leadership, along with legal counsel, formally identifies tertiary risks associated with compliance (e.g., human rights abuses, theft of intellectual property, espionage, etc.).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-26",
      "ao_id": "DCH-26_A04",
      "objective": "data localization is designed with defense-in-depth architecture to prevent host nations (where data is localized) from accessing other organizational assets not in the same geographic location as the host nation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-27",
      "ao_id": "DCH-27_A01",
      "objective": "Data Rights Management (DRM), or similar technologies, are implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "DCH-27",
      "ao_id": "DCH-27_A02",
      "objective": "Data Rights Management (DRM), or similar technologies, are configured to protect Intellectual Property (IP) rights by preventing the unauthorized distribution and/or modification of sensitive IP.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-01",
      "ao_id": "EMB-01_A01",
      "objective": "embedded technology controls are implemented to protect the confidentiality of Operational Technology (OT) and/or Internet of Things (IoT) technologies.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-01",
      "ao_id": "EMB-01_A02",
      "objective": "embedded technology controls are implemented to protect the integrity of Operational Technology (OT) and/or Internet of Things (IoT) technologies.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-01",
      "ao_id": "EMB-01_A03",
      "objective": "embedded technology controls are implemented to protect the availability of Operational Technology (OT) and/or Internet of Things (IoT) technologies.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-01",
      "ao_id": "EMB-01_A04",
      "objective": "embedded technology controls are implemented to protect the safety of Operational Technology (OT) and/or Internet of Things (IoT) technologies.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-01",
      "ao_id": "EMB-01_A05",
      "objective": "embedded technology management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-01",
      "ao_id": "EMB-01_A06",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support embedded technology management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-01",
      "ao_id": "EMB-01_A07",
      "objective": "responsibility and authority for the performance of embedded technology management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-01",
      "ao_id": "EMB-01_A08",
      "objective": "personnel performing embedded technology management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-02",
      "ao_id": "EMB-02_A01",
      "objective": "cybersecurity / data privacy risks associated with Internet of Things (IoT) are proactively managed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-03",
      "ao_id": "EMB-03_A01",
      "objective": "cybersecurity / data privacy risks associated with Operational Technology (OT) are proactively managed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-04",
      "ao_id": "EMB-04_A01",
      "objective": "embedded devices are protected against unauthorized use of the physical factory diagnostic and test interface(s).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-05",
      "ao_id": "EMB-05_A01",
      "objective": "embedded devices generate log entries when configuration changes or attempts to access interfaces are detected.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-06",
      "ao_id": "EMB-06_A01",
      "objective": "embedded devices are protected by preventing the unauthorized installation and execution of software.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-07",
      "ao_id": "EMB-07_A01",
      "objective": "embedded devices are capable of securely receiving software updates and upgraded functionality.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-08",
      "ao_id": "EMB-08_A01",
      "objective": "embedded technologies are configured to be resilient to data network and power outages.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-09",
      "ao_id": "EMB-09_A01",
      "objective": "power levels of embedded technologies are monitored for decreased or excessive power usage, including battery drainage.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-09",
      "ao_id": "EMB-09_A02",
      "objective": "incidents of decreased or excessive power usage, including battery drainage, are investigated for device tampering.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-10",
      "ao_id": "EMB-10_A01",
      "objective": "deployed embedded technologies are evaluated per an organization-defined interval (no less than annually) to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-11",
      "ao_id": "EMB-11_A01",
      "objective": "configurations enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-12",
      "ao_id": "EMB-12_A01",
      "objective": "configurations for embedded technologies require the embedded technology to initiate all communications and to drop new, incoming communications.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-13",
      "ao_id": "EMB-13_A01",
      "objective": "configurations for embedded technologies restrict communications to authorized peers and service endpoints.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-14",
      "ao_id": "EMB-14_A01",
      "objective": "embedded technologies certifications are verified for use in the proposed operating environment.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-15",
      "ao_id": "EMB-15_A01",
      "objective": "the safety aspects of embedded technologies are evaluated via a fault tree analysis or similar method, to determine possible consequences of misuse, misconfiguration and/or failure.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-16",
      "ao_id": "EMB-16_A01",
      "objective": "certificate-based authentication is enforced for embedded technologies (e.g., IoT, OT, etc.) and their supporting services.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-17",
      "ao_id": "EMB-17_A01",
      "objective": "embedded technologies utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-18",
      "ao_id": "EMB-18_A01",
      "objective": "embedded technologies utilize a securely configured Real-Time Operating System (RTOS).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "EMB-19",
      "ao_id": "EMB-19_A01",
      "objective": "autonomous systems are continuously validated to trigger an automatic state change when safe operation is no longer assured.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A01",
      "objective": "security configuration settings for information technology products employed in the system are established and included in the baseline configuration.",
      "pptdf": "Technology",
      "origin": "171A_3.4.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A02",
      "objective": "a current baseline configuration for systems, applications and services is developed and documented.",
      "pptdf": "Process",
      "origin": "171A_3.4.1[a]\n53A_R5_CM-02a.[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A03",
      "objective": "the baseline configuration includes hardware, software, firmware and documentation.",
      "pptdf": "Technology",
      "origin": "171A_3.4.1[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A04",
      "objective": "the baseline configuration is maintained (reviewed / updated) throughout the system development life cycle under configuration control.",
      "pptdf": "Process",
      "origin": "171A_3.4.1[c]\n53A_R5_CM-02a.[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A05",
      "objective": "security configuration settings for information technology products employed in the system are enforced.",
      "pptdf": "Technology",
      "origin": "171A_3.4.2[b]\n53A_R5_CM-06b.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A06",
      "objective": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using organization-defined common secure configurations.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-06a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A07",
      "objective": "a control baseline for the system is selected.",
      "pptdf": "Technology",
      "origin": "53A_R5_PL-10",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A08",
      "objective": "thresholds to which attack surfaces are to be reduced are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(05)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A09",
      "objective": "the developer of the system, system component or system service is required to reduce attack surfaces to organization-defined thresholds.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(05)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A10",
      "objective": "approved authorizations are enforced for controlling the flow of CUI within the system.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.03[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A11",
      "objective": "endpoint security management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A12",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support endpoint security management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A13",
      "objective": "responsibility and authority for the performance of endpoint security management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01",
      "ao_id": "END-01_A14",
      "objective": "personnel performing endpoint security management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-01.1",
      "ao_id": "END-01.1_A01",
      "objective": "a centralized Unified Endpoint Device Management (UEDM) solution is used to provide agent and/or agentless management of endpoint devices, regardless of device location.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-02",
      "ao_id": "END-02_A01",
      "objective": "the confidentiality and integrity of sensitive / regulated data at rest is protected.",
      "pptdf": "Technology",
      "origin": "171A_3.13.16\n53A_R5_SC-28_ODP[01]\n53A_R5_SC-28",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-02",
      "ao_id": "END-02_A02",
      "objective": "information at rest requiring protection is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-28_ODP[01]\n53A_R5_SC-28_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03",
      "ao_id": "END-03_A01",
      "objective": "policies governing the installation of software by users are established.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-11_ODP[01]\n53A_R5_CM-11a.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03",
      "ao_id": "END-03_A02",
      "objective": "user installation of software is allowed only with explicit privileged status.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-11(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03",
      "ao_id": "END-03_A03",
      "objective": "methods used to enforce software installation policies are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-11_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03",
      "ao_id": "END-03_A04",
      "objective": "the frequency with which to monitor compliance is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-11_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03",
      "ao_id": "END-03_A05",
      "objective": "software installation policies are enforced through the defined methods.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-11b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03",
      "ao_id": "END-03_A06",
      "objective": "compliance with policies is monitored at the defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-11c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "continuously",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.1",
      "ao_id": "END-03.1_A01",
      "objective": "compliance with software installation policies is monitored using organization-defined automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-11(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.1",
      "ao_id": "END-03.1_A02",
      "objective": "automated mechanisms used to detect the presence of unauthorized hardware, software and/or firmware within the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)_ODP[01]\n53A_R5_CM-08(03)_ODP[02]\n53A_R5_CM-08(03)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.1",
      "ao_id": "END-03.1_A03",
      "objective": "the presence of unauthorized hardware, software and/or firmware within the system is detected using automated mechanisms at the defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)(a)[01]\n53A_R5_CM-08(03)(a)[02]\n53A_R5_CM-08(03)(a)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "continuously",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.1",
      "ao_id": "END-03.1_A04",
      "objective": "the frequency at which automated mechanisms are used to detect the presence of unauthorized hardware, software and/or firmware within the system is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "automated mechanisms with a maximum five-minute delay in detection",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.1",
      "ao_id": "END-03.1_A05",
      "objective": "automated mechanisms disable network access by unauthorized components, isolate unauthorized components and/or notify organization-defined personnel or roles.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-08(03)_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.1",
      "ao_id": "END-03.1_A06",
      "objective": "personnel or roles to be notified when unauthorized components are detected is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-08(03)_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.1",
      "ao_id": "END-03.1_A07",
      "objective": "organization-defined actions are taken when unauthorized hardware, software and/or firmware is detected.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-08(03)(b)[01]\n53A_R5_CM-08(03)(b)[02]\n53A_R5_CM-08(03)(b)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.2",
      "ao_id": "END-03.2_A01",
      "objective": "physical access restrictions associated with changes to the system are defined and documented.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[a]\n171A_3.4.5[b]\n53A_R5_CM-05[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.2",
      "ao_id": "END-03.2_A02",
      "objective": "physical access restrictions associated with changes to the system are approved.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[c]\n53A_R5_CM-05[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.2",
      "ao_id": "END-03.2_A03",
      "objective": "physical access restrictions associated with changes to the system are enforced.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[d]\n53A_R5_CM-05[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.2",
      "ao_id": "END-03.2_A04",
      "objective": "logical access restrictions associated with changes to the system are defined and documented.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[e]\n171A_3.4.5[f]\n53A_R5_CM-05[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.2",
      "ao_id": "END-03.2_A05",
      "objective": "logical access restrictions associated with changes to the system are approved.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[g]\n53A_R5_CM-05[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-03.2",
      "ao_id": "END-03.2_A06",
      "objective": "logical access restrictions associated with changes to the system are enforced.",
      "pptdf": "Process",
      "origin": "171A_3.4.5[h]\n53A_R5_CM-05[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A01",
      "objective": "the frequency for malicious code scans is defined.",
      "pptdf": "Process",
      "origin": "171A_3.14.5[a]\n53A_R5_SI-03_ODP[01]\n53A_R5_SI-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A02",
      "objective": "malicious code scans are performed with the defined frequency.",
      "pptdf": "Process",
      "origin": "171A_3.14.5[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A03",
      "objective": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed.",
      "pptdf": "Technology",
      "origin": "171A_3.14.5[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A04",
      "objective": "designated locations for malicious code protection are identified.",
      "pptdf": "Process",
      "origin": "171A_3.14.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A05",
      "objective": "protection from malicious code at designated locations is provided.",
      "pptdf": "Technology",
      "origin": "171A_3.14.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A06",
      "objective": "actions to be taken in response to malicious code detection are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-03_ODP[04]\n53A_R5_SI-03_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A07",
      "objective": "personnel or roles to be alerted when malicious code is detected is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-03_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A08",
      "objective": "malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03_ODP[01]\n53A_R5_SI-03a.[01]\n171A_R3_A.03.14.02.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A09",
      "objective": "malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03_ODP[04]\n53A_R5_SI-03a.[02]\n171A_R3_A.03.14.02.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A10",
      "objective": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A11",
      "objective": "malicious code protection mechanisms are configured to perform periodic scans of the system at the defined frequency.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03c.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A12",
      "objective": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed in accordance with organizational policy.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03c.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A13",
      "objective": "malicious code protection mechanisms are configured to respond to malicious code detection.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03c.02[01]\n53A_R5_SI-03_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A14",
      "objective": "malicious code protection mechanisms are configured to send alerts to personnel or roles in response to malicious code detection.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03c.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A15",
      "objective": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A16",
      "objective": "malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A17",
      "objective": "malicious code protection mechanisms are configured to block malicious code, quarantine malicious code, or take other actions in response to malicious code detection.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.02.c.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04",
      "ao_id": "END-04_A18",
      "objective": "the frequency at which malicious code protection mechanisms perform scans is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.14.02.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.1",
      "ao_id": "END-04.1_A01",
      "objective": "malicious code protection mechanisms are updated as new releases are available.",
      "pptdf": "Technology",
      "origin": "171A_3.14.4",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.1",
      "ao_id": "END-04.1_A02",
      "objective": "malicious code protection mechanisms are updated as new releases are available in accordance with configuration management policy and procedures.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.02.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.1",
      "ao_id": "END-04.1_A03",
      "objective": "malicious code protection mechanisms are updated when new releases are available.",
      "pptdf": "Technology",
      "origin": "CMMC L1 Assessment Guide",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.2",
      "ao_id": "END-04.2_A01",
      "objective": "antimalware technologies are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.3",
      "ao_id": "END-04.3_A01",
      "objective": "antimalware controls and related processes to be centrally managed are defined.",
      "pptdf": "Process",
      "origin": "SCF Created\n53A_R5_PL-09_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.3",
      "ao_id": "END-04.3_A02",
      "objective": "antimalware controls and related processes are centrally managed.",
      "pptdf": "Technology",
      "origin": "SCF Created\n53A_R5_PL-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.4",
      "ao_id": "END-04.4_A01",
      "objective": "malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.4",
      "ao_id": "END-04.4_A02",
      "objective": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.4",
      "ao_id": "END-04.4_A03",
      "objective": "malicious code protection mechanisms are configured to perform periodic scans of the system at the defined frequency.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03c.01[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.4",
      "ao_id": "END-04.4_A04",
      "objective": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed in accordance with organizational policy.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03c.01[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.5",
      "ao_id": "END-04.5_A01",
      "objective": "the frequency at which to test malicious code protection mechanisms is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-03(06)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.5",
      "ao_id": "END-04.5_A02",
      "objective": "malicious code protection mechanisms are tested frequently by introducing known benign code into the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03(06)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.5",
      "ao_id": "END-04.5_A03",
      "objective": "the detection of (benign test) code occurs.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03(06)(b)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.5",
      "ao_id": "END-04.5_A04",
      "objective": "the associated incident reporting occurs.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03(06)(b)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.6",
      "ao_id": "END-04.6_A01",
      "objective": "system components that require diversity are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.1e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.6",
      "ao_id": "END-04.6_A02",
      "objective": "diversity in system components is created to reduce the extent of malicious code propagation.",
      "pptdf": "Technology",
      "origin": "172A_3.13.1e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.7",
      "ao_id": "END-04.7_A01",
      "objective": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-03c.01[02]\n171A_3.14.5[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.7",
      "ao_id": "END-04.7_A02",
      "objective": "malicious code protection mechanisms are configured to perform scans of the system per an organization-defined frequency.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.7",
      "ao_id": "END-04.7_A03",
      "objective": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.02.c.01[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.7",
      "ao_id": "END-04.7_A04",
      "objective": "malicious code protection mechanisms are configured to perform scans of the system <A.03.14.02.ODP[01]: frequency>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.02.c.01[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-04.7",
      "ao_id": "END-04.7_A05",
      "objective": "real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.",
      "pptdf": "Technology",
      "origin": "CMMC L1 Assessment Guide",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-05",
      "ao_id": "END-05_A01",
      "objective": "host-based firewall software, or similar technologies, are used on all systems, where technically feasible.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06",
      "ao_id": "END-06_A01",
      "objective": "software, firmware and/or information requiring integrity verification tools to be employed to detect unauthorized changes is defined.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07_ODP[01]\n53A_R5_SI-07_ODP[02]\n53A_R5_SI-07_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06",
      "ao_id": "END-06_A02",
      "objective": "actions to be taken when unauthorized changes to software, firmware and/or information are detected are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07_ODP[04]\n53A_R5_SI-07_ODP[05]\n53A_R5_SI-07_ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06",
      "ao_id": "END-06_A03",
      "objective": "integrity verification tools are employed to detect unauthorized changes to software, firmware and/or information.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07a.[01]\n53A_R5_SI-07a.[02]\n53A_R5_SI-07a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06",
      "ao_id": "END-06_A04",
      "objective": "actions are taken when unauthorized changes to the software, firmware and/or information are detected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07b.[01]\n53A_R5_SI-07b.[02]\n53A_R5_SI-07b.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.1",
      "ao_id": "END-06.1_A01",
      "objective": "software, firmware and/or information on which an integrity check is to be performed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(01)_ODP[01]\n53A_R5_SI-07(01)_ODP[05]\n53A_R5_SI-07(01)_ODP[09]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "selection to include security relevant events",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.1",
      "ao_id": "END-06.1_A02",
      "objective": "an integrity check of software, firmware and/or information is performed per an organization-defined time period.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(01)[01]\n53A_R5_SI-07(01)[02]\n53A_R5_SI-07(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.1",
      "ao_id": "END-06.1_A03",
      "objective": "transitional states or security-relevant events requiring integrity checks of software, firmware and/or information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(01)_ODP[02]\n53A_R5_SI-07(01)_ODP[03]\n53A_R5_SI-07(01)_ODP[06]\n53A_R5_SI-07(01)_ODP[07]\n53A_R5_SI-07(01)_ODP[10]\n53A_R5_SI-07(01)_ODP[11]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.1",
      "ao_id": "END-06.1_A04",
      "objective": "the frequency with which to perform an integrity check of software, firmware and/or information is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(01)_ODP[04]\n53A_R5_SI-07(01)_ODP[08]\n53A_R5_SI-07(01)_ODP[12]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.2",
      "ao_id": "END-06.2_A01",
      "objective": "security-relevant changes to the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(07)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.2",
      "ao_id": "END-06.2_A02",
      "objective": "the detection of changes is incorporated into the organizational incident response capability.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(07)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.3",
      "ao_id": "END-06.3_A01",
      "objective": "personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.3",
      "ao_id": "END-06.3_A02",
      "objective": "automated tools that provide notification to personnel or roles upon discovering discrepancies during integrity verification are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.4",
      "ao_id": "END-06.4_A01",
      "objective": "controls to be implemented automatically when integrity violations are discovered are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(05)_ODP[01]\n53A_R5_SI-07(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.4",
      "ao_id": "END-06.4_A02",
      "objective": "organization-defined actions are automatically performed when integrity violations are discovered.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.5",
      "ao_id": "END-06.5_A01",
      "objective": "system components requiring integrity verification of the boot process are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(09)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.5",
      "ao_id": "END-06.5_A02",
      "objective": "the integrity of the boot process of system components is verified.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(09)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.6",
      "ao_id": "END-06.6_A01",
      "objective": "mechanisms to be implemented to protect the integrity of boot firmware in system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(10)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.6",
      "ao_id": "END-06.6_A02",
      "objective": "system components requiring mechanisms to protect the integrity of boot firmware are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-07(10)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.6",
      "ao_id": "END-06.6_A03",
      "objective": "mechanisms are implemented to protect the integrity of boot firmware in system components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.7",
      "ao_id": "END-06.7_A01",
      "objective": "the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07(08)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.7",
      "ao_id": "END-06.7_A02",
      "objective": "exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(08)(b)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.7",
      "ao_id": "END-06.7_A03",
      "objective": "exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(08)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-06.8",
      "ao_id": "END-06.8_A01",
      "objective": "Extended Detection & Response (XDR) technologies are used to correlate data and respond to threats across multiple security layers.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-07",
      "ao_id": "END-07_A01",
      "objective": "Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS), or a similar technology, is deployed on business-critical systems.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-07",
      "ao_id": "END-07_A02",
      "objective": "Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS), or a similar technology, is deployed on systems that store, process and/or transmit sensitive / regulated data.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-08",
      "ao_id": "END-08_A01",
      "objective": "spam protection mechanisms are employed at system entry points to detect unsolicited messages.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-08a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-08",
      "ao_id": "END-08_A02",
      "objective": "spam protection mechanisms are employed at system entry points to act on unsolicited messages.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-08a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-08",
      "ao_id": "END-08_A03",
      "objective": "spam protection mechanisms are employed at system exit points to detect unsolicited messages.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-08a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-08",
      "ao_id": "END-08_A04",
      "objective": "spam protection mechanisms are employed at system exit points to act on unsolicited messages.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-08a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-08.1",
      "ao_id": "END-08.1_A01",
      "objective": "endpoint security controls and related processes to be centrally managed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-09_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-08.1",
      "ao_id": "END-08.1_A02",
      "objective": "endpoint security controls and related processes are centrally managed.",
      "pptdf": "Technology",
      "origin": "53A_R5_PL-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-08.2",
      "ao_id": "END-08.2_A01",
      "objective": "the frequency at which to automatically update spam protection mechanisms is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-08(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-08.2",
      "ao_id": "END-08.2_A02",
      "objective": "spam protection mechanisms are automatically updated frequently.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-08b.\n53A_R5_SI-08(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-09",
      "ao_id": "END-09_A01",
      "objective": "an organization-defined isolated trusted communication path (e.g., Control-Alt-Delete in Microsoft Windows) is provided for communications between the user and the trusted components of the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-11a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-09",
      "ao_id": "END-09_A02",
      "objective": "users are permitted to invoke the trusted communication path (e.g., Control-Alt-Delete in Microsoft Windows) for communications between the user and the security functions of the system, including authentication and re-authentication, at a minimum.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-11b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-09",
      "ao_id": "END-09_A03",
      "objective": "logical security functions of the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-11_ODP[01]\n53A_R5_SC-11_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A01",
      "objective": "acceptable mobile code technologies are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-18a.[01]\n53A_R5_SC-18a.[03]\n171A_R3_A.03.13.13.a[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A02",
      "objective": "unacceptable mobile code technologies are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-18a.[02]\n53A_R5_SC-18a.[04]\n53A_R5_SC-18(01)[01]\n53A_R5_SC-18(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A03",
      "objective": "the use of mobile code is authorized, monitored and controlled.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18b.[01]\n53A_R5_SC-18b.[02]\n53A_R5_SC-18b.[03]\n171A_3.13.13[a]\n171A_3.13.13[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A04",
      "objective": "the download of unacceptable mobile code is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A05",
      "objective": "the execution of unacceptable mobile code is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A06",
      "objective": "corrective actions to be taken when unacceptable mobile code is identified are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-18(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A07",
      "objective": "corrective actions are taken if unacceptable mobile code is identified.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-18(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A08",
      "objective": "mobile code requirements for the acquisition, development and use of mobile code to be deployed in the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-18(02)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A09",
      "objective": "the acquisition of mobile code to be deployed in the system meets mobile code requirements.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18(02)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A10",
      "objective": "the development of mobile code to be deployed in the system meets mobile code requirements.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A11",
      "objective": "the use of mobile code to be deployed in the system meets mobile code requirements.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18(02)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A12",
      "objective": "unacceptable mobile code to be prevented from downloading and executing is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-18(03)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A13",
      "objective": "software applications in which the automatic execution of mobile code is to be prevented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-18(04)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A14",
      "objective": "actions to be enforced by the system prior to executing mobile code are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-18(04)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A15",
      "objective": "the automatic execution of mobile code in software applications is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-18(04)[01]\n53A_R5_SC-18(04)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A16",
      "objective": "platform-independent applications to be included within organizational systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-27_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A17",
      "objective": "platform-independent applications are included within organizational systems.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-27",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A18",
      "objective": "acceptable mobile code is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.13.13.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A19",
      "objective": "the use of mobile code is authorized.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.13.13.b[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A20",
      "objective": "the use of mobile code is monitored.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.13.b[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-10",
      "ao_id": "END-10_A21",
      "objective": "the use of mobile code is controlled.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.13.b[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-11",
      "ao_id": "END-11_A01",
      "objective": "system components to be employed with minimal functionality and information storage are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-25_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-11",
      "ao_id": "END-11_A02",
      "objective": "minimal functionality for system components is employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-25[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-11",
      "ao_id": "END-11_A03",
      "objective": "minimal information storage on system components is allocated.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-25[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-11",
      "ao_id": "END-11_A04",
      "objective": "physical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[1]\n172A_3.13.4e_ODP[2]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-11",
      "ao_id": "END-11_A05",
      "objective": "logical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[1]\n172A_3.13.4e_ODP[3]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-11",
      "ao_id": "END-11_A06",
      "objective": "physical isolation techniques and/or logical isolation techniques are employed in organizational systems and system components.",
      "pptdf": "Technology",
      "origin": "172A_3.13.4e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-12",
      "ao_id": "END-12_A01",
      "objective": "connection ports or input/output devices to be disabled or removed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-41_ODP[01]\n53A_R5_SC-41_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-12",
      "ao_id": "END-12_A02",
      "objective": "systems or system components with connection ports or input/output devices to be disabled or removed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-41_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-12",
      "ao_id": "END-12_A03",
      "objective": "connection ports or input/output devices that are prohibited are disabled or removed on systems or system components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-41",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13",
      "ao_id": "END-13_A01",
      "objective": "environmental sensing capabilities in devices are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42_ODP[01]\n53A_R5_SC-42_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13",
      "ao_id": "END-13_A02",
      "objective": "facilities, areas or systems where the use of devices possessing environmental sensing capabilities is prohibited are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13",
      "ao_id": "END-13_A03",
      "objective": "exceptions where remote activation of sensors is allowed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13",
      "ao_id": "END-13_A04",
      "objective": "group of users to whom an explicit indication of sensor use is to be provided is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13",
      "ao_id": "END-13_A05",
      "objective": "organization-defined parameters are prohibited.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-42a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13",
      "ao_id": "END-13_A06",
      "objective": "an explicit indication of sensor use is provided to a group of users.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-42b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.1",
      "ao_id": "END-13.1_A01",
      "objective": "measures to be employed so that data or information collected by sensors is only used for authorized purposes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.1",
      "ao_id": "END-13.1_A02",
      "objective": "organization-defined measures are employed so that data or information collected by sensors is only used for authorized purposes.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.2",
      "ao_id": "END-13.2_A01",
      "objective": "measures to facilitate an individual’s awareness that Personal Data (PD) is being collected are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.2",
      "ao_id": "END-13.2_A02",
      "objective": "sensors that collect Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42(04)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.2",
      "ao_id": "END-13.2_A03",
      "objective": "organization-defined measures are employed to facilitate an individual’s awareness that Personal Data (PD) is being collected by sensors.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A01",
      "objective": "processes that implement the privacy principle of minimization are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(33)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A02",
      "objective": "the privacy principle of minimization is implemented using organization-defined processes.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(33)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A03",
      "objective": "the sensors that are configured to minimize the collection of unneeded information about individuals are defined.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-42(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A04",
      "objective": "sensors configured to minimize the collection of information about individuals that is not needed are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-42(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A05",
      "objective": "the frequency for reviewing / updating policies that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[01]\n53A_R5_PM-25_ODP[02]\n53A_R5_PM-25_ODP[03]\n53A_R5_PM-25_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A06",
      "objective": "policies that address the use of Personal Data (PD) for internal testing, training and research are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[01]\n53A_R5_PM-25a.[02]\n53A_R5_PM-25a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A07",
      "objective": "procedures that address the use of Personal Data (PD) for internal testing, training and research are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[04]\n53A_R5_PM-25a.[05]\n53A_R5_PM-25a.[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A08",
      "objective": "policies that address the use of Personal Data (PD) for internal testing, training and research are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[07]\n53A_R5_PM-25a.[08]\n53A_R5_PM-25a.[09]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A09",
      "objective": "procedures that address the use of Personal Data (PD) for internal testing, training and research are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[10]\n53A_R5_PM-25a.[11]\n53A_R5_PM-25a.[12]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A10",
      "objective": "the amount of Personal Data (PD) used for internal testing, training and research purposes is limited or minimized.",
      "pptdf": "Data",
      "origin": "53A_R5_PM-25b.[01]\n53A_R5_PM-25b.[02]\n53A_R5_PM-25b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A11",
      "objective": "the required use of Personal Data (PD) for internal testing, training and research is authorized.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25c.[01]\n53A_R5_PM-25c.[02]\n53A_R5_PM-25c.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A12",
      "objective": "policies are reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[01]\n53A_R5_PM-25d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.3",
      "ao_id": "END-13.3_A13",
      "objective": "procedures are reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[03]\n53A_R5_PM-25d.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.4",
      "ao_id": "END-13.4_A01",
      "objective": "sensors to be used to collect data or information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-42(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-13.4",
      "ao_id": "END-13.4_A02",
      "objective": "systems are configured so that data or information collected by the sensors is only reported to authorized individuals or roles.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-42(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A01",
      "objective": "collaborative computing devices are identified.",
      "pptdf": "Process",
      "origin": "171A_3.13.12[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A02",
      "objective": "collaborative computing devices provide indication to users of devices in use.",
      "pptdf": "Technology",
      "origin": "171A_3.13.12[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A03",
      "objective": "remote activation of collaborative computing devices is prohibited.",
      "pptdf": "Technology",
      "origin": "171A_3.13.12[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A04",
      "objective": "exceptions where remote activation is to be allowed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-15_ODP\n171A_R3_A.03.13.12.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A05",
      "objective": "the remote activation of collaborative computing devices and applications is prohibited with organization-defined exceptions.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-15a.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "no exceptions for computing devices",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A06",
      "objective": "an explicit indication of use is provided to users physically present at the devices.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-15b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A07",
      "objective": "collaborative computing devices are logically or physically disconnected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-15(01)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A08",
      "objective": "the disconnect of collaborative computing devices is provided in a manner that supports ease of use.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-15(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14",
      "ao_id": "END-14_A09",
      "objective": "the remote activation of collaborative computing devices and applications is prohibited with the following exceptions: <A.03.13.12.ODP[01]: exceptions>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.12.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "only as enumerated and justified in the System Security Plan before such remote activation occurs, and only when there are no other options, and the remote activation is operationally critical",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.1",
      "ao_id": "END-14.1_A01",
      "objective": "systems or system components from which collaborative computing devices are to be disabled or removed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-15(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.1",
      "ao_id": "END-14.1_A02",
      "objective": "secure work areas where collaborative computing devices are to be disabled or removed from systems or system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-15(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.1",
      "ao_id": "END-14.1_A03",
      "objective": "collaborative computing devices and applications are disabled or removed from systems or system components in secure work areas.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-15(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.2",
      "ao_id": "END-14.2_A01",
      "objective": "online meetings and teleconferences for which an explicit indication of current participants is to be provided are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-15(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.2",
      "ao_id": "END-14.2_A02",
      "objective": "an explicit indication of current participants in online meetings and teleconferences is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-15(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.3",
      "ao_id": "END-14.3_A01",
      "objective": "personnel are trained to limit access to virtual meetings to appropriate individuals.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.3",
      "ao_id": "END-14.3_A02",
      "objective": "technologies used to conduct virtual meetings can verify individual identities.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.3",
      "ao_id": "END-14.3_A03",
      "objective": "individual identities are verified to ensure that access to virtual meetings is limited to appropriate individuals.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.4",
      "ao_id": "END-14.4_A01",
      "objective": "technologies used to conduct virtual meetings allow the host to positively control an individual's participation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.5",
      "ao_id": "END-14.5_A01",
      "objective": "antimalware technologies can detect malicious links and/or files in communications.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.5",
      "ao_id": "END-14.5_A02",
      "objective": "antimalware technologies can prevent users from accessing malicious links and/or files sent in communications.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-14.6",
      "ao_id": "END-14.6_A01",
      "objective": "an explicit indication of use is provided to users who are physically present at the devices.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.12.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-15",
      "ao_id": "END-15_A01",
      "objective": "access to hypervisor management functions or administrative consoles for systems hosting virtualized systems is restricted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-16",
      "ao_id": "END-16_A01",
      "objective": "system configurations isolate security functions from non-security functions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-16.1",
      "ao_id": "END-16.1_A01",
      "objective": "host-based boundary protection mechanisms to be implemented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(12)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "Host Intrusion Prevention System (hIPS), Host Intrusion Detection System (hIDS), or minimally a host-based firewall",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-16.1",
      "ao_id": "END-16.1_A02",
      "objective": "system components where host-based boundary protection mechanisms are to be implemented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(12)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "END-16.1",
      "ao_id": "END-16.1_A03",
      "objective": "host-based boundary protection mechanisms are implemented at system components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(12)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A01",
      "objective": "an organization-wide cybersecurity / data privacy governance program is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A02",
      "objective": "the cybersecurity / data privacy governance program addresses management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A03",
      "objective": "the cybersecurity / data privacy governance program addresses statutory, regulatory and/or contractual compliance obligations.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A04",
      "objective": "the cybersecurity / data privacy governance program is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-01c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A05",
      "objective": "the cybersecurity / data privacy governance program is protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-01c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A06",
      "objective": "the cybersecurity / data privacy governance program is disseminated.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A07",
      "objective": "the cybersecurity / data privacy governance program provides an overview of the requirements for the security program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A08",
      "objective": "the cybersecurity / data privacy governance program provides a description of the security program management controls in place or planned for meeting those requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A09",
      "objective": "the cybersecurity / data privacy governance program provides a description of the common controls in place or planned for meeting those requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.01[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A10",
      "objective": "the cybersecurity / data privacy governance program includes the identification and assignment of roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A11",
      "objective": "the cybersecurity / data privacy governance program includes the identification and assignment of responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A12",
      "objective": "the cybersecurity / data privacy governance program addresses coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A13",
      "objective": "the cybersecurity / data privacy governance program reflects the coordination among the organizational entities responsible for cybersecurity / data privacy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A14",
      "objective": "the cybersecurity / data privacy governance program is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.04",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A15",
      "objective": "the frequency at which to review / update the organization-wide cybersecurity / data privacy governance program is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A16",
      "objective": "events that trigger the review / update of the organization-wide cybersecurity / data privacy governance program are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A17",
      "objective": "the cybersecurity / data privacy governance program is reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A18",
      "objective": "the cybersecurity / data privacy governance program is reviewed / updated following events.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A19",
      "objective": "cybersecurity & data protection governance operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A20",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support cybersecurity & data protection governance operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A21",
      "objective": "responsibility and authority for the performance of cybersecurity & data protection governance-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01",
      "ao_id": "GOV-01_A22",
      "objective": "personnel performing cybersecurity & data protection governance-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01.1",
      "ao_id": "GOV-01.1_A01",
      "objective": "an executive steering committee, or advisory board, is formed and is comprised of key cybersecurity, technology, risk, privacy and business executives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01.1",
      "ao_id": "GOV-01.1_A02",
      "objective": "the executive steering committee, or advisory board, coordinates cybersecurity, technology, risk, privacy and business alignment through recurring, formal meetings.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01.2",
      "ao_id": "GOV-01.2_A01",
      "objective": "the executive steering committee, or advisory board, makes executive decisions about matters considered material to the organization's cybersecurity / data privacy program.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-01.3",
      "ao_id": "GOV-01.3_A01",
      "objective": "the organization commits appropriate financial resources needed for continual improvement of the organization's cybersecurity & data privacy program.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A01",
      "objective": "cybersecurity / data privacy policies are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.[01]\n53A_R5_AT-01a.[01]\n53A_R5_AU-01a.[01]\n53A_R5_CA-01a.[01]\n53A_R5_CM-01a.[01]\n53A_R5_CP-01a.[01]\n53A_R5_IA-01a.[01]\n53A_R5_IR-01a.[01]\n53A_R5_MA-01a.[01]\n53A_R5_MP-01a.[01]\n53A_R5_PE-01a.[01]\n53A_R5_PL-01a.[01]\n53A_R5_PS-01a.[01]\n53A_R5_PT-01a.[01]\n53A_R5_RA-01a.[01]\n53A_R5_SA-01a.[01]\n53A_R5_SC-01a.[01]\n53A_R5_SI-01a.[01]\n53A_R5_SR-01a.[01]\n171A_3.4.9[a]\n171A_3.9.2[a]\n53A_R5_AC-02a.[03]\n53A_R5_AC-04(25)_ODP[02]\n53A_R5_IA-04(05)_ODP\n53A_R5_SR-11a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A02",
      "objective": "policies needed to satisfy the security requirements for the protection of sensitive / regulated data are developed and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A03",
      "objective": "policies needed to satisfy the security requirements for the protection of sensitive / regulated data are disseminated to organizational personnel or roles.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A04",
      "objective": "procedures needed to satisfy the security requirements for the protection of sensitive / regulated data are developed and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A05",
      "objective": "procedures needed to satisfy the security requirements for the protection of sensitive / regulated data are disseminated to organizational personnel or roles.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A06",
      "objective": "the cybersecurity / data privacy policies address purpose.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.01(a)[01]\n53A_R5_AT-01a.01(a)[01]\n53A_R5_AU-01a.01(a)[01]\n53A_R5_CA-01a.01(a)[01]\n53A_R5_CM-01a.01(a)[01]\n53A_R5_CP-01a.01(a)[01]\n53A_R5_IA-01a.01(a)[01]\n53A_R5_IR-01a.01(a)[01]\n53A_R5_MA-01a.01(a)[01]\n53A_R5_MP-01a.01(a)[01]\n53A_R5_PE-01a.01(a)[01]\n53A_R5_PL-01a.01(a)[01]\n53A_R5_PS-01a.01(a)[01]\n53A_R5_PT-01a.01(a)[01]\n53A_R5_RA-01a.01(a)[01]\n53A_R5_SA-01a.01(a)[01]\n53A_R5_SC-01a.01(a)[01]\n53A_R5_SI-01a.01(a)[01]\n53A_R5_SR-01a.01(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A07",
      "objective": "the cybersecurity / data privacy policies address scope.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.01(a)[02]\n53A_R5_AT-01a.01(a)[02]\n53A_R5_AU-01a.01(a)[02]\n53A_R5_CA-01a.01(a)[02]\n53A_R5_CM-01a.01(a)[02]\n53A_R5_CP-01a.01(a)[02]\n53A_R5_IA-01a.01(a)[02]\n53A_R5_IR-01a.01(a)[02]\n53A_R5_MA-01a.01(a)[02]\n53A_R5_MP-01a.01(a)[02]\n53A_R5_PE-01a.01(a)[02]\n53A_R5_PL-01a.01(a)[02]\n53A_R5_PS-01a.01(a)[02]\n53A_R5_PT-01a.01(a)[02]\n53A_R5_RA-01a.01(a)[02]\n53A_R5_SA-01a.01(a)[02]\n53A_R5_SC-01a.01(a)[02]\n53A_R5_SI-01a.01(a)[02]\n53A_R5_SR-01a.01(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A08",
      "objective": "the cybersecurity / data privacy policies address roles.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.01(a)[03]\n53A_R5_AT-01a.01(a)[03]\n53A_R5_AU-01a.01(a)[03]\n53A_R5_CA-01a.01(a)[03]\n53A_R5_CM-01a.01(a)[03]\n53A_R5_CP-01a.01(a)[03]\n53A_R5_IA-01a.01(a)[03]\n53A_R5_IR-01a.01(a)[03]\n53A_R5_MA-01a.01(a)[03]\n53A_R5_MP-01a.01(a)[03]\n53A_R5_PE-01a.01(a)[03]\n53A_R5_PL-01a.01(a)[03]\n53A_R5_PS-01a.01(a)[03]\n53A_R5_PT-01a.01(a)[03]\n53A_R5_RA-01a.01(a)[03]\n53A_R5_SA-01a.01(a)[03]\n53A_R5_SC-01a.01(a)[03]\n53A_R5_SI-01a.01(a)[03]\n53A_R5_SR-01a.01(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A09",
      "objective": "the cybersecurity / data privacy policies address responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.01(a)[04]\n53A_R5_AT-01a.01(a)[04]\n53A_R5_AU-01a.01(a)[04]\n53A_R5_CA-01a.01(a)[04]\n53A_R5_CM-01a.01(a)[04]\n53A_R5_CP-01a.01(a)[04]\n53A_R5_IA-01a.01(a)[04]\n53A_R5_IR-01a.01(a)[04]\n53A_R5_MA-01a.01(a)[04]\n53A_R5_MP-01a.01(a)[04]\n53A_R5_PE-01a.01(a)[04]\n53A_R5_PL-01a.01(a)[04]\n53A_R5_PS-01a.01(a)[04]\n53A_R5_PT-01a.01(a)[04]\n53A_R5_RA-01a.01(a)[04]\n53A_R5_SA-01a.01(a)[04]\n53A_R5_SC-01a.01(a)[04]\n53A_R5_SI-01a.01(a)[04]\n53A_R5_SR-01a.01(a)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A10",
      "objective": "the cybersecurity / data privacy policies address management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.01(a)[05]\n53A_R5_AT-01a.01(a)[05]\n53A_R5_AU-01a.01(a)[05]\n53A_R5_CA-01a.01(a)[05]\n53A_R5_CM-01a.01(a)[05]\n53A_R5_CP-01a.01(a)[05]\n53A_R5_IA-01a.01(a)[05]\n53A_R5_IR-01a.01(a)[05]\n53A_R5_MA-01a.01(a)[05]\n53A_R5_MP-01a.01(a)[05]\n53A_R5_PE-01a.01(a)[05]\n53A_R5_PL-01a.01(a)[05]\n53A_R5_PS-01a.01(a)[05]\n53A_R5_PT-01a.01(a)[05]\n53A_R5_RA-01a.01(a)[05]\n53A_R5_SA-01a.01(a)[05]\n53A_R5_SC-01a.01(a)[05]\n53A_R5_SI-01a.01(a)[05]\n53A_R5_SR-01a.01(a)[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A11",
      "objective": "the cybersecurity / data privacy policies address coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.01(a)[06]\n53A_R5_AT-01a.01(a)[06]\n53A_R5_AU-01a.01(a)[06]\n53A_R5_CA-01a.01(a)[06]\n53A_R5_CM-01a.01(a)[06]\n53A_R5_CP-01a.01(a)[06]\n53A_R5_IA-01a.01(a)[06]\n53A_R5_IR-01a.01(a)[06]\n53A_R5_MA-01a.01(a)[06]\n53A_R5_MP-01a.01(a)[06]\n53A_R5_PE-01a.01(a)[06]\n53A_R5_PL-01a.01(a)[06]\n53A_R5_PS-01a.01(a)[06]\n53A_R5_PT-01a.01(a)[06]\n53A_R5_RA-01a.01(a)[06]\n53A_R5_SA-01a.01(a)[06]\n53A_R5_SC-01a.01(a)[06]\n53A_R5_SI-01a.01(a)[06]\n53A_R5_SR-01a.01(a)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A12",
      "objective": "the cybersecurity / data privacy policies address compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.01(a)[07]\n53A_R5_AT-01a.01(a)[07]\n53A_R5_AU-01a.01(a)[07]\n53A_R5_CA-01a.01(a)[07]\n53A_R5_CM-01a.01(a)[07]\n53A_R5_CP-01a.01(a)[07]\n53A_R5_IA-01a.01(a)[07]\n53A_R5_IR-01a.01(a)[07]\n53A_R5_MA-01a.01(a)[07]\n53A_R5_MP-01a.01(a)[07]\n53A_R5_PE-01a.01(a)[07]\n53A_R5_PL-01a.01(a)[07]\n53A_R5_PS-01a.01(a)[07]\n53A_R5_PT-01a.01(a)[07]\n53A_R5_RA-01a.01(a)[07]\n53A_R5_SA-01a.01(a)[07]\n53A_R5_SC-01a.01(a)[07]\n53A_R5_SI-01a.01(a)[07]\n53A_R5_SR-01a.01(a)[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A13",
      "objective": "the cybersecurity / data privacy policies are consistent with applicable laws, regulations and contractual obligations.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.01(b)\n53A_R5_AT-01a.01(b)\n53A_R5_AU-01a.01(b)\n53A_R5_CA-01a.01(b)\n53A_R5_CM-01a.01(b)\n53A_R5_CP-01a.01(b)\n53A_R5_IA-01a.01(b)\n53A_R5_IR-01a.01(b)\n53A_R5_MA-01a.01(b)\n53A_R5_MP-01a.01(b)\n53A_R5_PE-01a.01(b)\n53A_R5_PL-01a.01(b)\n53A_R5_PS-01a.01(b)\n53A_R5_PT-01a.01(b)\n53A_R5_RA-01a.01(b)\n53A_R5_SA-01a.01(b)\n53A_R5_SC-01a.01(b)\n53A_R5_SI-01a.01(b)\n53A_R5_SR-01a.01(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A14",
      "objective": "personnel or roles to whom the cybersecurity / data privacy policies are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01_ODP[01]\n53A_R5_AT-01_ODP[01]\n53A_R5_AU-01_ODP[01]\n53A_R5_CA-01_ODP[01]\n53A_R5_CM-01_ODP[01]\n53A_R5_CP-01_ODP[01]\n53A_R5_IA-01_ODP[01]\n53A_R5_IR-01_ODP[01]\n53A_R5_MA-01_ODP[01]\n53A_R5_MP-01_ODP[01]\n53A_R5_PE-01_ODP[01]\n53A_R5_PL-01_ODP[01]\n53A_R5_PS-01_ODP[01]\n53A_R5_PT-01_ODP[01]\n53A_R5_RA-01_ODP[01]\n53A_R5_SA-01_ODP[01]\n53A_R5_SC-01_ODP[01]\n53A_R5_SI-01_ODP[01]\n53A_R5_SR-01_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A15",
      "objective": "the cybersecurity / data privacy policies are disseminated to personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.[02]\n53A_R5_AT-01a.[02]\n53A_R5_AU-01a.[02]\n53A_R5_CA-01a.[02]\n53A_R5_CM-01a.[02]\n53A_R5_CP-01a.[02]\n53A_R5_IA-01a.[02]\n53A_R5_IR-01a.[02]\n53A_R5_MA-01a.[02]\n53A_R5_MP-01a.[02]\n53A_R5_PE-01a.[02]\n53A_R5_PL-01a.[02]\n53A_R5_PS-01a.[02]\n53A_R5_PT-01a.[02]\n53A_R5_RA-01a.[02]\n53A_R5_SA-01a.[02]\n53A_R5_SC-01a.[02]\n53A_R5_SI-01a.[02]\n53A_R5_SR-01a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A16",
      "objective": "the official is designated to manage the development, documentation and dissemination of the cybersecurity / data privacy policies and procedures.",
      "pptdf": "People",
      "origin": "53A_R5_AC-01b\n53A_R5_AT-01b\n53A_R5_AU-01b\n53A_R5_CA-01b\n53A_R5_CM-01b\n53A_R5_CP-01b\n53A_R5_IA-01b\n53A_R5_IR-01b\n53A_R5_MA-01b\n53A_R5_MP-01b\n53A_R5_PE-01b\n53A_R5_PL-01b\n53A_R5_PS-01b\n53A_R5_PT-01b\n53A_R5_RA-01b\n53A_R5_SA-01b\n53A_R5_SC-01b\n53A_R5_SI-01b\n53A_R5_SR-01b",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A17",
      "objective": "an official to manage the governance of cybersecurity / data privacy policies and procedures is defined.",
      "pptdf": "People",
      "origin": "53A_R5_AC-01_ODP[04]\n53A_R5_AT-01_ODP[04]\n53A_R5_AU-01_ODP[04]\n53A_R5_CA-01_ODP[04]\n53A_R5_CM-01_ODP[04]\n53A_R5_CP-01_ODP[04]\n53A_R5_IA-01_ODP[04]\n53A_R5_IR-01_ODP[04]\n53A_R5_MA-01_ODP[04]\n53A_R5_MP-01_ODP[04]\n53A_R5_PE-01_ODP[04]\n53A_R5_PL-01_ODP[04]\n53A_R5_PS-01_ODP[04]\n53A_R5_PT-01_ODP[04]\n53A_R5_RA-01_ODP[04]\n53A_R5_SA-01_ODP[04]\n53A_R5_SC-01_ODP[04]\n53A_R5_SI-01_ODP[04]\n53A_R5_SR-01_ODP[04]\n171A_3.4.9[a]\n171A_3.9.2[a]\n53A_R5_AC-02a.[03]\n53A_R5_AC-04(25)_ODP[02]\n53A_R5_IA-04(05)_ODP\n53A_R5_SR-11a.[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A18",
      "objective": "policies needed to satisfy the security requirements for the protection of CUI are developed and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.01.a[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A19",
      "objective": "policies needed to satisfy the security requirements for the protection of CUI are disseminated to organizational personnel or roles.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.15.01.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A20",
      "objective": "procedures needed to satisfy the security requirements for the protection of CUI are developed and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.01.a[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02",
      "ao_id": "GOV-02_A21",
      "objective": "procedures needed to satisfy the security requirements for the protection of CUI are disseminated to organizational personnel or roles.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.15.01.a[04]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02.1",
      "ao_id": "GOV-02.1_A01",
      "objective": "exception requests to standards are formally submitted for review, along with a business justification for the deviation and proposed compensating controls.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02.1",
      "ao_id": "GOV-02.1_A02",
      "objective": "the exception request undergoes a risk assessment to evaluate the business justification and proposed compensating controls.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02.1",
      "ao_id": "GOV-02.1_A03",
      "objective": "a documented determination is made to approve or deny the exception request.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-02.1",
      "ao_id": "GOV-02.1_A04",
      "objective": "the requestor of the exception is provided a response on the determination including required actions, if applicable.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-03",
      "ao_id": "GOV-03_A01",
      "objective": "the frequency at which the policies and procedures for satisfying security requirements are reviewed and updated is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.01.ODP[01]\n53A_R5_AC-01_ODP[05]\n53A_R5_AT-01_ODP[05]\n53A_R5_AU-01_ODP[05]\n53A_R5_CA-01_ODP[05]\n53A_R5_CM-01_ODP[05]\n53A_R5_CP-01_ODP[05]\n53A_R5_IA-01_ODP[05]\n53A_R5_IR-01_ODP[05]\n53A_R5_MA-01_ODP[05]\n53A_R5_MP-01_ODP[05]\n53A_R5_PE-01_ODP[05]\n53A_R5_PL-01_ODP[05]\n53A_R5_PS-01_ODP[05]\n53A_R5_PT-01_ODP[05]\n53A_R5_RA-01_ODP[05]\n53A_R5_SA-01_ODP[05]\n53A_R5_SC-01_ODP[05]\n53A_R5_SI-01_ODP[05]\n53A_R5_SR-01_ODP[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-03",
      "ao_id": "GOV-03_A02",
      "objective": "policies and procedures are reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01c.01[01]\n53A_R5_AC-01c.01[02]\n53A_R5_AT-01c.01[01]\n53A_R5_AT-01c.01[02]\n53A_R5_AU-01c.01[01]\n53A_R5_AU-01c.01[02]\n53A_R5_CA-01c.01[01]\n53A_R5_CA-01c.01[02]\n53A_R5_CM-01c.01[01]\n53A_R5_CM-01c.01[02]\n53A_R5_CP-01c.01[01]\n53A_R5_CP-01c.01[02]\n53A_R5_IA-01c.01[01]\n53A_R5_IA-01c.01[02]\n53A_R5_IR-01c.01[01]\n53A_R5_IR-01c.01[02]\n53A_R5_MA-01c.01[01]\n53A_R5_MA-01c.01[02]\n53A_R5_MP-01c.01[01]\n53A_R5_MP-01c.01[02]\n53A_R5_PE-01c.01[01]\n53A_R5_PE-01c.01[02]\n53A_R5_PL-01c.01[01]\n53A_R5_PL-01c.01[02]\n53A_R5_PS-01c.01[01]\n53A_R5_PS-01c.01[02]\n53A_R5_PT-01c.01[01]\n53A_R5_PT-01c.01[02]\n53A_R5_RA-01c.01[01]\n53A_R5_RA-01c.01[02]\n53A_R5_SA-01c.01[01]\n53A_R5_SA-01c.01[02]\n53A_R5_SC-01c.01[01]\n53A_R5_SC-01c.01[02]\n53A_R5_SI-01c.01[01]\n53A_R5_SI-01c.01[02]\n53A_R5_SR-01c.01[01]\n53A_R5_SR-01c.01[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "Review policies, standards and procedures at least annually and following significant changes",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-03",
      "ao_id": "GOV-03_A03",
      "objective": "events that would require the current cybersecurity / data privacy policies to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01_ODP[06]\n53A_R5_AT-01_ODP[06]\n53A_R5_AU-01_ODP[06]\n53A_R5_CA-01_ODP[06]\n53A_R5_CM-01_ODP[06]\n53A_R5_CP-01_ODP[06]\n53A_R5_IA-01_ODP[06]\n53A_R5_IR-01_ODP[06]\n53A_R5_MA-01_ODP[06]\n53A_R5_MP-01_ODP[06]\n53A_R5_PE-01_ODP[06]\n53A_R5_PL-01_ODP[06]\n53A_R5_PS-01_ODP[06]\n53A_R5_PT-01_ODP[06]\n53A_R5_RA-01_ODP[06]\n53A_R5_SA-01_ODP[06]\n53A_R5_SC-01_ODP[06]\n53A_R5_SI-01_ODP[06]\n53A_R5_SR-01_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-03",
      "ao_id": "GOV-03_A04",
      "objective": "policies and procedures are reviewed <A.03.15.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.01.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-03",
      "ao_id": "GOV-03_A05",
      "objective": "policies and procedures are updated <A.03.15.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.01.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-04",
      "ao_id": "GOV-04_A01",
      "objective": "a senior organizational cybersecurity position is appointed.",
      "pptdf": "People",
      "origin": "53A_R5_PM-02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-04",
      "ao_id": "GOV-04_A02",
      "objective": "the senior organizational cybersecurity position is provided with the mission and resources to coordinate, develop, implement and maintain an organization-wide cybersecurity program.",
      "pptdf": "People",
      "origin": "53A_R5_PM-02[02]\n53A_R5_PM-02[03]\n53A_R5_PM-02[04]\n53A_R5_PM-02[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-04.1",
      "ao_id": "GOV-04.1_A01",
      "objective": "the cybersecurity / data privacy governance program includes the identification and assignment of roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-04.1",
      "ao_id": "GOV-04.1_A02",
      "objective": "the cybersecurity / data privacy governance program includes the identification and assignment of responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-01a.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-04.2",
      "ao_id": "GOV-04.2_A01",
      "objective": "a formal organization structure is published.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-04.2",
      "ao_id": "GOV-04.2_A02",
      "objective": "an individual's chain of command is clearly delineated.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-05",
      "ao_id": "GOV-05_A01",
      "objective": "cybersecurity / data privacy measures of performance are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-06[01]\n53A_R5_PM-06[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-05",
      "ao_id": "GOV-05_A02",
      "objective": "cybersecurity / data privacy measures of performance are monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-06[02]\n53A_R5_PM-06[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-05",
      "ao_id": "GOV-05_A03",
      "objective": "the results of cybersecurity / data privacy measures of performance are reported.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-06[03]\n53A_R5_PM-06[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-05.1",
      "ao_id": "GOV-05.1_A01",
      "objective": "Key Performance Indicators (KPIs) are developed to assist organizational management in performance monitoring and trend analysis of specific aspects of the organization's cybersecurity / data privacy program.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-05.2",
      "ao_id": "GOV-05.2_A01",
      "objective": "Key Risk Indicators (KRIs) are developed to assist senior management in performance monitoring and trend analysis of specific aspects of the organization's cybersecurity / data privacy program.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-06",
      "ao_id": "GOV-06_A01",
      "objective": "relevant law enforcement and/or regulatory bodies are identified that necessitate communications.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-06",
      "ao_id": "GOV-06_A02",
      "objective": "contacts with relevant law enforcement and/or regulatory bodies are established and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-07",
      "ao_id": "GOV-07_A01",
      "objective": "contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to facilitate ongoing security education and training for organizational personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-15a.[01]\n53A_R5_PM-15a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-07",
      "ao_id": "GOV-07_A02",
      "objective": "contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to maintain currency with recommended security practices, techniques and technologies.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-15b.[01]\n53A_R5_PM-15b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-07",
      "ao_id": "GOV-07_A03",
      "objective": "contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to share current security information, including threats, vulnerabilities and incidents.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-15c.[01]\n53A_R5_PM-15c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-08",
      "ao_id": "GOV-08_A01",
      "objective": "the organization's mission is clearly defined and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-08",
      "ao_id": "GOV-08_A02",
      "objective": "the organization's executive leadership defines and documents a formal business strategy that is used to provide operational guidance to key business leaders across the organization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-09",
      "ao_id": "GOV-09_A01",
      "objective": "security and privacy-related control objectives are established as the basis for the selection, implementation and management of the organization's internal control system.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-10",
      "ao_id": "GOV-10_A01",
      "objective": "a data integrity board/function is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-10",
      "ao_id": "GOV-10_A02",
      "objective": "the data integrity board/function reviews proposals to conduct or participate in a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-10",
      "ao_id": "GOV-10_A03",
      "objective": "the data integrity board/function conducts an annual review of all matching programs in which the organization has participated.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-10",
      "ao_id": "GOV-10_A04",
      "objective": "the roles of the organization's data governance body are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-10",
      "ao_id": "GOV-10_A05",
      "objective": "the responsibilities of the organization's data governance body are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-10",
      "ao_id": "GOV-10_A06",
      "objective": "the organization's data governance body has defined roles with established responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-11",
      "ao_id": "GOV-11_A01",
      "objective": "systems or system components supporting mission-essential services or functions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-32_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-11",
      "ao_id": "GOV-11_A02",
      "objective": "systems or system components supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-32",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-12",
      "ao_id": "GOV-12_A01",
      "objective": "an executive steering committee, or advisory board, evaluates business practices for possible forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to a host government for purposes of market access or market management practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-12",
      "ao_id": "GOV-12_A02",
      "objective": "measures exist for the executive steering committee, or advisory board, to proactively identify and evaluate host nation business practices to identify potential instances that exist for forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-12",
      "ao_id": "GOV-12_A03",
      "objective": "actions are taken to prevent and/or block potential instances that enable the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-13",
      "ao_id": "GOV-13_A01",
      "objective": "an executive steering committee, or advisory board, evaluates business practices for possible instances where host nation business practices could leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-13",
      "ao_id": "GOV-13_A02",
      "objective": "measures exist for the executive steering committee, or advisory board, to proactively identify and evaluate host nation business practices to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-13",
      "ao_id": "GOV-13_A03",
      "objective": "actions are taken to prevent and/or block potential instances where host nation business practices could leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-14",
      "ao_id": "GOV-14_A01",
      "objective": "the executive steering committee, or advisory board, directs organization leadership to incorporate cybersecurity / data privacy principles into Business As Usual (BAU) practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-14",
      "ao_id": "GOV-14_A02",
      "objective": "cybersecurity incidents are reviewed to identify incidents that occurred due to cybersecurity / data privacy principles not being adopted as Business As Usual (BAU) practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-14",
      "ao_id": "GOV-14_A03",
      "objective": "identified deficiencies of cybersecurity / data privacy principles not being adopted as Business As Usual (BAU) practices are tracked via a Plan of Action and Milestones (POA&M), or risk register, through remediation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15",
      "ao_id": "GOV-15_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to operationalize cybersecurity / data privacy practices for each system, application and/or service under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15",
      "ao_id": "GOV-15_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners operationalized cybersecurity / data privacy practices for each system, application and/or service under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15",
      "ao_id": "GOV-15_A03",
      "objective": "organization-defined systems security engineering principles are applied to the development or modification of the system and system components.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15",
      "ao_id": "GOV-15_A04",
      "objective": "<A.03.16.01.ODP[01]: systems security engineering principles> are applied to the development or modification of the system and system components.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.01",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: At a minimum, documentation that provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation should be based on the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.1",
      "ao_id": "GOV-15.1_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to select required cybersecurity / data privacy controls for each system, application and/or service under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.1",
      "ao_id": "GOV-15.1_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners select required cybersecurity / data privacy controls for each system, application and/or service under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.2",
      "ao_id": "GOV-15.2_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to implement required cybersecurity / data privacy controls for each system, application and/or service under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.2",
      "ao_id": "GOV-15.2_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners implement required cybersecurity / data privacy controls for each system, application and/or service under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.3",
      "ao_id": "GOV-15.3_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to assess if required cybersecurity / data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.3",
      "ao_id": "GOV-15.3_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners assess if required cybersecurity / data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.4",
      "ao_id": "GOV-15.4_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.4",
      "ao_id": "GOV-15.4_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners obtain authorization for the production use of each system, application and/or service under their control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.5",
      "ao_id": "GOV-15.5_A01",
      "objective": "roles and responsibilities exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity / data privacy controls are operating as intended.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-15.5",
      "ao_id": "GOV-15.5_A02",
      "objective": "Individual Contributor (IC) performance reviews cover how data and/or process owners monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity / data privacy controls are operating as intended.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-16",
      "ao_id": "GOV-16_A01",
      "objective": "organization-specific criteria to define a materiality threshold capable of designating an incident as material is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-16.1",
      "ao_id": "GOV-16.1_A01",
      "objective": "organization-specific criteria to designate a risk as a \"material risk,\" as it pertains to materiality considerations, is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-16.2",
      "ao_id": "GOV-16.2_A01",
      "objective": "organization-specific criteria to designate a threat as a \"material threat,\" as it pertains to materiality considerations, is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-17",
      "ao_id": "GOV-17_A01",
      "objective": "applicable statutory and/or regulatory authorities that require submissions of the organization's cybersecurity and/or data privacy program status are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-17",
      "ao_id": "GOV-17_A02",
      "objective": "contact information and report formatting requirements for applicable statutory and/or regulatory authorities is identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-17",
      "ao_id": "GOV-17_A03",
      "objective": "a documented process exists to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-17",
      "ao_id": "GOV-17_A04",
      "objective": "evidence of historical submissions of the organization's cybersecurity and/or data privacy program status to applicable statutory and/or regulatory authorities is retained.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-18",
      "ao_id": "GOV-18_A01",
      "objective": "a Quality Management System (QMS) is implemented to ensure cybersecurity and data protection processes conform with applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-19",
      "ao_id": "GOV-19_A01",
      "objective": "the basis for confidence that implemented practices conform to applicable security, compliance and resilience controls, where the control implementation performs as intended is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-19.1",
      "ao_id": "GOV-19.1_A01",
      "objective": "Assurance Levels (AL) for assessment activities are defined standardize assurance attributes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-19.1",
      "ao_id": "GOV-19.1_A02",
      "objective": "Assurance Levels (AL) define depth criteria to addresses the rigor and level of detail of an assessment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-19.1",
      "ao_id": "GOV-19.1_A03",
      "objective": "Assurance Levels (AL) define coverage criteria to address the scope and breadth of an assessment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-19.2",
      "ao_id": "GOV-19.2_A01",
      "objective": "defined Assessment Objectives (AO) are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-19.2",
      "ao_id": "GOV-19.2_A02",
      "objective": "AOs are used to assess the implementation of requirements, when available.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-20",
      "ao_id": "GOV-20_A01",
      "objective": "standardized practices to conduct Mergers, Acquisitions and Divestiture (MA&D) activities are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "GOV-20.1",
      "ao_id": "GOV-20.1_A01",
      "objective": "a Virtual Data Room (VDR), or similar technology, is securely provisioned to share documentation among stakeholders to conduct MA&D activities.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A01",
      "objective": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A02",
      "objective": "an official to manage the personnel security policy and procedures is defined.",
      "pptdf": "People",
      "origin": "53A_R5_PS-01_ODP[03]\n53A_R5_PS-01_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A03",
      "objective": "a personnel security policy is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A04",
      "objective": "the personnel security policy is disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A05",
      "objective": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A06",
      "objective": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A07",
      "objective": "the frequency at which the current personnel security policy is reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A08",
      "objective": "events that would require the current personnel security policy to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A09",
      "objective": "the frequency at which the current personnel security procedures are reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A10",
      "objective": "events that would require the personnel security procedures to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A11",
      "objective": "the personnel security procedures are disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A12",
      "objective": "the organization's personnel security policy addresses purpose.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.01(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A13",
      "objective": "the organization's personnel security policy addresses scope.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.01(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A14",
      "objective": "the organization's personnel security policy addresses roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.01(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A15",
      "objective": "the organization's personnel security policy addresses responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.01(a)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A16",
      "objective": "the organization's personnel security policy addresses management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.01(a)[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A17",
      "objective": "the organization's personnel security policy addresses coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.01(a)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A18",
      "objective": "the organization's personnel security policy addresses compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.01(a)[07]\n171A_3.9.2[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A19",
      "objective": "the organization's personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01a.01(b)\n171A_3.9.2[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A20",
      "objective": "an organization-defined official is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures.",
      "pptdf": "People",
      "origin": "53A_R5_PS-01b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A21",
      "objective": "the current personnel security policy is reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01c.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A22",
      "objective": "the current personnel security policy is reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01c.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A23",
      "objective": "the current personnel security procedures are reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01c.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A24",
      "objective": "the current personnel security procedures are reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-01c.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A25",
      "objective": "information security-related duties, roles, and responsibilities are defined.",
      "pptdf": "Process",
      "origin": "171A_3.2.2[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A26",
      "objective": "information security-related duties, roles, and responsibilities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "171A_3.2.2[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A27",
      "objective": "personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.",
      "pptdf": "People",
      "origin": "171A_3.2.2[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A28",
      "objective": "criteria and/or process for terminating system access authorization and any credentials coincident with personnel actions is established.",
      "pptdf": "Process",
      "origin": "171A_3.9.2[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A29",
      "objective": "the time period for account inactivity before disabling is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A30",
      "objective": "the time period within which to notify account managers and designated personnel or roles when accounts are no longer required is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A31",
      "objective": "the time period within which to notify account managers and designated personnel or roles when users are terminated or transferred is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.ODP[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A32",
      "objective": "the time period within which to notify account managers and designated personnel or roles when system usage or the need-to-know changes for an individual is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.ODP[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A33",
      "objective": "personnel management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A34",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support personnel management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A35",
      "objective": "responsibility and authority for the performance of personnel management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01",
      "ao_id": "HRS-01_A36",
      "objective": "personnel performing personnel management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-01.1",
      "ao_id": "HRS-01.1_A01",
      "objective": "the organization proactively governs secure practices to address personnel onboarding, transfers and offboarding actions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-02",
      "ao_id": "HRS-02_A01",
      "objective": "the frequency at which to review / update position risk designations is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-02_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every three years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-02",
      "ao_id": "HRS-02_A02",
      "objective": "a risk designation is assigned to all organizational positions.",
      "pptdf": "People",
      "origin": "53A_R5_PS-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-02",
      "ao_id": "HRS-02_A03",
      "objective": "screening criteria are established for individuals filling organizational positions.",
      "pptdf": "People",
      "origin": "53A_R5_PS-02b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-02",
      "ao_id": "HRS-02_A04",
      "objective": "position risk designations are reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-02c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every three years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-02.1",
      "ao_id": "HRS-02.1_A01",
      "objective": "every user accessing a system, application or service that processes, stores or transmits sensitive / regulated information is cleared and regularly trained to handle the information in question.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-02.2",
      "ao_id": "HRS-02.2_A01",
      "objective": "additional monitoring to be implemented on individuals during probationary periods is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(21)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-02.2",
      "ao_id": "HRS-02.2_A02",
      "objective": "the probationary period of individuals is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(21)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-02.2",
      "ao_id": "HRS-02.2_A03",
      "objective": "additional monitoring of individuals is implemented during the probationary period.",
      "pptdf": "People",
      "origin": "53A_R5_SI-04(21)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03",
      "ao_id": "HRS-03_A01",
      "objective": "cybersecurity / data privacy roles and responsibilities are incorporated into organizational position descriptions.",
      "pptdf": "People",
      "origin": "53A_R5_PS-09[01]\n53A_R5_PS-09[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03",
      "ao_id": "HRS-03_A02",
      "objective": "the incident response plan is protected from unauthorized disclosure.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.05.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03.1",
      "ao_id": "HRS-03.1_A01",
      "objective": "users are formally made aware of their roles and responsibilities to maintain a safe and secure working environment.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03.1",
      "ao_id": "HRS-03.1_A02",
      "objective": "acknowledgement of user awareness is maintained by the organization.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03.2",
      "ao_id": "HRS-03.2_A01",
      "objective": "defined competency requirements ensure that all cybersecurity / data privacy-related positions are staffed by qualified individuals who have the necessary skill set.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03.2",
      "ao_id": "HRS-03.2_A02",
      "objective": "a risk designation is assigned to all organizational positions.",
      "pptdf": "People",
      "origin": "53A_R5_PS-02a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03.2",
      "ao_id": "HRS-03.2_A03",
      "objective": "the frequency at which to review / update position risk designations is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-02_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every three years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03.2",
      "ao_id": "HRS-03.2_A04",
      "objective": "screening criteria are established for individuals filling organizational positions.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-03.2",
      "ao_id": "HRS-03.2_A05",
      "objective": "position risk designations are reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every three years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A01",
      "objective": "conditions that require the rescreening of individuals are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "as required by specific information / access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A02",
      "objective": "the frequency of rescreening individuals where it is so indicated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every three years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A03",
      "objective": "individuals are screened prior to authorizing access to the system.",
      "pptdf": "People",
      "origin": "53A_R5_PS-03a.\n171A_R3_A.03.09.01.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A04",
      "objective": "individuals are rescreened in accordance with organization-defined conditions.",
      "pptdf": "People",
      "origin": "53A_R5_PS-03b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A05",
      "objective": "individuals are screened prior to authorizing access to organizational systems.",
      "pptdf": "People",
      "origin": "171A_3.9.1",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A06",
      "objective": "where rescreening is so indicated, individuals are rescreened per an organization-defined frequency.",
      "pptdf": "People",
      "origin": "53A_R5_PS-03b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every three years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A07",
      "objective": "conditions that require the rescreening of individuals are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.09.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A08",
      "objective": "individuals are rescreened in accordance with the following conditions: <A.03.09.01.ODP[01]: conditions>.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.09.01.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "an organizational policy requiring rescreening when there is a significant incident, or change in status, related to an individual",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04",
      "ao_id": "HRS-04_A09",
      "objective": "upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is reviewed.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.09.02.b.01[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A01",
      "objective": "enhanced personnel screening for individuals is defined.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A02",
      "objective": "the frequency with which to reassess individual positions and access to sensitive / regulated data is defined.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e_ODP[2]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every three years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A03",
      "objective": "individuals that require enhanced personnel screening are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A04",
      "objective": "positions that require access to sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A05",
      "objective": "enhanced personnel screening is conducted for individuals.",
      "pptdf": "People",
      "origin": "172A_3.9.1e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A06",
      "objective": "individual positions and access to sensitive / regulated data are reassessed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every three years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A07",
      "objective": "individuals with access to sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A08",
      "objective": "adverse information about individuals with access to sensitive / regulated data is defined.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A09",
      "objective": "organizational systems to which individuals have access are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A10",
      "objective": "mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A11",
      "objective": "individuals accessing a system, application or service processing, storing or transmitting sensitive / regulated data are cleared.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(01)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A12",
      "objective": "individuals accessing a system, application or service processing, storing or transmitting sensitive / regulated data are indoctrinated to the highest classification level of the information to which they have access on the system.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A13",
      "objective": "additional personnel screening criteria to be satisfied for individuals accessing a system, application or service processing, storing or transmitting information requiring special protection are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(03)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A14",
      "objective": "individuals accessing a system, application or service processing, storing or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned duties.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(03)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A15",
      "objective": "individuals accessing a system, application or service processing, storing or transmitting information requiring special protection satisfy additional personnel screening criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(03)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.1",
      "ao_id": "HRS-04.1_A16",
      "objective": "conditions that require the rescreening of individuals are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.09.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.2",
      "ao_id": "HRS-04.2_A01",
      "objective": "individuals accessing a system, application or service processing, storing or transmitting types of sensitive / regulated data that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.3",
      "ao_id": "HRS-04.3_A01",
      "objective": "information types that are processed, stored or transmitted by a system, application or service that requires individuals accessing the system to meet citizenship requirements are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.3",
      "ao_id": "HRS-04.3_A02",
      "objective": "citizenship requirements to be met by individuals to access a system, application or service processing, storing or transmitting information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(04)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.3",
      "ao_id": "HRS-04.3_A03",
      "objective": "individuals accessing a system, application or service processing, storing or transmitting information types meet citizenship requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-03(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.4",
      "ao_id": "HRS-04.4_A01",
      "objective": "foreign nationals, including by their specific citizenship, are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-04.4",
      "ao_id": "HRS-04.4_A02",
      "objective": "foreign citizenship identification is made conspicuous to other users in environments that contain export-controlled data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05",
      "ao_id": "HRS-05_A01",
      "objective": "through terms of employment, all employees and contractors are required to apply cybersecurity / data privacy principles in their daily work.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05",
      "ao_id": "HRS-05_A02",
      "objective": "rules are provided to individuals who require access to the system.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.03.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A01",
      "objective": "rules that describe responsibilities and expected behavior for system usage and protecting sensitive / regulated data are established.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04a.[01]\n53A_R5_PL-04a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A02",
      "objective": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received.",
      "pptdf": "People",
      "origin": "53A_R5_PL-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A03",
      "objective": "the frequency at which the rules of behavior are reviewed and updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04_ODP[01]\n53A_R5_PL-04_ODP[02]\n171A_R3_A.03.15.03.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every 3 years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A04",
      "objective": "the rules of behavior are reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every 3 years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A05",
      "objective": "the frequency for individuals to read and re-acknowledge the rules of behavior is defined.",
      "pptdf": "People",
      "origin": "53A_R5_PL-04_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A06",
      "objective": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge the organization's current rules of behavior.",
      "pptdf": "People",
      "origin": "53A_R5_PL-04d.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually and when the rules are revised or changed",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A07",
      "objective": "rules that describe responsibilities and expected behavior for system usage and protecting CUI are established.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.15.03.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A08",
      "objective": "the rules of behavior are reviewed <A.03.15.03.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.03.d[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.1",
      "ao_id": "HRS-05.1_A09",
      "objective": "the rules of behavior are updated <A.03.15.03.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.03.d[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.2",
      "ao_id": "HRS-05.2_A01",
      "objective": "the rules of behavior include restrictions on the use of social media, social networking sites and external sites/applications.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.2",
      "ao_id": "HRS-05.2_A02",
      "objective": "the rules of behavior include restrictions on posting organizational information on public websites.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04(01)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.2",
      "ao_id": "HRS-05.2_A03",
      "objective": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04(01)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.2",
      "ao_id": "HRS-05.2_A04",
      "objective": "rules that describe responsibilities and expected behavior for system usage and protecting sensitive / regulated data are established.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.2",
      "ao_id": "HRS-05.2_A05",
      "objective": "rules that describe responsibilities and expected behavior for system usage and protecting CUI are established.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.15.03.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.3",
      "ao_id": "HRS-05.3_A01",
      "objective": "rules that describe responsibilities and expected behavior for system usage and protecting sensitive / regulated data are established.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04a.[01]\n53A_R5_PL-04a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.3",
      "ao_id": "HRS-05.3_A02",
      "objective": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received.",
      "pptdf": "People",
      "origin": "53A_R5_PL-04b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.3",
      "ao_id": "HRS-05.3_A03",
      "objective": "rules that describe responsibilities and expected behavior for system usage and protecting CUI are established.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.15.03.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.4",
      "ao_id": "HRS-05.4_A01",
      "objective": "rules that describe responsibilities and expected behavior for information and system usage, cybersecurity / data privacy are established for individuals requiring access to the system.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04a.[01]\n53A_R5_PL-04a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.4",
      "ao_id": "HRS-05.4_A02",
      "objective": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received.",
      "pptdf": "People",
      "origin": "53A_R5_PL-04b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.5",
      "ao_id": "HRS-05.5_A01",
      "objective": "rules that describe responsibilities and expected behavior for system usage and protecting sensitive / regulated data are established.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-04a.[01]\n53A_R5_PL-04a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.5",
      "ao_id": "HRS-05.5_A02",
      "objective": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received.",
      "pptdf": "People",
      "origin": "53A_R5_PL-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.5",
      "ao_id": "HRS-05.5_A03",
      "objective": "rules that describe responsibilities and expected behavior for system usage and protecting CUI are established.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.15.03.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.6",
      "ao_id": "HRS-05.6_A01",
      "objective": "the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) is prohibited to prevent the unauthorized exfiltration of data and technology assets.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.7",
      "ao_id": "HRS-05.7_A01",
      "objective": "personnel receive recurring familiarization with the organization's cybersecurity / data privacy policies.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.7",
      "ao_id": "HRS-05.7_A02",
      "objective": "a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received before authorizing access to sensitive / regulated data and the system.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-05.7",
      "ao_id": "HRS-05.7_A03",
      "objective": "a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received before authorizing access to CUI and the system.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.15.03.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06",
      "ao_id": "HRS-06_A01",
      "objective": "access agreements are developed and documented for organizational systems.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06",
      "ao_id": "HRS-06_A02",
      "objective": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access.",
      "pptdf": "People",
      "origin": "53A_R5_PS-06c.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually and any time there is a change to the user's level of access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06",
      "ao_id": "HRS-06_A03",
      "objective": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06c.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually and any time there is a change to the user's level of access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06",
      "ao_id": "HRS-06_A04",
      "objective": "the frequency at which to review / update access agreements is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually and any time there is a change to the user's level of access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06",
      "ao_id": "HRS-06_A05",
      "objective": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06_ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually and any time there is a change to the user's level of access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06",
      "ao_id": "HRS-06_A06",
      "objective": "the access agreements are reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A01",
      "objective": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access.",
      "pptdf": "People",
      "origin": "53A_R5_PS-06c.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually and any time there is a change to the user's level of access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A02",
      "objective": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06c.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually and any time there is a change to the user's level of access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A03",
      "objective": "the frequency at which to review / update access agreements is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually and any time there is a change to the user's level of access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A04",
      "objective": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually and any time there is a change to the user's level of access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A05",
      "objective": "access agreements are developed and documented for organizational systems.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A06",
      "objective": "the access agreements are reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A07",
      "objective": "access to sensitive / regulated data requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned duties.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06(02)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A08",
      "objective": "access to sensitive / regulated data requiring special protection is granted only to individuals who satisfy associated personnel security criteria.",
      "pptdf": "Data",
      "origin": "53A_R5_PS-06(02)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.1",
      "ao_id": "HRS-06.1_A09",
      "objective": "access to sensitive / regulated data requiring special protection is granted only to individuals who have read, understood and signed a non-disclosure agreement.",
      "pptdf": "Data",
      "origin": "53A_R5_PS-06(02)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.2",
      "ao_id": "HRS-06.2_A01",
      "objective": "individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-06(03)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-06.2",
      "ao_id": "HRS-06.2_A02",
      "objective": "individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information.",
      "pptdf": "People",
      "origin": "53A_R5_PS-06(03)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A01",
      "objective": "a formal sanctions process is employed for individuals failing to comply with established cybersecurity / data privacy policies and procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-08a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A02",
      "objective": "criteria and/or process for terminating system access authorization and any credentials coincide with personnel actions is established.",
      "pptdf": "Process",
      "origin": "171A_3.9.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A03",
      "objective": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-08_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A04",
      "objective": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-08_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "within twenty-four (24) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A05",
      "objective": "personnel or roles is/are notified within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-08b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "within twenty-four (24) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A06",
      "objective": "system access and credentials are terminated consistent with personnel actions such as termination or transfer.",
      "pptdf": "Technology",
      "origin": "171A_3.9.2[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A07",
      "objective": "the system is protected during and after personnel transfer actions.",
      "pptdf": "Technology",
      "origin": "171A_3.9.2[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A08",
      "objective": "individuals with access to sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A09",
      "objective": "adverse information about individuals with access to sensitive / regulated data is defined.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A10",
      "objective": "organizational systems to which individuals have access are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07",
      "ao_id": "HRS-07_A11",
      "objective": "mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.1",
      "ao_id": "HRS-07.1_A01",
      "objective": "individuals with access to sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.1",
      "ao_id": "HRS-07.1_A02",
      "objective": "adverse information about individuals with access to sensitive / regulated data is defined.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.1",
      "ao_id": "HRS-07.1_A03",
      "objective": "organizational systems to which individuals have access are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.1",
      "ao_id": "HRS-07.1_A04",
      "objective": "mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.2",
      "ao_id": "HRS-07.2_A01",
      "objective": "disciplinary processes are updated due to legal changes (e.g., new laws or regulations).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.2",
      "ao_id": "HRS-07.2_A02",
      "objective": "disciplinary processes are updated due to significant changes to operations (e.g., new locations, technologies, etc.).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.2",
      "ao_id": "HRS-07.2_A03",
      "objective": "disciplinary processes are updated due to applicable threats and risks.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.3",
      "ao_id": "HRS-07.3_A01",
      "objective": "logical access is proactively restricted when an individual with access to sensitive/regulated data is under investigation for personnel sanctions that may lead to employment termination.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-07.3",
      "ao_id": "HRS-07.3_A02",
      "objective": "physical access is proactively restricted when an individual with access to sensitive/regulated data is under investigation for personnel sanctions that may lead to employment termination.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A01",
      "objective": "criteria and/or process for terminating system access authorization and any credentials coincide with personnel actions is established.",
      "pptdf": "Process",
      "origin": "171A_3.9.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A02",
      "objective": "system access and credentials are terminated consistent with personnel actions such as termination or transfer.",
      "pptdf": "Technology",
      "origin": "171A_3.9.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A03",
      "objective": "the system is protected during and after personnel transfer actions.",
      "pptdf": "Technology",
      "origin": "171A_3.9.2[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A04",
      "objective": "transfer or reassignment actions to be initiated following transfer or reassignment are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-05_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A05",
      "objective": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-05_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "twenty-four (24) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A06",
      "objective": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-05_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A07",
      "objective": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-05_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "twenty-four (24) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A08",
      "objective": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-05a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A09",
      "objective": "transfer or reassignment actions are initiated within an organization-defined time period following the formal transfer action.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-05b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "twenty-four (24) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A10",
      "objective": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer.",
      "pptdf": "Technology",
      "origin": "53A_R5_PS-05c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A11",
      "objective": "personnel or roles are notified within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-05d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "twenty-four (24) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A12",
      "objective": "the time period within which to disable system access is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.09.02.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A13",
      "objective": "upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is reviewed.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.09.02.b.01[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A14",
      "objective": "upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is confirmed.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.09.02.b.01[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-08",
      "ao_id": "HRS-08_A15",
      "objective": "upon individual reassignment or transfer to other positions in the organization, access authorization is modified to correspond with any changes in operational need.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.09.02.b.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A01",
      "objective": "criteria and/or process for terminating system access authorization and any credentials coincide with personnel actions is established.",
      "pptdf": "Process",
      "origin": "171A_3.9.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A02",
      "objective": "system access and credentials are terminated consistent with personnel actions such as termination or transfer.",
      "pptdf": "Technology",
      "origin": "171A_3.9.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A03",
      "objective": "the system is protected during and after personnel transfer actions.",
      "pptdf": "Technology",
      "origin": "171A_3.9.2[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A04",
      "objective": "the time period within which to disable system access is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-04_ODP[01]\n171A_R3_A.03.09.02.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A05",
      "objective": "cybersecurity topics to be discussed when conducting exit interviews are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-04_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A06",
      "objective": "upon termination of individual employment, authenticators associated with the individual are terminated or revoked.",
      "pptdf": "Technology",
      "origin": "53A_R5_PS-04a.\n171A_R3_A.03.09.02.a.02[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "four (4) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A07",
      "objective": "upon termination of individual employment, credentials associated with the individual are terminated or revoked.",
      "pptdf": "Technology",
      "origin": "53A_R5_PS-04b.\n171A_R3_A.03.09.02.a.02[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A08",
      "objective": "upon termination of individual employment, exit interviews that include a discussion of cybersecurity topics are conducted.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-04c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A09",
      "objective": "upon termination of individual employment, security-related system property is retrieved.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-04d.\n171A_R3_A.03.09.02.a.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A10",
      "objective": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual is retained.",
      "pptdf": "Data",
      "origin": "53A_R5_PS-04e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A11",
      "objective": "upon termination of individual employment, system access is disabled within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09",
      "ao_id": "HRS-09_A12",
      "objective": "upon termination of individual employment, system access is disabled within <A.03.09.02.ODP[01]: time period>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.09.02.a.01",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "four (4) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.1",
      "ao_id": "HRS-09.1_A01",
      "objective": "upon termination of individual employment, security-related system property is retrieved.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.09.02.a.03",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.2",
      "ao_id": "HRS-09.2_A01",
      "objective": "time period within which to disable accounts of individuals who are discovered to pose significant risk is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(13)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "one (1) hour",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.2",
      "ao_id": "HRS-09.2_A02",
      "objective": "significant risks leading to disabling accounts are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(13)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.2",
      "ao_id": "HRS-09.2_A03",
      "objective": "accounts of individuals are disabled within an organization-defined time period of discovery of organization-defined significant risks.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "one (1) hour",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.2",
      "ao_id": "HRS-09.2_A04",
      "objective": "individuals with access to sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.2",
      "ao_id": "HRS-09.2_A05",
      "objective": "adverse information about individuals with access to sensitive / regulated data is defined.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.2",
      "ao_id": "HRS-09.2_A06",
      "objective": "organizational systems to which individuals have access are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.2",
      "ao_id": "HRS-09.2_A07",
      "objective": "mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.3",
      "ao_id": "HRS-09.3_A01",
      "objective": "terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-04(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.3",
      "ao_id": "HRS-09.3_A02",
      "objective": "terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process.",
      "pptdf": "People",
      "origin": "53A_R5_PS-04(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.4",
      "ao_id": "HRS-09.4_A01",
      "objective": "automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to system resources are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-04(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.4",
      "ao_id": "HRS-09.4_A02",
      "objective": "personnel or roles to be notified upon termination of an individual is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-04(02)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-09.4",
      "ao_id": "HRS-09.4_A03",
      "objective": "automated mechanisms are used to notify personnel or roles of individual termination actions and/or disable access to system resources.",
      "pptdf": "Technology",
      "origin": "53A_R5_PS-04(02)\n53A_R5_PS-04(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-10",
      "ao_id": "HRS-10_A01",
      "objective": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-07_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-10",
      "ao_id": "HRS-10_A02",
      "objective": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-07_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-10",
      "ao_id": "HRS-10_A03",
      "objective": "personnel security requirements are established, including security roles and responsibilities for external providers.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-07a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-10",
      "ao_id": "HRS-10_A04",
      "objective": "external providers are required to comply with personnel security policies and procedures established by the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-07b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-10",
      "ao_id": "HRS-10_A05",
      "objective": "personnel security requirements are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-07c.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-10",
      "ao_id": "HRS-10_A06",
      "objective": "external providers are required to notify personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-07d.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "within twenty-four (24) hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-10",
      "ao_id": "HRS-10_A07",
      "objective": "provider compliance with personnel security requirements is monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_PS-07e.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-11",
      "ao_id": "HRS-11_A01",
      "objective": "the duties of individuals requiring separation to reduce the risk of malevolent activity are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.4[a]\n53A_R5_AC-05_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-11",
      "ao_id": "HRS-11_A02",
      "objective": "responsibilities for duties that require separation are assigned to separate individuals.",
      "pptdf": "Process",
      "origin": "171A_3.1.4[b]\n53A_R5_AC-05a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-11",
      "ao_id": "HRS-11_A03",
      "objective": "separate accounts for individuals whose duties and accesses must be separated to reduce the risk of malevolent activity or collusion are established.",
      "pptdf": "Technology",
      "origin": "171A_3.1.4[c]\n53A_R5_AC-05b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-12",
      "ao_id": "HRS-11_A04",
      "objective": "duties of individuals requiring separation are identified.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.04.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-12",
      "ao_id": "HRS-12_A01",
      "objective": "incompatible development-specific roles are prevented through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-12.1",
      "ao_id": "HRS-12.1_A01",
      "objective": "privileged commands and/or other actions requiring dual authorization are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-12.1",
      "ao_id": "HRS-12.1_A02",
      "objective": "dual authorization is enforced for organization-defined privileged commands and/or other actions.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-03(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-12.1",
      "ao_id": "HRS-12.1_A03",
      "objective": "critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.1e[a]\n53A_R5_CM-05(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-12.1",
      "ao_id": "HRS-12.1_A04",
      "objective": "dual authorization is employed to execute critical or sensitive system and organizational operations.",
      "pptdf": "Technology",
      "origin": "172A_3.1.1e[b]\n53A_R5_CM-05(04)[01]\n53A_R5_CM-05(04)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-13",
      "ao_id": "HRS-13_A01",
      "objective": "critical cybersecurity / data privacy skills needed to support the organization's mission are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-13",
      "ao_id": "HRS-13_A02",
      "objective": "gaps / shortfalls in identified critical cybersecurity / data privacy skills needed to support the organization's mission are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-13.1",
      "ao_id": "HRS-13.1_A01",
      "objective": "a plan to remediate critical skills deficiencies necessary to support the organization's mission and business functions is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-13.1",
      "ao_id": "HRS-13.1_A02",
      "objective": "a plan to remediate critical skills deficiencies necessary to support the organization's mission and business functions is implemented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-13.2",
      "ao_id": "HRS-13.2_A01",
      "objective": "vital cybersecurity / data privacy staff are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-13.3",
      "ao_id": "HRS-13.3_A01",
      "objective": "redundancy for vital cybersecurity / data privacy staff is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-13.3",
      "ao_id": "HRS-13.3_A02",
      "objective": "redundancy for vital cybersecurity / data privacy staff is implemented.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-13.4",
      "ao_id": "HRS-13.4_A01",
      "objective": "succession planning for vital cybersecurity / data privacy roles is performed.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-14",
      "ao_id": "HRS-14_A01",
      "objective": "authorized working locations which are not on organization-controlled premises are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-14.1",
      "ao_id": "HRS-14.1_A01",
      "objective": "authorized working locations are communicated to personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-15",
      "ao_id": "HRS-15_A01",
      "objective": "personnel are empowered to efficiently report suspicious activities and/or behavior without fear of recrimination.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "HRS-15",
      "ao_id": "HRS-15_A02",
      "objective": "personnel are provided with an anonymous means to report suspicious activities and/or behavior.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01",
      "ao_id": "IAC-01_A01",
      "objective": "a capability to govern logical identification and access management controls is implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01",
      "ao_id": "IAC-01_A02",
      "objective": "the Identity & Access Management (IAM) program is organization-wide.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01",
      "ao_id": "IAC-01_A03",
      "objective": "Identity and Access Management (IAM) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01",
      "ao_id": "IAC-01_A04",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Identity and Access Management (IAM) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01",
      "ao_id": "IAC-01_A05",
      "objective": "responsibility and authority for the performance of Identity and Access Management (IAM)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01",
      "ao_id": "IAC-01_A06",
      "objective": "personnel performing Identity and Access Management (IAM)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.1",
      "ao_id": "IAC-01.1_A01",
      "objective": "a record of personnel accountability is retained to ensure there is a record of all access granted to an individual (system and application-wise).",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.1",
      "ao_id": "IAC-01.1_A02",
      "objective": "a record of personnel accountability is retained to ensure there is a record of who provided the authorization.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.1",
      "ao_id": "IAC-01.1_A03",
      "objective": "a record of personnel accountability is retained to ensure there is a record of when the authorization was granted and when the access was last reviewed.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.1",
      "ao_id": "IAC-01.1_A04",
      "objective": "a record of personnel accountability is retained to ensure there is a record of when the access was last reviewed.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.2",
      "ao_id": "IAC-01.2_A01",
      "objective": "access to the system is authorized based on a valid access authorization.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.d.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.2",
      "ao_id": "IAC-01.2_A02",
      "objective": "system users are uniquely identified.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.01.a[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.2",
      "ao_id": "IAC-01.2_A03",
      "objective": "system users are authenticated.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.01.a[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.2",
      "ao_id": "IAC-01.2_A04",
      "objective": "an inventory of Authenticate, Authorize and Audit (AAA) solutions exists, including instances on-premises and hosted by an External Service Provider (ESP).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.2",
      "ao_id": "IAC-01.2_A05",
      "objective": "procedures exist to govern on-premises Authenticate, Authorize and Audit (AAA) solutions by assigned stakeholders.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.2",
      "ao_id": "IAC-01.2_A06",
      "objective": "contracts with External Service Providers (ESPs) contain explicit governance requirements for ESP-controlled Authenticate, Authorize and Audit (AAA) solutions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.2",
      "ao_id": "IAC-01.2_A07",
      "objective": "access to the system is authorized based on intended system usage.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.d.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.2",
      "ao_id": "IAC-01.2_A08",
      "objective": "each type of wireless access to the system is authorized prior to establishing such connections.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.16.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-01.3",
      "ao_id": "IAC-01.3_A01",
      "objective": "a current list of authorized users and services is maintained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02",
      "ao_id": "IAC-02_A01",
      "objective": "system, application and service users are identified.",
      "pptdf": "Process",
      "origin": "171A_3.5.1[a]\n53A_R5_IA-02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02",
      "ao_id": "IAC-02_A02",
      "objective": "the identity of each user is authenticated or verified as a prerequisite to system access.",
      "pptdf": "Technology",
      "origin": "171A_3.5.2[a]\n53A_R5_IA-02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02",
      "ao_id": "IAC-02_A03",
      "objective": "processes acting on behalf of users are associated with uniquely identified and authenticated system users.",
      "pptdf": "Process",
      "origin": "171A_3.5.1[b]\n171A_R3_A.03.05.01.a[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02",
      "ao_id": "IAC-02_A04",
      "objective": "the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.",
      "pptdf": "Process",
      "origin": "171A_3.5.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02",
      "ao_id": "IAC-02_A05",
      "objective": "the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.",
      "pptdf": "Technology",
      "origin": "171A_3.5.2[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02",
      "ao_id": "IAC-02_A06",
      "objective": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02",
      "ao_id": "IAC-02_A07",
      "objective": "devices accessing the system are identified.",
      "pptdf": "Process",
      "origin": "171A_3.5.1[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02",
      "ao_id": "IAC-02_A08",
      "objective": "individual identifiers are managed by uniquely identifying each individual as <A.03.05.05.ODP[02]: characteristic>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.05.d",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "privileged or non-privileged users; contractors, foreign nationals, and/or non-organizational users",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.1",
      "ao_id": "IAC-02.1_A01",
      "objective": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-02(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.2",
      "ao_id": "IAC-02.2_A01",
      "objective": "replay-resistant authentication mechanisms for access to privileged accounts are implemented.",
      "pptdf": "Technology",
      "origin": "171A_3.5.4\n53A_R5_IA-02[01]\n53A_R5_IA-02(08)_ODP\n171A_R3_A.03.05.04[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.2",
      "ao_id": "IAC-02.2_A02",
      "objective": "replay-resistant authentication mechanisms for access to non-privileged accounts are implemented.",
      "pptdf": "Technology",
      "origin": "171A_3.5.4\n53A_R5_IA-02[01]\n53A_R5_IA-02(08)_ODP\n171A_R3_A.03.05.04[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.2",
      "ao_id": "IAC-02.2_A03",
      "objective": "replay resistance is implemented in the establishment of nonlocal maintenance and diagnostic sessions.",
      "pptdf": "Technology",
      "origin": "171A_3.5.4\n53A_R5_IA-02[01]\n53A_R5_IA-02(08)_ODP\n171A_R3_A.03.07.05.b[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.2",
      "ao_id": "IAC-02.2_A04",
      "objective": "systems and system components to identify and authenticate are defined.",
      "pptdf": "Process",
      "origin": "172A_3.5.1e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.2",
      "ao_id": "IAC-02.2_A05",
      "objective": "bidirectional authentication that is cryptographically-based is implemented.",
      "pptdf": "Technology",
      "origin": "172A_3.5.1e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.2",
      "ao_id": "IAC-02.2_A06",
      "objective": "bidirectional authentication that is replay-resistant is implemented.",
      "pptdf": "Technology",
      "origin": "172A_3.5.1e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.2",
      "ao_id": "IAC-02.2_A07",
      "objective": "systems and system components are identified and authenticated before establishing a network connection using bidirectional authentication that is cryptographically-based and replay-resistant.",
      "pptdf": "Process",
      "origin": "172A_3.5.1e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.3",
      "ao_id": "IAC-02.3_A01",
      "objective": "Personal Identity Verification (PIV)-compliant credentials are accepted and electronically verified.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-02(12)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.3",
      "ao_id": "IAC-02.3_A02",
      "objective": "organizational controls for using federated or PKI credentials are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-08(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.3",
      "ao_id": "IAC-02.3_A03",
      "objective": "federated or PKI credentials that meet policy are accepted.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-08(05)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.3",
      "ao_id": "IAC-02.3_A04",
      "objective": "federated or PKI credentials that meet policy are verified.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-08(05)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.4",
      "ao_id": "IAC-02.4_A01",
      "objective": "out-of-band authentication mechanisms to be implemented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-02(13)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.4",
      "ao_id": "IAC-02.4_A02",
      "objective": "conditions under which out-of-band authentication is to be implemented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-02(13)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-02.4",
      "ao_id": "IAC-02.4_A03",
      "objective": "out-of-band authentication mechanisms are implemented under organization-defined conditions.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-02(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03",
      "ao_id": "IAC-03_A01",
      "objective": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-08",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.1",
      "ao_id": "IAC-03.1_A01",
      "objective": "Personal Identity Verification (PIV)-compliant credentials from other federal agencies are accepted.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-08(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.1",
      "ao_id": "IAC-03.1_A02",
      "objective": "Personal Identity Verification (PIV)-compliant credentials from other federal agencies are electronically verified.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-08(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.2",
      "ao_id": "IAC-03.2_A01",
      "objective": "only external authenticators that are NIST-compliant are accepted.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-08(02)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.2",
      "ao_id": "IAC-03.2_A02",
      "objective": "a list of accepted external authenticators is documented.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-08(02)(b)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.2",
      "ao_id": "IAC-03.2_A03",
      "objective": "a list of accepted external authenticators is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-08(02)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.3",
      "ao_id": "IAC-03.3_A01",
      "objective": "identity management profiles are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-08(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.3",
      "ao_id": "IAC-03.3_A02",
      "objective": "there is conformance with identity management profiles for identity management.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-08(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.4",
      "ao_id": "IAC-03.4_A01",
      "objective": "disassociability measures are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-08(06)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.4",
      "ao_id": "IAC-03.4_A02",
      "objective": "measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers and relying parties are implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-08(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-03.5",
      "ao_id": "IAC-03.5_A01",
      "objective": "the use of external authenticators is restricted to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A01",
      "objective": "devices or types of devices to be uniquely identified and authenticated before establishing a connection are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-03_ODP[01]\n171A_R3_A.03.05.02.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A02",
      "objective": "organization-defined devices or types of devices are authenticated before establishing a system connection.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-03\n53A_R5_IA-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A03",
      "objective": "devices and/or types of devices are uniquely identified and authenticated before establishing a local connection.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-03\n53A_R5_IA-03_ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A04",
      "objective": "devices and/or types of devices are uniquely identified and authenticated before establishing a remote connection.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-03\n53A_R5_IA-03_ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A05",
      "objective": "device identification and authentication are handled based on attestation by configuration management process.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-03(04)",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A06",
      "objective": "devices and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more connections are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-03(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A07",
      "objective": "devices and/or types of devices are authenticated before establishing a local connection using bidirectional authentication that is cryptographically based.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-03(01)\n53A_R5_IA-03(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A08",
      "objective": "devices and/or types of devices are authenticated before establishing a remote connection using bidirectional authentication that is cryptographically based.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-03(01)\n53A_R5_IA-03(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A09",
      "objective": "devices and/or types of devices are authenticated before establishing a network connection using bidirectional authentication that is cryptographically based.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-03(01)\n53A_R5_IA-03(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A10",
      "objective": "<A.03.05.02.ODP[01]: devices or types of devices> are uniquely identified before establishing a system connection.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.02[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "all devices for identification, where feasible for authentication, and document when not feasible",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04",
      "ao_id": "IAC-04_A11",
      "objective": "<A.03.05.02.ODP[01]: devices or types of devices> are authenticated before establishing a system connection.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.02[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "all devices for identification, where feasible for authentication, and document when not feasible",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04.1",
      "ao_id": "IAC-04.1_A01",
      "objective": "configuration management process to be employed to handle device identification and authentication based on attestation is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-03(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-04.2",
      "ao_id": "IAC-04.2_A01",
      "objective": "unique device cryptographic communications keys are used to prevent one key from being used to access multiple devices.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-05",
      "ao_id": "IAC-05_A01",
      "objective": "system services and applications to be uniquely identified and authenticated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-09_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-05",
      "ao_id": "IAC-05_A02",
      "objective": "system services and applications are uniquely identified and authenticated before establishing communications with devices, users or other services or applications.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-05.1",
      "ao_id": "IAC-05.1_A01",
      "objective": "third-party service providers provide the organization with current and accurate information for any third-party user with access to the organization's data or assets.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-05.2",
      "ao_id": "IAC-05.2_A01",
      "objective": "privileged access by non-organizational users is prohibited.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06",
      "ao_id": "IAC-06_A01",
      "objective": "multi-factor authentication for access to privileged accounts is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-02(01)\n171A_R3_A.03.05.03[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "local, network and remote",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06",
      "ao_id": "IAC-06_A02",
      "objective": "multi-factor authentication for access to non-privileged accounts is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-02(02)\n171A_R3_A.03.05.03[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "local, network and remote",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06",
      "ao_id": "IAC-06_A03",
      "objective": "system components that are known, authenticated, in a properly configured state or in a trust profile are identified.",
      "pptdf": "Process",
      "origin": "172A_3.5.3e[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06",
      "ao_id": "IAC-06_A04",
      "objective": "automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems are identified.",
      "pptdf": "Process",
      "origin": "172A_3.5.3e[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06",
      "ao_id": "IAC-06_A05",
      "objective": "automated or manual/procedural mechanisms are employed to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state or in a trust profile.",
      "pptdf": "Technology",
      "origin": "172A_3.5.3e[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06",
      "ao_id": "IAC-06_A06",
      "objective": "multi-factor authentication is implemented in the establishment of nonlocal maintenance and diagnostic sessions.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.07.05.b[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06.1",
      "ao_id": "IAC-06.1_A01",
      "objective": "privileged accounts are identified.",
      "pptdf": "Process",
      "origin": "171A_3.5.3[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06.1",
      "ao_id": "IAC-06.1_A02",
      "objective": "multifactor authentication is implemented for network access to privileged accounts.",
      "pptdf": "Technology",
      "origin": "171A_3.5.3[c]\n53A_R5_IA-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06.2",
      "ao_id": "IAC-06.2_A01",
      "objective": "multifactor authentication is implemented for network access to non-privileged accounts.",
      "pptdf": "Technology",
      "origin": "171A_3.5.3[d]\n53A_R5_IA-02(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06.3",
      "ao_id": "IAC-06.3_A01",
      "objective": "privileged accounts are identified.",
      "pptdf": "Process",
      "origin": "171A_3.5.3[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06.3",
      "ao_id": "IAC-06.3_A02",
      "objective": "multifactor authentication is implemented for local access to privileged accounts.",
      "pptdf": "Technology",
      "origin": "171A_3.5.3[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06.4",
      "ao_id": "IAC-06.4_A01",
      "objective": "multi-factor authentication for access to privileged accounts is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-02(01)\n171A_R3_A.03.05.03[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "local, network and remote",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06.4",
      "ao_id": "IAC-06.4_A02",
      "objective": "multi-factor authentication for access to non-privileged accounts is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-02(02)\n171A_R3_A.03.05.03[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "local, network and remote",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-06.5",
      "ao_id": "IAC-06.5_A01",
      "objective": "alternative Multi-Factor Authentication (MFA) tokens can be used when the primary MFA solution is inoperable.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07",
      "ao_id": "IAC-07_A01",
      "objective": "the validation and verification of identity evidence is conducted in person before a designated registration authority.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-12(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07",
      "ao_id": "IAC-07_A02",
      "objective": "authorization is received from organizational personnel or roles to assign an individual, group, role, service, or device identifier.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.05.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07",
      "ao_id": "IAC-07_A03",
      "objective": "system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07",
      "ao_id": "IAC-07_A04",
      "objective": "system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07",
      "ao_id": "IAC-07_A05",
      "objective": "system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07",
      "ao_id": "IAC-07_A06",
      "objective": "system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07",
      "ao_id": "IAC-07_A07",
      "objective": "system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.1",
      "ao_id": "IAC-07.1_A01",
      "objective": "user access rights are revoked following changes in personnel roles and duties, if no longer necessary or permitted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A01",
      "objective": "prerequisites and criteria for group and role membership are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A02",
      "objective": "criteria for account creation, enabling, modification, disabling and removal are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[04]\n171A_3.9.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A03",
      "objective": "personnel or roles required to approve requests to create accounts is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A04",
      "objective": "account managers are assigned.",
      "pptdf": "People",
      "origin": "53A_R5_AC-02b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A05",
      "objective": "attributes (as required) for each account are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A06",
      "objective": "personnel or roles to be notified is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A07",
      "objective": "time period within which to notify account managers when accounts are no longer required is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A08",
      "objective": "time period within which to notify account managers when users are terminated or transferred is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A09",
      "objective": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A10",
      "objective": "attributes needed to authorize system access (as required) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[09]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A11",
      "objective": "the frequency of account review is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[10]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "quarterly for privileged access, annually for non-privileged access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A12",
      "objective": "account types allowed for use within the system are defined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A13",
      "objective": "account types specifically prohibited for use within the system are defined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A14",
      "objective": "prerequisites and criteria for group and role membership are required.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A15",
      "objective": "authorized users of the system are specified.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02d.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A16",
      "objective": "group and role memberships are specified.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02d.02\n171A_R3_A.03.01.01.c.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A17",
      "objective": "access authorizations (i.e., privileges) for each account are specified.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02d.03[01]\n171A_R3_A.03.01.01.c.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A18",
      "objective": "attributes (as required) are specified for each account.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02d.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A19",
      "objective": "approvals are required by personnel or roles for requests to create accounts.",
      "pptdf": "People",
      "origin": "53A_R5_AC-02e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A20",
      "objective": "accounts are created in accordance with policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A21",
      "objective": "accounts are enabled in accordance with policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A22",
      "objective": "accounts are modified in accordance with policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[03]\n171A_3.9.2[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A23",
      "objective": "accounts are disabled in accordance with policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[04]\n171A_3.9.2[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A24",
      "objective": "accounts are removed in accordance with policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A25",
      "objective": "the use of accounts is monitored.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02g.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A26",
      "objective": "account managers and personnel or roles are notified within an organization-defined time period when accounts are no longer required.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02h.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "twenty-four (24) hours when accounts are no longer required",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A27",
      "objective": "account managers and personnel or roles are notified within an organization-defined time period when users are terminated or transferred.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02h.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "eight (8) hours when users are terminated or transferred",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A28",
      "objective": "account managers and personnel or roles are notified within an organization-defined time period when system usage or the need to know changes for an individual.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02h.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "eight (8) hours when system usage or need-to-know changes for an individual",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A29",
      "objective": "access to the system is authorized based on a valid access authorization.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02i.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A30",
      "objective": "access to the system is authorized based on intended system usage.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02i.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A31",
      "objective": "access to the system is authorized based on attributes (as required).",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02i.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A32",
      "objective": "accounts are reviewed for compliance with account management requirements frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02j.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "quarterly for privileged access, annually for non-privileged access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A33",
      "objective": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02k.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A34",
      "objective": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02k.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A35",
      "objective": "account management processes are aligned with personnel termination processes.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02l.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A36",
      "objective": "account management processes are aligned with personnel transfer processes.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02l.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A37",
      "objective": "privileged user accounts are established and administered in accordance with organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(07)_ODP\n53A_R5_AC-02(07)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A38",
      "objective": "privileged role or attribute assignments are monitored.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(07)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A39",
      "objective": "changes to roles or attributes are monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(07)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-07.2",
      "ao_id": "IAC-07.2_A40",
      "objective": "access is revoked when privileged role or attribute assignments are no longer appropriate.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(07)(d)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A01",
      "objective": "the organization implements a role-based access scheme or an attribute-based access scheme.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(07)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A02",
      "objective": "privileged user accounts are established and administered in accordance with organization-defined parameters.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(07)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A03",
      "objective": "access to sensitive / regulated data requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned duties.",
      "pptdf": "Technology",
      "origin": "53A_R5_PS-06(02)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A04",
      "objective": "access to sensitive / regulated data requiring special protection is granted only to individuals who satisfy associated personnel security criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_PS-06(02)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A05",
      "objective": "access to sensitive / regulated data requiring special protection is granted only to individuals who have read, understood and signed a non-disclosure agreement.",
      "pptdf": "Technology",
      "origin": "53A_R5_PS-06(02)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A06",
      "objective": "privileged role or attribute assignments are monitored.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(07)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A07",
      "objective": "changes to roles or attributes are monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(07)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A08",
      "objective": "access is revoked when privileged role or attribute assignments are no longer appropriate.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(07)(d)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A09",
      "objective": "security functions for authorized access are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.05.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A10",
      "objective": "security-relevant information for authorized access is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.05.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A11",
      "objective": "access to <A.03.01.05.ODP[01]: security functions> is authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.05.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at a minimum and if applicable: establishing system accounts and assigning privileges, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, establishing intrusion detection parameters, and managing audit information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A12",
      "objective": "access to <A.03.01.05.ODP[02]: security-relevant information> is authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.05.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at a minimum and if applicable: threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, security architecture, access control lists, and audit information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A13",
      "objective": "logical access restrictions associated with changes to the system are defined and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.05[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-08",
      "ao_id": "IAC-08_A14",
      "objective": "the incident response plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.06.05.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09",
      "ao_id": "IAC-09_A01",
      "objective": "personnel or roles from whom authorization must be received to assign an identifier are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-04_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09",
      "ao_id": "IAC-09_A02",
      "objective": "system identifiers are managed by receiving authorization from personnel or roles to assign to an individual, group, role or device identifier.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-04a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09",
      "ao_id": "IAC-09_A03",
      "objective": "the time period for preventing the reuse of identifiers is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-04_ODP[02]\n171A_3.5.5[a]\n171A_R3_A.03.05.05.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least two (2) years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09",
      "ao_id": "IAC-09_A04",
      "objective": "the reuse of identifiers for an organization-defined time period is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-04d.\n171A_3.5.5[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09",
      "ao_id": "IAC-09_A05",
      "objective": "an identifier that identifies an individual, group, role, service, or device is selected.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-04b.\n171A_R3_A.03.05.05.b[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09",
      "ao_id": "IAC-09_A06",
      "objective": "an identifier that identifies an individual, group, role, service, or device is assigned.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-04c.\n171A_R3_A.03.05.05.b[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09",
      "ao_id": "IAC-09_A07",
      "objective": "the reuse of identifiers for <A.03.05.05.ODP[01]: time period> is prevented.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.05.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least ten (10) years",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.1",
      "ao_id": "IAC-09.1_A01",
      "objective": "characteristics used to identify individual status are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-04(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "contractors; foreign nationals",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.1",
      "ao_id": "IAC-09.1_A02",
      "objective": "individual identifiers are managed by uniquely identifying each individual per organization-defined characteristics.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-04(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "contractors; foreign nationals",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.2",
      "ao_id": "IAC-09.2_A01",
      "objective": "characteristic used to identify individual status is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-04(04)_ODP\n171A_R3_A.03.05.05.ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "contractors; foreign nationals",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.2",
      "ao_id": "IAC-09.2_A02",
      "objective": "individual identifiers are managed by uniquely identifying each individual per an organization-defined characteristic.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-04(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "contractors; foreign nationals",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.2",
      "ao_id": "IAC-09.2_A03",
      "objective": "individual identifiers are managed by uniquely identifying each individual as <A.03.05.05.ODP[02]: characteristic>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.05.d",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "privileged or non-privileged users; contractors, foreign nationals, and/or non-organizational users",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.3",
      "ao_id": "IAC-09.3_A01",
      "objective": "individual identifiers are dynamically managed in accordance with dynamic identifier policy.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-04(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.3",
      "ao_id": "IAC-09.3_A02",
      "objective": "rules for dynamically binding identities and authenticators are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(10)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.3",
      "ao_id": "IAC-09.3_A03",
      "objective": "identities and authenticators are dynamically bound using organization-defined binding rules.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.4",
      "ao_id": "IAC-09.4_A01",
      "objective": "external organizations with whom to coordinate the cross-organization management of identifiers are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-04(06)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.4",
      "ao_id": "IAC-09.4_A02",
      "objective": "cross-organization management of identifiers is coordinated with external organizations.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-04(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.5",
      "ao_id": "IAC-09.5_A01",
      "objective": "security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(08)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.5",
      "ao_id": "IAC-09.5_A02",
      "objective": "security controls are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-09.6",
      "ao_id": "IAC-09.6_A01",
      "objective": "pairwise pseudonymous identifiers are generated.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-04(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A01",
      "objective": "the number of generations during which a password cannot be reused is specified.",
      "pptdf": "Technology",
      "origin": "171A_3.5.8[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A02",
      "objective": "reuse of passwords is prohibited during the specified number of generations.",
      "pptdf": "Technology",
      "origin": "171A_3.5.8[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A03",
      "objective": "an immediate change to a permanent password is required when a temporary password is used for system logon.",
      "pptdf": "Technology",
      "origin": "171A_3.5.9",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A04",
      "objective": "the frequency for changing or refreshing authenticators is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05_ODP[01]\n171A_R3_A.03.05.12.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A05",
      "objective": "events that trigger the change or refreshment of authenticators are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05_ODP[02]\n171A_R3_A.03.05.12.ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A06",
      "objective": "the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution is verified.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05a.\n171A_R3_A.03.05.12.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A07",
      "objective": "initial authenticator content for any authenticators issued by the organization is established.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05b.\n171A_R3_A.03.05.12.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A08",
      "objective": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A09",
      "objective": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised or damaged authenticators; and the revocation of authenticators.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05d.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A10",
      "objective": "default authenticators are changed at first use.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05e.\n171A_R3_A.03.05.12.d",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A11",
      "objective": "authenticators are changed or refreshed per an organization-defined frequency or when organization-defined events occur.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05f.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A12",
      "objective": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05g.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A13",
      "objective": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05h.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A14",
      "objective": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05h.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A15",
      "objective": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05i.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A16",
      "objective": "the frequency at which to update the list of commonly used, expected or compromised passwords is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A17",
      "objective": "authenticator composition and complexity rules are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A18",
      "objective": "administrative procedures for initial authenticator distribution are established.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.12.c[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A19",
      "objective": "administrative procedures for lost, compromised, or damaged authenticators are established.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.12.c[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A20",
      "objective": "administrative procedures for revoking authenticators are established.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.12.c[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A21",
      "objective": "administrative procedures for initial authenticator distribution are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.12.c[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A22",
      "objective": "administrative procedures for lost, compromised, or damaged authenticators are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.12.c[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A23",
      "objective": "administrative procedures for revoking authenticators are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.12.c[06]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A24",
      "objective": "authenticator content is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A25",
      "objective": "authenticators are changed or refreshed <A.03.05.12.ODP[01]: frequency> or when the following events occur: <A.03.05.12.ODP[02]: events>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.12.e",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values:\n(1) never for passwords where MFA is employed, at least every five (5) years for hard tokens and identification badges, and at least every three (3) years for all other authenticators.\n(2) after a relevant security incident or any evidence of compromise or loss.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A26",
      "objective": "authenticator content is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.12.f[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10",
      "ao_id": "IAC-10_A27",
      "objective": "authenticator content is protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.12.f[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A01",
      "objective": "for password-based authentication, a list of commonly used, expected or compromised passwords is maintained and updated frequently and when organizational passwords are suspected to have been compromised directly or indirectly.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A02",
      "objective": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected or compromised passwords.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A03",
      "objective": "for password-based authentication, passwords are only transmitted over cryptographically protected channels.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(c)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A04",
      "objective": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(d)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A05",
      "objective": "for password-based authentication, immediate selection of a new password is required upon account recovery.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(e)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A06",
      "objective": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(f)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A07",
      "objective": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(g)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A08",
      "objective": "organization-defined composition and complexity rules for passwords are enforced.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(h)\n171A_3.5.7[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A09",
      "objective": "password composition and complexity rules are defined.",
      "pptdf": "Process",
      "origin": "171A_3.5.7[a]\n171A_R3_A.03.05.07.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A10",
      "objective": "password change of character requirements are defined.",
      "pptdf": "Process",
      "origin": "171A_3.5.7[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A11",
      "objective": "minimum password complexity requirements, as defined, are enforced when new passwords are created.",
      "pptdf": "Technology",
      "origin": "171A_3.5.7[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A12",
      "objective": "minimum password change of character requirements as defined are enforced when new passwords are created.",
      "pptdf": "Technology",
      "origin": "171A_3.5.7[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.1",
      "ao_id": "IAC-10.1_A13",
      "objective": "the following composition and complexity rules for passwords are enforced: <A.03.05.07.ODP[02]: rules>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.f",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values:\n(1) Must have a minimum length of 16 characters.\n(2) Contains a string of characters that does not include the user’s account name or full name.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.2",
      "ao_id": "IAC-10.2_A01",
      "objective": "authorized access to the corresponding private key is enforced for public key-based authentication.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(02)(a)(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.2",
      "ao_id": "IAC-10.2_A02",
      "objective": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(02)(a)(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.2",
      "ao_id": "IAC-10.2_A03",
      "objective": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(02)(b)(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.2",
      "ao_id": "IAC-10.2_A04",
      "objective": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(02)(b)(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.3",
      "ao_id": "IAC-10.3_A01",
      "objective": "the validation and verification of identity evidence is conducted in person before a designated registration authority.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-12(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A01",
      "objective": "authenticator composition and complexity rules are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A02",
      "objective": "for password-based authentication, composition and complexity rules are enforced.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(01)(h)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A03",
      "objective": "automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are identified.",
      "pptdf": "Process",
      "origin": "172A_3.5.2e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A04",
      "objective": "automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are employed.",
      "pptdf": "Technology",
      "origin": "172A_3.5.2e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A05",
      "objective": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.07.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A06",
      "objective": "a list of commonly used, expected, or compromised passwords is maintained.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.a[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A07",
      "objective": "a list of commonly used, expected, or compromised passwords is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A08",
      "objective": "a list of commonly used, expected, or compromised passwords is updated when organizational passwords are suspected to have been compromised.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.a[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A09",
      "objective": "passwords are verified not to be found on the list of commonly used, expected, or compromised passwords when they are created or updated by users.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.4",
      "ao_id": "IAC-10.4_A10",
      "objective": "a list of commonly used, expected, or compromised passwords is updated <A.03.05.07.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.07.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.5",
      "ao_id": "IAC-10.5_A01",
      "objective": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.5",
      "ao_id": "IAC-10.5_A02",
      "objective": "authenticator content is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.12.f[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.5",
      "ao_id": "IAC-10.5_A03",
      "objective": "authenticator content is protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.12.f[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.5",
      "ao_id": "IAC-10.5_A04",
      "objective": "passwords are stored in a cryptographically protected form.",
      "pptdf": "Technology",
      "origin": "171A_3.5.10[a]\n171A_R3_A.03.05.07.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.5",
      "ao_id": "IAC-10.5_A05",
      "objective": "passwords are cryptographically protected in transit.",
      "pptdf": "Technology",
      "origin": "171A_3.5.10[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.5",
      "ao_id": "IAC-10.5_A06",
      "objective": "passwords are only transmitted over cryptographically protected channels.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.6",
      "ao_id": "IAC-10.6_A01",
      "objective": "unencrypted static authenticators are not embedded in applications or other forms of static storage.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(07)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.7",
      "ao_id": "IAC-10.7_A01",
      "objective": "organization-defined token quality requirements are satisfied for hardware token-based authentication.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.8",
      "ao_id": "IAC-10.8_A01",
      "objective": "developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.9",
      "ao_id": "IAC-10.9_A01",
      "objective": "security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(08)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.9",
      "ao_id": "IAC-10.9_A02",
      "objective": "security controls are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.10",
      "ao_id": "IAC-10.10_A01",
      "objective": "the time period after which the use of cached authenticators is prohibited is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(13)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.10",
      "ao_id": "IAC-10.10_A02",
      "objective": "the use of cached authenticators is prohibited after an organization-defined time period.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A01",
      "objective": "password managers employed for generating and managing passwords are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(18)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A02",
      "objective": "password managers are employed to generate and manage passwords.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(18)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A03",
      "objective": "systems and system components that do not support multifactor authentication or complex account management are identified.",
      "pptdf": "Process",
      "origin": "172A_3.5.2e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A04",
      "objective": "automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are identified.",
      "pptdf": "Process",
      "origin": "172A_3.5.2e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A05",
      "objective": "automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are employed.",
      "pptdf": "Technology",
      "origin": "172A_3.5.2e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A06",
      "objective": "controls for protecting passwords are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(18)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A07",
      "objective": "the passwords are protected using organization-defined controls.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(18)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A08",
      "objective": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.07.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A09",
      "objective": "a list of commonly used, expected, or compromised passwords is maintained.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A10",
      "objective": "a list of commonly used, expected, or compromised passwords is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A11",
      "objective": "a list of commonly used, expected, or compromised passwords is updated when organizational passwords are suspected to have been compromised.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.a[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A12",
      "objective": "passwords are verified not to be found on the list of commonly used, expected, or compromised passwords when they are created or updated by users.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.11",
      "ao_id": "IAC-10.11_A13",
      "objective": "a list of commonly used, expected, or compromised passwords is updated <A.03.05.07.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.05.07.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least quarterly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.12",
      "ao_id": "IAC-10.12_A01",
      "objective": "biometric quality requirements for biometric-based authentication are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(12)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.12",
      "ao_id": "IAC-10.12_A02",
      "objective": "mechanisms that satisfy organization-defined biometric quality requirements are employed for biometric-based authentication.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(12)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.13",
      "ao_id": "IAC-10.13_A01",
      "objective": "authentication credentials are changed at predefined intervals.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.13",
      "ao_id": "IAC-10.13_A02",
      "objective": "authentication credentials are changed upon suspicion of credential compromise.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-10.14",
      "ao_id": "IAC-10.14_A01",
      "objective": "passkeys, or equivalent cryptographic key pairing technologies, are used to authenticate users to Assets, Applications & Services (AAS).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-11",
      "ao_id": "IAC-11_A01",
      "objective": "authentication information is obscured during the authentication process.",
      "pptdf": "Process",
      "origin": "171A_3.5.11",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-11",
      "ao_id": "IAC-11_A02",
      "objective": "feedback of authentication information during the authentication process is obscured.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-06\n171A_R3_A.03.05.11",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-12",
      "ao_id": "IAC-12_A01",
      "objective": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards and guidelines for such authentication.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-07",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-12.1",
      "ao_id": "IAC-12.1_A01",
      "objective": "Hardware Security Modules (HSM) protect authenticators on which the component relies.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-13",
      "ao_id": "IAC-13_A01",
      "objective": "supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-10_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-13",
      "ao_id": "IAC-13_A02",
      "objective": "circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-10_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-13",
      "ao_id": "IAC-13_A03",
      "objective": "individuals accessing the system are required to employ supplemental authentication techniques or mechanisms under specific circumstances or situations.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-10",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-13.1",
      "ao_id": "IAC-13.1_A01",
      "objective": "system accounts and services for which a single sign-on capability must be provided are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-02(10)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-13.1",
      "ao_id": "IAC-13.1_A02",
      "objective": "a single sign-on capability is provided for organization-defined system accounts and services.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-02(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-13.2",
      "ao_id": "IAC-13.2_A01",
      "objective": "external organizations to be used for federating credentials are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-05(09)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-13.2",
      "ao_id": "IAC-13.2_A02",
      "objective": "external organizations are used to federate credentials.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(09)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-13.3",
      "ao_id": "IAC-13.3_A01",
      "objective": "technologies are configured to enforce continuous re-authentication through the lifecycle of entity interactions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-14",
      "ao_id": "IAC-14_A01",
      "objective": "circumstances or situations that require re-authentication are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-11_ODP\n171A_R3_A.03.05.01.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-14",
      "ao_id": "IAC-14_A02",
      "objective": "users are reauthenticated per organization-defined circumstances or situations.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-11",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-14",
      "ao_id": "IAC-14_A03",
      "objective": "users are reauthenticated when <A.03.05.01.ODP[01]: circumstances or situations>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.01.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "roles, authenticators, or credentials change (including modification of user privilege); when security categories of systems change; when the execution of privileged functions occurs; and after a session termination",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A01",
      "objective": "criteria for account creation, enabling, modification, disabling and removal are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A02",
      "objective": "approvals are required by organization-defined personnel or roles for requests to create accounts.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02e.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A03",
      "objective": "accounts are created in accordance with organization-defined policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A04",
      "objective": "accounts are enabled in accordance with organization-defined policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A05",
      "objective": "accounts are modified in accordance with organization-defined policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A06",
      "objective": "accounts are disabled in accordance with organization-defined policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A07",
      "objective": "accounts are removed in accordance with organization-defined policy, procedures, prerequisites and criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02f.[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A08",
      "objective": "the use of accounts is monitored.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02g.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A09",
      "objective": "accounts are reviewed for compliance with account management requirements per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02j.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "quarterly for privileged access, annually for non-privileged access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A10",
      "objective": "account management processes are aligned with personnel termination processes.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02l.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A11",
      "objective": "account management processes are aligned with personnel transfer processes.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02l.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A12",
      "objective": "account managers and organization-defined personnel or roles are notified within an organization-defined time period when accounts are no longer required.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02h.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "twenty-four (24) hours when accounts are no longer required",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A13",
      "objective": "account managers and organization-defined personnel or roles are notified within an organization-defined time period when users are terminated or transferred.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02h.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "eight (8) hours when users are terminated or transferred",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A14",
      "objective": "account managers and organization-defined personnel or roles are notified within an organization-defined time period when system usage or the need to know changes for an individual.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02h.03",
      "assessment_rigor": "1",
      "scf_defined_parameters": "eight (8) hours when system usage or need-to-know changes for an individual",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A15",
      "objective": "access to the system is authorized based on a valid access authorization.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02i.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A16",
      "objective": "access to the system is authorized based on intended system usage.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02i.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A17",
      "objective": "access to the system is authorized based on organization-defined attributes (as required).",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02i.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A18",
      "objective": "the use of system accounts is monitored.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.e",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A19",
      "objective": "system accounts are disabled when the accounts have expired.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.f.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A20",
      "objective": "system accounts are disabled when the accounts have been inactive for <A.03.01.01.ODP[01]: time period>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.f.02",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at most 90 days",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A21",
      "objective": "system accounts are disabled when the accounts are no longer associated with a user or individual.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.f.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A22",
      "objective": "system accounts are disabled when the accounts violate organizational policy.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.f.04",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A23",
      "objective": "system accounts are disabled when significant risks associated with individuals are discovered.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.f.05",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A24",
      "objective": "account types specifically prohibited for use within the system are defined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02a.[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A25",
      "objective": "the types of transactions and functions that authorized users are permitted to execute are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A26",
      "objective": "personnel or roles required to approve requests to create accounts is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A27",
      "objective": "criteria for account creation, enabling, modification, disabling and removal are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A28",
      "objective": "account types allowed for use within the system are defined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A29",
      "objective": "account managers are assigned.",
      "pptdf": "People",
      "origin": "53A_R5_AC-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A30",
      "objective": "system access is limited to the defined types of transactions and functions for authorized users.",
      "pptdf": "Technology",
      "origin": "171A_3.1.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A31",
      "objective": "prerequisites and criteria for group and role membership are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A32",
      "objective": "attributes (as required) for each account are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A33",
      "objective": "personnel or roles required to approve requests to create accounts is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A34",
      "objective": "personnel or roles to be notified is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A35",
      "objective": "time period within which to notify account managers when accounts are no longer required is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A36",
      "objective": "time period within which to notify account managers when users are terminated or transferred is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A37",
      "objective": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A38",
      "objective": "attributes needed to authorize system access (as required) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[09]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A39",
      "objective": "the frequency of account review is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02_ODP[10]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "quarterly for privileged access, annually for non-privileged access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A40",
      "objective": "organization-defined prerequisites and criteria for group and role membership are required.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A41",
      "objective": "authorized users of the system are specified.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02d.01\n171A_R3_A.03.01.01.c.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A42",
      "objective": "group and role membership are specified.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02d.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A43",
      "objective": "access authorizations (e.g., privileges) are specified for each account.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02d.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A44",
      "objective": "organization-defined attributes (as required) are specified for each account.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02d.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A45",
      "objective": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02k.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A46",
      "objective": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02k.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A47",
      "objective": "the time period for account inactivity before disabling is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A48",
      "objective": "system account types allowed are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A49",
      "objective": "system account types prohibited are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A50",
      "objective": "account managers and designated personnel or roles are notified within <A.03.01.01.ODP[02]: time period> when accounts are no longer required.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.g.01",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "24 hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A51",
      "objective": "account managers and designated personnel or roles are notified within <A.03.01.01.ODP[03]: time period> when users are terminated or transferred.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.g.02",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "24 hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A52",
      "objective": "account managers and designated personnel or roles are notified within <A.03.01.01.ODP[04]: time period> when system usage or the need-to-know changes for an individual.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.g.03",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "24 hours",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15",
      "ao_id": "IAC-15_A53",
      "objective": "a new password is selected upon first use after account recovery.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.05.07.e",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.1",
      "ao_id": "IAC-15.1_A01",
      "objective": "automated mechanisms used to support the management of system accounts are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.1",
      "ao_id": "IAC-15.1_A02",
      "objective": "the management of system accounts is supported using organization-defined automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.2",
      "ao_id": "IAC-15.2_A01",
      "objective": "the time period after which to automatically remove or disable temporary or emergency accounts is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(02)_ODP[01]\n53A_R5_AC-02(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "disable temporary and emergency accounts after no more than 96 hours from last use.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.2",
      "ao_id": "IAC-15.2_A02",
      "objective": "temporary and emergency accounts are automatically disabled per an organization-defined time period.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "disable temporary and emergency accounts after no more than 96 hours from last use.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.3",
      "ao_id": "IAC-15.3_A01",
      "objective": "a period of inactivity after which an account / identifier is disabled is defined.",
      "pptdf": "Process",
      "origin": "171A_3.5.6[a]\n53A_R5_AC-02(03)_ODP[01]\n53A_R5_AC-02(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "thirty-five (35) days",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.3",
      "ao_id": "IAC-15.3_A02",
      "objective": "accounts / identifiers are disabled after the defined period of inactivity.",
      "pptdf": "Technology",
      "origin": "171A_3.5.6[b]\n53A_R5_AC-02(03)(d)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "thirty-five (35) days",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.3",
      "ao_id": "IAC-15.3_A03",
      "objective": "accounts / identifiers are disabled within an organization-defined time period when the accounts have expired.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(03)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "thirty-five (35) days",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.3",
      "ao_id": "IAC-15.3_A04",
      "objective": "accounts / identifiers are disabled within an organization-defined time period when the accounts are no longer associated with a user or individual.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(03)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "24 hours for user accounts",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.3",
      "ao_id": "IAC-15.3_A05",
      "objective": "accounts / identifiers are disabled within an organization-defined time period when the accounts are in violation of organizational policy.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(03)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "24 hours for user accounts",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.3",
      "ao_id": "IAC-15.3_A06",
      "objective": "system accounts are disabled when the accounts have been inactive for <A.03.01.01.ODP[01]: time period>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.f.02",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at most 90 days",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.4",
      "ao_id": "IAC-15.4_A01",
      "objective": "account creation is automatically audited.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(04)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.4",
      "ao_id": "IAC-15.4_A02",
      "objective": "account modification is automatically audited.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(04)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.4",
      "ao_id": "IAC-15.4_A03",
      "objective": "account enabling is automatically audited.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(04)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.4",
      "ao_id": "IAC-15.4_A04",
      "objective": "account disabling is automatically audited.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(04)[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.4",
      "ao_id": "IAC-15.4_A05",
      "objective": "account removal actions are automatically audited.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(04)[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.5",
      "ao_id": "IAC-15.5_A01",
      "objective": "conditions for establishing shared and group accounts are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(09)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "organization-defined need with justification statement that explains why such accounts are necessary",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.5",
      "ao_id": "IAC-15.5_A02",
      "objective": "the use of shared and group accounts is only permitted if organization-defined conditions are met.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(09)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "organization-defined need with justification statement that explains why such accounts are necessary",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.6",
      "ao_id": "IAC-15.6_A01",
      "objective": "time period within which to disable accounts of individuals who are discovered to pose significant risk is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(13)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "one (1) hour",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.6",
      "ao_id": "IAC-15.6_A02",
      "objective": "significant risks leading to disabling accounts are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(13)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.6",
      "ao_id": "IAC-15.6_A03",
      "objective": "accounts of individuals are disabled within an organization-defined time period of discovery of significant risks.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "one (1) hour",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A01",
      "objective": "system account types allowed are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.a[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A02",
      "objective": "system account types prohibited are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.a[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A03",
      "objective": "system accounts that cannot be associated with a business process and owner are disabled.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A04",
      "objective": "system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A05",
      "objective": "system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A06",
      "objective": "system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A07",
      "objective": "system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A08",
      "objective": "system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.b[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.7",
      "ao_id": "IAC-15.7_A09",
      "objective": "authorized users of the system are specified.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.c.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.8",
      "ao_id": "IAC-15.8_A01",
      "objective": "circumstances and/or usage conditions to be enforced for system accounts are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(11)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.8",
      "ao_id": "IAC-15.8_A02",
      "objective": "system accounts subject to enforcement of circumstances and/or usage conditions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(11)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.8",
      "ao_id": "IAC-15.8_A03",
      "objective": "organization-defined circumstances and/or usage conditions are enforced for organization-defined system accounts.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(11)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.9",
      "ao_id": "IAC-15.9_A01",
      "objective": "a process exists to establish \"emergency access only\" accounts.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-15.9",
      "ao_id": "IAC-15.9_A02",
      "objective": "\"emergency access only\" accounts are controlled.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16",
      "ao_id": "IAC-16_A01",
      "objective": "privileged access rights for users and services are restricted based on roles.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16",
      "ao_id": "IAC-16_A02",
      "objective": "privileged access rights for users and services are controlled.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16.1",
      "ao_id": "IAC-16.1_A01",
      "objective": "all privileged accounts are inventoried.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16.1",
      "ao_id": "IAC-16.1_A02",
      "objective": "validation is performed that each person with elevated privileges is authorized by the appropriate level of organizational management.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16.2",
      "ao_id": "IAC-16.2_A01",
      "objective": "separate privileged accounts exist between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16.3",
      "ao_id": "IAC-16.3_A01",
      "objective": "privilege change requests require additional levels of authentication (e.g., authentication prompt).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16.4",
      "ao_id": "IAC-16.4_A01",
      "objective": "designated privileged user accounts are controlled to be used solely for duties requiring privileged access.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16.5",
      "ao_id": "IAC-16.5_A01",
      "objective": "instances that require a manual override of the current account privileges to enable the timely response to unusual conditions without terminating the current session and establishing a new session as a higher-privileged user are identified.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16.5",
      "ao_id": "IAC-16.5_A02",
      "objective": "processes/technologies necessary to enable a manual override of the current account privileges to enable the timely response to unusual conditions without terminating the current session and establishing a new session as a higher-privileged user are identified.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-16.5",
      "ao_id": "IAC-16.5_A03",
      "objective": "a capability exists to manually override the current account privileges to enable the timely response to unusual conditions without terminating the current session and establishing a new session as a higher-privileged user.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-17",
      "ao_id": "IAC-17_A01",
      "objective": "the frequency at which to review the privileges assigned to roles or classes of users is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(07)_ODP[01]\n171A_R3_A.03.01.05.ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at a minimum, annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-17",
      "ao_id": "IAC-17_A02",
      "objective": "roles or classes of users to which privileges are assigned are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(07)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all users with privileges",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-17",
      "ao_id": "IAC-17_A03",
      "objective": "the privileges assigned to roles or classes of users are reviewed <A.03.01.05.ODP[03]: frequency> to validate the need for such privileges.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(07)(a)\n171A_R3_A.03.01.05.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-17",
      "ao_id": "IAC-17_A04",
      "objective": "privileges are reassigned or removed, as necessary.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(07)(b)\n171A_R3_A.03.01.05.d",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at a minimum, annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-18",
      "ao_id": "IAC-18_A01",
      "objective": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-05(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-19",
      "ao_id": "IAC-19_A01",
      "objective": "the sharing of generic IDs, passwords or other generic authentication methods is prevented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A01",
      "objective": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-03",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A02",
      "objective": "the principle of least privilege is employed, allowing only authorized access for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A03",
      "objective": "authorized users are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.1[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A04",
      "objective": "processes acting on behalf of authorized users are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.1[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A05",
      "objective": "devices (including other systems) authorized to connect to the system are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.1[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A06",
      "objective": "system access is limited to authorized users.",
      "pptdf": "Technology",
      "origin": "171A_3.1.1[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A07",
      "objective": "system access is limited to processes acting on behalf of authorized users.",
      "pptdf": "Technology",
      "origin": "171A_3.1.1[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A08",
      "objective": "system access is limited to authorized devices (including other systems).",
      "pptdf": "Technology",
      "origin": "171A_3.1.1[f]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A09",
      "objective": "systems and system components included in the scope of the specified enhanced security requirements are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.3e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A10",
      "objective": "systems and system components are included in the scope of the specified enhanced security requirements.",
      "pptdf": "Process",
      "origin": "172A_3.14.3e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20",
      "ao_id": "IAC-20_A11",
      "objective": "systems and system components that are not included in the scope of the specified enhanced security requirements are segregated in purpose-specific networks.",
      "pptdf": "Technology",
      "origin": "172A_3.14.3e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.1",
      "ao_id": "IAC-20.1_A01",
      "objective": "access to sensitive / regulated data is restricted to only those individuals whose job requires such access.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.1",
      "ao_id": "IAC-20.1_A02",
      "objective": "access to <A.03.01.05.ODP[01]: security functions> is authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.05.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at a minimum and if applicable: establishing system accounts and assigning privileges, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, establishing intrusion detection parameters, and managing audit information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.1",
      "ao_id": "IAC-20.1_A03",
      "objective": "access to <A.03.01.05.ODP[02]: security-relevant information> is authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.05.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at a minimum and if applicable: threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, security architecture, access control lists, and audit information",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.1",
      "ao_id": "IAC-20.1_A04",
      "objective": "the incident response plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.06.05.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.2",
      "ao_id": "IAC-20.2_A01",
      "objective": "access to databases containing sensitive / regulated data is restricted to only necessary services or those individuals whose job requires such access.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.3",
      "ao_id": "IAC-20.3_A01",
      "objective": "access to utility programs that are capable of overriding system and application controls is restricted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.4",
      "ao_id": "IAC-20.4_A01",
      "objective": "executing administrative tasks or tasks requiring elevated access is restricted to a dedicated machine.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.5",
      "ao_id": "IAC-20.5_A01",
      "objective": "privileged commands and/or other actions requiring dual authorization are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.5",
      "ao_id": "IAC-20.5_A02",
      "objective": "dual authorization is enforced for organization-defined privileged commands and/or other actions.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-03(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.5",
      "ao_id": "IAC-20.5_A03",
      "objective": "critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.1e[a]\n53A_R5_CM-05(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.5",
      "ao_id": "IAC-20.5_A04",
      "objective": "dual authorization is employed to execute critical or sensitive system and organizational operations.",
      "pptdf": "Technology",
      "origin": "172A_3.1.1e[b]\n53A_R5_CM-05(04)[01]\n53A_R5_CM-05(04)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.6",
      "ao_id": "IAC-20.6_A01",
      "objective": "rules governing the timing of revocations of access authorizations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(08)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.6",
      "ao_id": "IAC-20.6_A02",
      "objective": "revocation of access authorizations is enforced, resulting from changes to the cybersecurity / data privacy attributes of subjects based on organization-defined rules.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-03(08)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.6",
      "ao_id": "IAC-20.6_A03",
      "objective": "revocation of access authorizations is enforced resulting from changes to the cybersecurity / data privacy attributes of objects based on organization-defined rules.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-03(08)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.7",
      "ao_id": "IAC-20.7_A01",
      "objective": "the types of accounts allowed on systems, applications and services are defined and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-20.7",
      "ao_id": "IAC-20.7_A02",
      "objective": "the types of accounts prohibited on systems, applications and services are defined and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21",
      "ao_id": "IAC-21_A01",
      "objective": "organization-defined systems or system components implement the security design principle of least privilege.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-08(14)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21",
      "ao_id": "IAC-21_A02",
      "objective": "privileged accounts are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.5[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21",
      "ao_id": "IAC-21_A03",
      "objective": "access to privileged accounts is authorized in accordance with the principle of least privilege.",
      "pptdf": "Technology",
      "origin": "171A_3.1.5[b]\n53A_R5_AC-06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21",
      "ao_id": "IAC-21_A04",
      "objective": "systems or system components that implement the security design principle of least privilege are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(14)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21",
      "ao_id": "IAC-21_A05",
      "objective": "approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.02[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21",
      "ao_id": "IAC-21_A06",
      "objective": "system access for users (or processes acting on behalf of users) is authorized only when necessary to accomplish assigned organizational tasks.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.05.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21",
      "ao_id": "IAC-21.1_A01",
      "objective": "security functions are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.5[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21",
      "ao_id": "IAC-21.1_A02",
      "objective": "access to security functions is authorized in accordance with the principle of least privilege.",
      "pptdf": "Technology",
      "origin": "171A_3.1.5[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A03",
      "objective": "individuals and roles with authorized access to security functions and security-relevant information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A04",
      "objective": "security functions (deployed in hardware) for authorized access are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all functions not publicly accessible",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A05",
      "objective": "security functions (deployed in software) for authorized access are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(01)_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all functions not publicly accessible",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A06",
      "objective": "security functions (deployed in firmware) for authorized access are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(01)_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all functions not publicly accessible",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A07",
      "objective": "security-relevant information for authorized access is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(01)_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all security-relevant information not publicly available",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A08",
      "objective": "access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in hardware).",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06(01)(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all functions not publicly accessible",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A09",
      "objective": "access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in software).",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06(01)(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all functions not publicly accessible",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A10",
      "objective": "access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in firmware).",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06(01)(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all functions not publicly accessible",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.1",
      "ao_id": "IAC-21.1_A11",
      "objective": "access is authorized for organization-defined individuals and roles to organization-defined security-relevant information.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "all security-relevant information not publicly available",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.2",
      "ao_id": "IAC-21.2_A01",
      "objective": "non-security functions are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.6[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.2",
      "ao_id": "IAC-21.2_A02",
      "objective": "users (or roles) with privileged accounts are required to use non-privileged accounts when accessing non-security functions or non-security information.",
      "pptdf": "Technology",
      "origin": "171A_3.1.6[b]\n53A_R5_AC-06(02)\n171A_R3_A.03.01.06.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.2",
      "ao_id": "IAC-21.2_A03",
      "objective": "security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(02)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.3",
      "ao_id": "IAC-21.3_A01",
      "objective": "personnel or roles to which privileged accounts on the system are to be restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(05)_ODP\n171A_R3_A.03.01.06.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.3",
      "ao_id": "IAC-21.3_A02",
      "objective": "privileged accounts on the system are restricted to <A.03.01.06.ODP[01]: personnel or roles>.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06(05)\n171A_R3_A.03.01.06.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "only defined and authorized personnel or administrative roles",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.4",
      "ao_id": "IAC-21.4_A01",
      "objective": "the execution of privileged functions is logged.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06(09)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.5",
      "ao_id": "IAC-21.5_A01",
      "objective": "privileged functions are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.7[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.5",
      "ao_id": "IAC-21.5_A02",
      "objective": "non-privileged users are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.7[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.5",
      "ao_id": "IAC-21.5_A03",
      "objective": "non-privileged users are prevented from executing privileged functions.",
      "pptdf": "Technology",
      "origin": "171A_3.1.7[c]\n171A_R3_A.03.01.07.a\n53A_R5_AC-06(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.5",
      "ao_id": "IAC-21.5_A04",
      "objective": "the execution of privileged functions is captured in event logs.",
      "pptdf": "Technology",
      "origin": "171A_3.1.7[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.6",
      "ao_id": "IAC-21.6_A01",
      "objective": "privileged commands to which network access is to be authorized only for compelling operational needs are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all privileged commands",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.6",
      "ao_id": "IAC-21.6_A02",
      "objective": "network access to organization-defined privileged commands is authorized only for organization-defined compelling operational needs.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.6",
      "ao_id": "IAC-21.6_A03",
      "objective": "compelling operational needs necessitating network access to privileged commands are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(03)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.6",
      "ao_id": "IAC-21.6_A04",
      "objective": "the rationale for authorizing network access to privileged commands is documented in the security plan for the system.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(03)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.7",
      "ao_id": "IAC-21.7_A01",
      "objective": "software to be prevented from executing at higher privilege levels than users executing the software is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-06(08)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "any software except software explicitly documented",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-21.7",
      "ao_id": "IAC-21.7_A02",
      "objective": "organization-defined software is prevented from executing at higher privilege levels than users executing the software.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-06(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "any software except software explicitly documented",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A01",
      "objective": "the means of limiting unsuccessful logon attempts is defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.8[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A02",
      "objective": "the defined means of limiting unsuccessful logon attempts is implemented.",
      "pptdf": "Technology",
      "origin": "171A_3.1.8[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A03",
      "objective": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-07_ODP[01]\n171A_R3_A.03.01.08.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A04",
      "objective": "<A.03.01.08.ODP[03]: SELECTED PARAMETER VALUES> when the maximum number of unsuccessful attempts is exceeded.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-07b.\n171A_R3_A.03.01.08.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Select one or more: \n- lock the account or node for at least a 15-minute time period; \n- lock the account or node until released by an administrator and notify a system administrator",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A05",
      "objective": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-07_ODP[02]\n171A_R3_A.03.01.08.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A06",
      "objective": "the time period for an account or node to be locked is defined (if selected).",
      "pptdf": "Process",
      "origin": "53A_R5_AC-07_ODP[04]\n171A_R3_A.03.01.08.ODP[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A07",
      "objective": "the delay algorithm for the next logon prompt is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-07_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A08",
      "objective": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-07_ODP[03]\n53A_R5_AC-07_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A09",
      "objective": "a limit of <A.03.01.08.ODP[01]: number> consecutive invalid logon attempts by a user during <A.03.01.08.ODP[02]: time period> is enforced.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-07a.\n171A_R3_A.03.01.08.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values:\n[01] - at most five (5)\n[02] - period of five (5) minutes",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-22",
      "ao_id": "IAC-22_A10",
      "objective": "one or more of the following PARAMETER VALUES are selected: {the account or node is locked automatically for <A.03.01.08.ODP[04]: time period>; the account or node is locked automatically until released by an administrator; the next logon prompt is delayed automatically; the system administrator is notified automatically; other action is taken automatically}.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.08.ODP[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least 15-minute time period",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-23",
      "ao_id": "IAC-23_A01",
      "objective": "accounts and/or account types for which to limit the number of concurrent sessions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-10_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "privileged and non-privileged",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-23",
      "ao_id": "IAC-23_A02",
      "objective": "the number of concurrent sessions to be allowed for each account and/or account type is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-10_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "three (3) sessions for privileged access and two (2) sessions for non-privileged access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-23",
      "ao_id": "IAC-23_A03",
      "objective": "the number of concurrent sessions for each organization-defined account and/or account type is limited to the organization-defined number.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-10",
      "assessment_rigor": "1",
      "scf_defined_parameters": "three (3) sessions for privileged access and two (2) sessions for non-privileged access",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A01",
      "objective": "the period of inactivity after which the system initiates a session lock is defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.10[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A02",
      "objective": "access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity.",
      "pptdf": "Technology",
      "origin": "171A_3.1.10[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A03",
      "objective": "previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.",
      "pptdf": "Technology",
      "origin": "171A_3.1.10[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A04",
      "objective": "the time period of expected inactivity or description of when to log out is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(05)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "When inactivity is anticipated to exceed fifteen (15) minutes. For privileged users, it is also the end of a user's standard work period.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A05",
      "objective": "users are required to log out when the organization-defined time period of expected inactivity is reached or the organization-defined description of when to log out applies.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(05)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "When inactivity is anticipated to exceed fifteen (15) minutes. For privileged users, it is also the end of a user's standard work period.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A06",
      "objective": "the time period of inactivity after which a device lock is initiated is defined (if selected).",
      "pptdf": "Process",
      "origin": "53A_R5_AC-11_ODP[01]\n53A_R5_AC-11_ODP[02]\n171A_R3_A.03.01.10.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "fifteen (15) minutes",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A07",
      "objective": "access to the system is prevented by <A.03.01.10.ODP[01]: SELECTED PARAMETER VALUES>.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-11a.\n171A_R3_A.03.01.10.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "initiating a device lock after “at most 15 minutes” of inactivity and requiring the user to initiate a device lock before leaving the system unattended",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A08",
      "objective": "the device lock is retained until the user reestablishes access using established identification and authentication procedures.",
      "pptdf": "Data",
      "origin": "53A_R5_AC-11b.\n171A_R3_A.03.01.10.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24",
      "ao_id": "IAC-24_A09",
      "objective": "one or more of the following PARAMETER VALUES are selected: {a device lock is initiated after <A.03.01.10.ODP[02]: time period> of inactivity; the user is required to initiate a device lock before leaving the system unattended}.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.10.ODP[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at most 15-minute time period",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-24.1",
      "ao_id": "IAC-24.1_A01",
      "objective": "information previously visible on the display is concealed via device lock with a publicly viewable image.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-11(01)\n171A_R3_A.03.01.10.c",
      "assessment_rigor": "1",
      "scf_defined_parameters": "requiring the user to initiate a device lock before leaving the system unattended.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25",
      "ao_id": "IAC-25_A01",
      "objective": "conditions requiring a user session to terminate are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.11[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25",
      "ao_id": "IAC-25_A02",
      "objective": "conditions or trigger events that require session disconnect are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.11[b]\n171A_R3_A.03.01.11.ODP[01]\n53A_R5_AC-12_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25",
      "ao_id": "IAC-25_A03",
      "objective": "a user session is automatically terminated after any of the defined conditions occur.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-12\n171A_3.1.11[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25",
      "ao_id": "IAC-25_A04",
      "objective": "the time period of expected inactivity requiring users to log out of the system is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.ODP[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25",
      "ao_id": "IAC-25_A05",
      "objective": "circumstances requiring users to log out of the system are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.01.ODP[06]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25",
      "ao_id": "IAC-25_A06",
      "objective": "users are required to log out of the system after <A.03.01.01.ODP[05]: time period> of expected inactivity or when the following circumstances occur: <A.03.01.01.ODP[06]: circumstances>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.01.h",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values:\n[05] - at most 24 hours\n[06] - the work period ends, for privileged users at a minimum",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25",
      "ao_id": "IAC-25_A07",
      "objective": "session connections are terminated when nonlocal maintenance is completed.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.07.05.c[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25",
      "ao_id": "IAC-25_A08",
      "objective": "a user session is terminated automatically after <A.03.01.11.ODP[01]: conditions or trigger events>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.11",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "a specified duration (maximum of 24 hours) of inactivity, misbehavior (end the session due to an attempted policy violation), and maintenance (terminate sessions to prevent issues with an upgrade or service outage)",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25.1",
      "ao_id": "IAC-25.1_A01",
      "objective": "information resources for which a logout capability for user-initiated communications sessions is required are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-12(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-25.1",
      "ao_id": "IAC-25.1_A02",
      "objective": "a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-12(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-26",
      "ao_id": "IAC-26_A01",
      "objective": "user actions that can be performed on the system without identification or authentication are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-14_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-26",
      "ao_id": "IAC-26_A02",
      "objective": "organization-defined user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-14a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-26",
      "ao_id": "IAC-26_A03",
      "objective": "user actions not requiring identification or authentication are documented in the security plan for the system.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-14b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-26",
      "ao_id": "IAC-26_A04",
      "objective": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-14b.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-27",
      "ao_id": "IAC-27_A01",
      "objective": "access control policies for which a reference monitor is implemented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-25_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-27",
      "ao_id": "IAC-27_A02",
      "objective": "a reference monitor is implemented for organization-defined access control policies that is tamper-proof, always invoked and small enough to be subject to analysis and testing, the completeness of which can be assured.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-25",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28",
      "ao_id": "IAC-28_A01",
      "objective": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-12a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28",
      "ao_id": "IAC-28_A02",
      "objective": "user identities are resolved to a unique individual.",
      "pptdf": "Technology",
      "origin": "53A_R5_IA-12b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28",
      "ao_id": "IAC-28_A03",
      "objective": "identity evidence is collected.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12c.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28",
      "ao_id": "IAC-28_A04",
      "objective": "identity evidence is validated.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12c.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28",
      "ao_id": "IAC-28_A05",
      "objective": "identity evidence is verified.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12c.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28.1",
      "ao_id": "IAC-28.1_A01",
      "objective": "the registration process to receive an account for logical access includes supervisor or sponsor authorization.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28.1",
      "ao_id": "IAC-28.1_A02",
      "objective": "access control decisions applied to each access request prior to access enforcement are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-24_ODP[01]\n53A_R5_AC-24_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28.1",
      "ao_id": "IAC-28.1_A03",
      "objective": "organization-defined criteria are taken into account to ensure that access control decisions are applied to each access request prior to access enforcement.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-24",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28.2",
      "ao_id": "IAC-28.2_A01",
      "objective": "evidence of individual identification is presented to the registration authority.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28.3",
      "ao_id": "IAC-28.3_A01",
      "objective": "methods of validation and verification of identity evidence are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28.3",
      "ao_id": "IAC-28.3_A02",
      "objective": "the presented identity evidence is validated and verified through organization-defined methods of validation and verification.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28.4",
      "ao_id": "IAC-28.4_A01",
      "objective": "the validation and verification of identity evidence is conducted in person before a designated registration authority.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-28.5",
      "ao_id": "IAC-28.5_A01",
      "objective": "organization-defined criteria are delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.",
      "pptdf": "Process",
      "origin": "53A_R5_IA-12(05)_ODP\n53A_R5_IA-12(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-29",
      "ao_id": "IAC-29_A01",
      "objective": "Attribute-Based Access Control (ABAC) is enforced for policy-driven, dynamic authorizations that support the secure sharing of information.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-29.1",
      "ao_id": "IAC-29.1_A01",
      "objective": "Machine Learning (ML) is used to make real-time access decisions based on advanced network analytics, leveraging enterprise-wide data sources.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-29.2",
      "ao_id": "IAC-29.2_A01",
      "objective": "access profile rules for sensitive/regulated Data, Assets, Applications & Services (DAAS) access are developed, based on User, Data, Network, Environment & Device attributes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-30",
      "ao_id": "IAC-30_A01",
      "objective": "instances that require Mutual Authentication (MA) are identified, where both sides of a communications channel verify the identity of the other party through certificate exchange.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-30",
      "ao_id": "IAC-30_A02",
      "objective": "technologies to implement MA are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAC-30",
      "ao_id": "IAC-30_A03",
      "objective": "technologies enforce MA, where required.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A01",
      "objective": "an Information Assurance (IA) process is implemented for conducting cybersecurity / data privacy testing, training and monitoring activities associated with systems, applications and services.",
      "pptdf": "Process",
      "origin": "SCF Created\n53A_R5_PM-14a.01[01]\n53A_R5_PM-14a.01[02]\n53A_R5_PM-14a.01[03]\n53A_R5_PM-14a.01[04]\n53A_R5_PM-14a.02[01]\n53A_R5_PM-14a.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A02",
      "objective": "the Information Assurance (IA) program is organization-wide.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-01_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A03",
      "objective": "the authorization processes are integrated into an organization-wide Risk Management Program (RMP).",
      "pptdf": "Process",
      "origin": "53A_R5_PM-10c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A04",
      "objective": "the cybersecurity / data privacy security state of organizational systems and the environments in which those systems operate are managed through authorization processes.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-10a.[01]\n53A_R5_PM-10a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A05",
      "objective": "individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-10b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A06",
      "objective": "information assurance management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A07",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support information assurance management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A08",
      "objective": "responsibility and authority for the performance of information assurance management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01",
      "ao_id": "IAO-01_A09",
      "objective": "personnel performing information assurance management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01.1",
      "ao_id": "IAO-01.1_A01",
      "objective": "assessments are defined as (1) organization-level, (2) mission/business process-level, or (3) system/application/service-level.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01_ODP[03]\n53A_R5_AT-01_ODP[03]\n53A_R5_AU-01_ODP[03]\n53A_R5_CA-01_ODP[03]\n53A_R5_CM-01_ODP[03]\n53A_R5_CP-01_ODP[03]\n53A_R5_IA-01_ODP[03]\n53A_R5_IR-01_ODP[03]\n53A_R5_MA-01_ODP[03]\n53A_R5_MP-01_ODP[03]\n53A_R5_PE-01_ODP[03]\n53A_R5_PL-01_ODP[03]\n53A_R5_PS-01_ODP[03]\n53A_R5_PT-01_ODP[03]\n53A_R5_RA-01_ODP[03]\n53A_R5_SA-01_ODP[03]\n53A_R5_SC-01_ODP[03]\n53A_R5_SI-01_ODP[03]\n53A_R5_SR-01_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-01.1",
      "ao_id": "IAO-01.1_A02",
      "objective": "the scope of assessments is established by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review.",
      "pptdf": "Process",
      "origin": "172A_3.14.3e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A01",
      "objective": "the frequency at which to assess controls in the system and its environment of operation is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A02",
      "objective": "individuals or roles to whom control assessment results are to be provided are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A03",
      "objective": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A04",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A05",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A06",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A07",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A08",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A09",
      "objective": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A10",
      "objective": "security critical or essential software, firmware and hardware components for which to verify correctness are defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.7e_ODP[1]\n172A_3.14.7e_ODP[2]\n172A_3.14.7e_ODP[3]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A11",
      "objective": "verification methods or techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.7e_ODP[4]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A12",
      "objective": "the correctness of security critical or essential software, firmware and hardware components is verified using verification methods or techniques.",
      "pptdf": "Process",
      "origin": "172A_3.14.7e[a]\n172A_3.14.7e[b]\n172A_3.14.7e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A13",
      "objective": "controls are assessed in the system and its environment of operation per an assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established security requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A14",
      "objective": "controls are assessed in the system and its environment of operation per an assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A15",
      "objective": "a control assessment report is produced that documents the results of the assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02",
      "ao_id": "IAO-02_A16",
      "objective": "the results of the control assessment are provided to individuals or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02f.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.1",
      "ao_id": "IAO-02.1_A01",
      "objective": "independent assessors or assessment teams are employed to conduct control assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.2",
      "ao_id": "IAO-02.2_A01",
      "objective": "the frequency at which to include specialized assessments as part of the control assessment is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.2",
      "ao_id": "IAO-02.2_A02",
      "objective": "other forms of announced or unannounced assessment are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02(02)_ODP[02]\n53A_R5_CA-02(02)_ODP[03]\n53A_R5_CA-02(02)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.2",
      "ao_id": "IAO-02.2_A03",
      "objective": "organization-defined specialized assessment frequencies are included as part of control assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.3",
      "ao_id": "IAO-02.3_A01",
      "objective": "external organizations from which the results of control assessments are leveraged are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.3",
      "ao_id": "IAO-02.3_A02",
      "objective": "systems, applications and/or services on which a control assessment is to be performed by an external organization are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.3",
      "ao_id": "IAO-02.3_A03",
      "objective": "requirements to be met by the control assessment performed by an external organization on systems, applications and/or services are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02(03)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.3",
      "ao_id": "IAO-02.3_A04",
      "objective": "the results of control assessments performed by organization-defined external organizations on systems, applications and/or services are leveraged when the assessment meets organization-defined requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-02.4",
      "ao_id": "IAO-02.4_A01",
      "objective": "a Security Assessment Report (SAR) is produced at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A01",
      "objective": "the system boundary is described and documented in the system security plan.",
      "pptdf": "Process",
      "origin": "171A_3.12.4[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A02",
      "objective": "the system components on which sensitive / regulated data is processed are identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A03",
      "objective": "the system components on which sensitive / regulated data is stored are identified and documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A04",
      "objective": "changes to the system or system component location where sensitive / regulated data is processed are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A05",
      "objective": "changes to the system or system component location where sensitive / regulated data is stored are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A06",
      "objective": "a system security plan that describes specific threats to the system that are of concern to the organization is developed.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.02.a.03",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A07",
      "objective": "a system security plan that describes the safeguards in place or planned for meeting the security requirements is developed.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.02.a.06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A08",
      "objective": "a system security plan that identifies individuals that fulfill system roles and responsibilities is developed.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.02.a.07",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A09",
      "objective": "a system security plan that includes other relevant information necessary for the protection of sensitive / regulated data is developed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A10",
      "objective": "the system security plan is reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A11",
      "objective": "the system security plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.15.02.c",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A12",
      "objective": "the security requirements identified and approved by the designated authority as non-applicable are identified.",
      "pptdf": "Process",
      "origin": "171A_3.12.4[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A13",
      "objective": "the method of security requirement implementation is described and documented in the system security plan.",
      "pptdf": "Process",
      "origin": "171A_3.12.4[e]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A14",
      "objective": "the relationship with or connection to other systems is described and documented in the system security plan.",
      "pptdf": "Process",
      "origin": "171A_3.12.4[f]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A15",
      "objective": "the system security plan documents or references the security solution selected.",
      "pptdf": "Process",
      "origin": "172A_3.11.4e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A16",
      "objective": "the system security plan documents or references the rationale for the security solution.",
      "pptdf": "Process",
      "origin": "172A_3.11.4e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A17",
      "objective": "the system security plan documents or references the risk determination.",
      "pptdf": "Process",
      "origin": "172A_3.11.4e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A18",
      "objective": "individuals or groups with whom cybersecurity / data privacy-related activities affecting the system that require planning and coordination is/are assigned.",
      "pptdf": "People",
      "origin": "53A_R5_PL-02_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A19",
      "objective": "personnel or roles to receive distributed copies of the system cybersecurity / data privacy plans is/are assigned.",
      "pptdf": "People",
      "origin": "53A_R5_PL-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A20",
      "objective": "the frequency at which the system security plan is reviewed and updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02_ODP[03]\n171A_3.12.4[g]\n171A_R3_A.03.15.02.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A21",
      "objective": "the system security plan is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "171A_3.12.4[h]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A22",
      "objective": "a security plan for the system is developed that is consistent with the organization's enterprise architecture.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A23",
      "objective": "a privacy plan for the system is developed that is consistent with the organization's enterprise architecture.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A24",
      "objective": "a system security plan that defines the constituent system components is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.02[01]\n171A_R3_A.03.15.02.a.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A25",
      "objective": "a privacy plan for the system is developed that explicitly defines the constituent system components.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A26",
      "objective": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A27",
      "objective": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A28",
      "objective": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.04[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A29",
      "objective": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.04[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A30",
      "objective": "a system security plan that identifies the information types processed, stored, and transmitted by the system is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.05[01]\n171A_R3_A.03.15.02.a.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A31",
      "objective": "a privacy plan for the system is developed that identifies the information types processed, stored and transmitted by the system.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.05[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A32",
      "objective": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.06[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A33",
      "objective": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.06[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A34",
      "objective": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.07[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A35",
      "objective": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.07[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A36",
      "objective": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.08[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A37",
      "objective": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.08[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A38",
      "objective": "a system security plan that describes the operational environment for the system and any dependencies on or connections to other systems or system components is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.09[01]\n53A_R5_PL-02a.09[02]\n171A_3.12.4[c]\n171A_R3_A.03.15.02.a.04",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A39",
      "objective": "a system security plan that provides an overview of the security requirements for the system is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.10[01]\n171A_3.12.4[a]\n171A_R3_A.03.15.02.a.05",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A40",
      "objective": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.10[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A41",
      "objective": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.11[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A42",
      "objective": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.11[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A43",
      "objective": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.12[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A44",
      "objective": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.12[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A45",
      "objective": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.13[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A46",
      "objective": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.13[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A47",
      "objective": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with individuals or groups.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.14[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A48",
      "objective": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with individuals or groups.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.14[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A49",
      "objective": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.15[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A50",
      "objective": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.15[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A51",
      "objective": "copies of the plans are distributed to personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A52",
      "objective": "subsequent changes to the plans are communicated to personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A53",
      "objective": "plans are reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A54",
      "objective": "plans are updated to address changes to the system and environment of operations.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A55",
      "objective": "plans are updated to address problems identified during the plan implementation.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A56",
      "objective": "plans are updated to address problems identified during control assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02d.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A57",
      "objective": "plans are protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_PL-02e.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A58",
      "objective": "plans are protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_PL-02e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A59",
      "objective": "the system components on which CUI is stored are identified and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A60",
      "objective": "the system components on which CUI is stored are identified and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.a[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A61",
      "objective": "changes to the system or system component location where CUI is processed are documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A62",
      "objective": "changes to the system or system component location where CUI is stored are documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.11.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A63",
      "objective": "a system security plan that includes other relevant information necessary for the protection of CUI is developed.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.15.02.a.08",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A64",
      "objective": "the system security plan is reviewed <A.03.15.02.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.02.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03",
      "ao_id": "IAO-03_A65",
      "objective": "the system security plan is updated <A.03.15.02.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.02.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03.1",
      "ao_id": "IAO-03.1_A01",
      "objective": "a cybersecurity / data privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-02a.09[01]\n53A_R5_PL-02a.09[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-03.2",
      "ao_id": "IAO-03.2_A01",
      "objective": "sensitive / regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract is protected.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-04",
      "ao_id": "IAO-04_A01",
      "objective": "the breadth of penetration testing is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-04",
      "ao_id": "IAO-04_A02",
      "objective": "the depth of penetration testing is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-04",
      "ao_id": "IAO-04_A03",
      "objective": "constraints of penetration testing are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-04",
      "ao_id": "IAO-04_A04",
      "objective": "the developer of the system, system component, or system service is required to perform penetration testing at an organization-defined breadth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-04",
      "ao_id": "IAO-04_A05",
      "objective": "the developer of the system, system component, or system service is required to perform penetration testing at an organization-defined level of rigor.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-04",
      "ao_id": "IAO-04_A06",
      "objective": "the developer of the system, system component, or system service is required to perform penetration testing under organization-defined constraints.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A01",
      "objective": "deficiencies and vulnerabilities to be addressed by the plan of action are identified.",
      "pptdf": "Process",
      "origin": "171A_3.12.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A02",
      "objective": "a plan of action is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-05a.\n171A_3.12.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A03",
      "objective": "the frequency at which to update an existing plan of action based on the findings from control assessments, independent audits or reviews and continuous monitoring activities is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-05_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A04",
      "objective": "existing plan of action is updated per an organization-defined frequency based on the findings from control assessments, independent audits or reviews and continuous monitoring activities.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-05b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A05",
      "objective": "a process to ensure the plan of action for the cybersecurity program and associated organizational systems is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A06",
      "objective": "a process to ensure the plan of action for the cybersecurity program and associated organizational systems is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A07",
      "objective": "a process to ensure the plan of action for the privacy program and associated organizational systems is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.01[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A08",
      "objective": "a process to ensure the plan of action for the privacy program and associated organizational systems is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.01[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A09",
      "objective": "a process to ensure the plan of action for the supply chain risk management program and associated organizational systems is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.01[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A10",
      "objective": "a process to ensure the plan of action for the supply chain risk management program and associated organizational systems is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.01[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A11",
      "objective": "a process to ensure the plan of action for the cybersecurity program and associated organizational systems documents remedial cybersecurity risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.02[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A12",
      "objective": "a process to ensure the plan of action for the privacy program and associated organizational systems documents remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.02[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A13",
      "objective": "a process to ensure the plan of action for the supply chain risk management program and associated organizational systems documents remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.02[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A14",
      "objective": "a process to ensure the plan of action for the cybersecurity risk management programs and associated organizational systems is reported in accordance with established reporting requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.03[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A15",
      "objective": "a process to ensure the plan of action for the privacy risk management programs and associated organizational systems is reported in accordance with established reporting requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.03[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A16",
      "objective": "a process to ensure the plan of action for the supply chain risk management programs and associated organizational systems is reported in accordance with established reporting requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04a.03[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A17",
      "objective": "plan of action is reviewed for consistency with the organizational risk management strategy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A18",
      "objective": "plan of action is reviewed for consistency with organization-wide priorities for risk response actions.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-04b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A19",
      "objective": "the developer of the system, system component or system service is required to select and employ security tracking tools for use during the development process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(02)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A20",
      "objective": "the developer of the system, system component or system service is required to select and employ privacy tracking tools for use during the development process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A21",
      "objective": "the frequency at which to update an existing plan of action based on the findings from control assessments, independent audits or reviews and continuous monitoring activities is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-05_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A22",
      "objective": "a plan of action is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-05a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A23",
      "objective": "existing plan of action is updated per an organization-defined frequency based on the findings from control assessments, independent audits or reviews and continuous monitoring activities.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-05b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A24",
      "objective": "a plan of action is developed to document the planned remediation actions for correcting weaknesses or deficiencies noted during security assessments.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.02.a.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A25",
      "objective": "a plan of action is developed to reduce or eliminate known system vulnerabilities.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.02.a.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A26",
      "objective": "the existing plan of action is updated based on the findings from security assessments.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.02.b.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A27",
      "objective": "the existing plan of action is updated based on the findings from audits or reviews.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.02.b.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A28",
      "objective": "the existing plan of action is updated based on the findings from continuous monitoring activities.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.02.b.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05",
      "ao_id": "IAO-05_A29",
      "objective": "the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.",
      "pptdf": "Process",
      "origin": "171A_3.12.2[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05.1",
      "ao_id": "IAO-05.1_A01",
      "objective": "automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action for the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-05(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-05.1",
      "ao_id": "IAO-05.1_A02",
      "objective": "organization-defined automated mechanisms are used to ensure the accuracy, currency, and availability of the plan of action for the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_CA-05(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A01",
      "objective": "the frequency at which to assess controls in the system and its environment of operation is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A02",
      "objective": "individuals or roles to whom control assessment results are to be provided are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A03",
      "objective": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A04",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A05",
      "objective": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A06",
      "objective": "controls are assessed in the system and its environment of operation per an organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established cybersecurity / data privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02d.[01]\n53A_R5_CA-02d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A07",
      "objective": "a control assessment report is produced that documents the results of the assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02e.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A08",
      "objective": "the results of the control assessment are provided to individuals or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02f.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A09",
      "objective": "the impacted controls are implemented correctly with regard to meeting the cybersecurity / data privacy requirements for the system after system changes.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04(02)[01]\n53A_R5_CM-04(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A10",
      "objective": "the impacted controls are operating as intended with regard to meeting the cybersecurity / data privacy requirements for the system after system changes.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04(02)[03]\n53A_R5_CM-04(02)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A11",
      "objective": "the impacted controls are producing the desired outcome with regard to meeting the cybersecurity / data privacy requirements for the system after system changes.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04(02)[05]\n53A_R5_CM-04(02)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A12",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A13",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A14",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-06",
      "ao_id": "IAO-06_A15",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-07",
      "ao_id": "IAO-07_A01",
      "objective": "the frequency at which to update the authorizations is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-06_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-07",
      "ao_id": "IAO-07_A02",
      "objective": "a senior official is assigned as the authorizing official for the system.",
      "pptdf": "People",
      "origin": "53A_R5_CA-06a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-07",
      "ao_id": "IAO-07_A03",
      "objective": "the authorizations are updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-06e.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-07",
      "ao_id": "IAO-07_A04",
      "objective": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems.",
      "pptdf": "People",
      "origin": "53A_R5_CA-06b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-07",
      "ao_id": "IAO-07_A05",
      "objective": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-06c.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-07",
      "ao_id": "IAO-07_A06",
      "objective": "before commencing operations, the authorizing official for the system authorizes the system to operate.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-06c.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IAO-07",
      "ao_id": "IAO-07_A07",
      "objective": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-06d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A01",
      "objective": "the rigor of incident handling activities is comparable and predictable across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04d.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A02",
      "objective": "the intensity of incident handling activities is comparable and predictable across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A03",
      "objective": "the scope of incident handling activities is comparable and predictable across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04d.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A04",
      "objective": "the results of incident handling activities are comparable and predictable across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04d.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A05",
      "objective": "incident handling activities are coordinated with contingency planning activities.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A06",
      "objective": "an operational incident-handling capability is established.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[01]\n171A_3.6.1[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A07",
      "objective": "the operational incident-handling capability includes preparation.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[02]\n171A_3.6.1[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A08",
      "objective": "the operational incident-handling capability includes detection and analysis.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[03]\n171A_3.6.1[c]\n171A_3.6.1[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A09",
      "objective": "the operational incident-handling capability includes containment.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[04]\n171A_3.6.1[e]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A10",
      "objective": "the operational incident-handling capability includes eradication.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A11",
      "objective": "the operational incident-handling capability includes recovery.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[06]\n171A_3.6.1[f]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A12",
      "objective": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A13",
      "objective": "the changes resulting from the incorporated lessons learned are implemented accordingly.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A14",
      "objective": "an incident-handling capability that is consistent with the incident response plan is implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.01[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A15",
      "objective": "incident response management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A16",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support incident response management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A17",
      "objective": "responsibility and authority for the performance of incident response management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-01",
      "ao_id": "IRO-01_A18",
      "objective": "personnel performing incident response management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A01",
      "objective": "an incident handling capability for incidents is implemented that is consistent with the incident response plan.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[01]\n171A_3.6.1[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A02",
      "objective": "the incident handling capability includes preparation.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[02]\n171A_3.6.1[b]\n171A_R3_A.03.06.01[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A03",
      "objective": "the incident handling capability includes detection and analysis.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[03]\n171A_3.6.1[c]\n171A_3.6.1[d]\n171A_R3_A.03.06.01[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A04",
      "objective": "the incident handling capability includes containment.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[04]\n171A_3.6.1[e]\n171A_R3_A.03.06.01[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A05",
      "objective": "the incident handling capability includes eradication.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[05]\n171A_R3_A.03.06.01[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A06",
      "objective": "the incident handling capability includes recovery.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04a.[06]\n171A_3.6.1[f]\n171A_R3_A.03.06.01[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A07",
      "objective": "incident handling activities are coordinated with contingency planning activities.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A08",
      "objective": "the operational incident-handling capability includes user response activities.",
      "pptdf": "Process",
      "origin": "171A_3.6.1[g]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A09",
      "objective": "authorities to whom incidents are to be reported are identified.",
      "pptdf": "Process",
      "origin": "171A_3.6.2[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A10",
      "objective": "organizational officials to whom incidents are to be reported are identified.",
      "pptdf": "Process",
      "origin": "171A_3.6.2[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A11",
      "objective": "identified authorities are notified of incidents.",
      "pptdf": "Process",
      "origin": "171A_3.6.2[e]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A12",
      "objective": "identified organizational officials are notified of incidents.",
      "pptdf": "Process",
      "origin": "171A_3.6.2[f]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A13",
      "objective": "incidents are tracked.",
      "pptdf": "Process",
      "origin": "171A_3.6.2[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A14",
      "objective": "incidents are documented.",
      "pptdf": "Process",
      "origin": "171A_3.6.2[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A15",
      "objective": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training and testing.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A16",
      "objective": "the changes resulting from the incorporated lessons learned are implemented accordingly.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A17",
      "objective": "the rigor of incident handling activities is comparable and predictable across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A18",
      "objective": "the intensity of incident handling activities is comparable and predictable across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A19",
      "objective": "the scope of incident handling activities is comparable and predictable across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04d.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A20",
      "objective": "the results of incident handling activities are comparable and predictable across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04d.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A21",
      "objective": "suspected incidents are reported to the organizational incident response capability within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02",
      "ao_id": "IRO-02_A22",
      "objective": "suspected incidents are reported to the organizational incident response capability within <A.03.06.02.ODP[01]: time period>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "near real time or as soon as practicable upon discovery",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.1",
      "ao_id": "IRO-02.1_A01",
      "objective": "anomalous or suspicious behavior is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.2e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.1",
      "ao_id": "IRO-02.1_A02",
      "objective": "organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior.",
      "pptdf": "Process",
      "origin": "172A_3.14.2e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.1",
      "ao_id": "IRO-02.1_A03",
      "objective": "automated mechanisms used to support the incident handling process are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.1",
      "ao_id": "IRO-02.1_A04",
      "objective": "the incident handling process is supported using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-04(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.1",
      "ao_id": "IRO-02.1_A05",
      "objective": "incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(07)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.1",
      "ao_id": "IRO-02.1_A06",
      "objective": "least-disruptive actions to terminate suspicious events are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(07)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.1",
      "ao_id": "IRO-02.1_A07",
      "objective": "incident response personnel are notified of detected suspicious events.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(07)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.1",
      "ao_id": "IRO-02.1_A08",
      "objective": "least-disruptive actions are taken upon the detection of suspicious events.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(07)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.2",
      "ao_id": "IRO-02.2_A01",
      "objective": "an incident handling capability is implemented for incidents involving insider threats.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.3",
      "ao_id": "IRO-02.3_A01",
      "objective": "types of dynamic reconfiguration for system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.3",
      "ao_id": "IRO-02.3_A02",
      "objective": "system components that require dynamic reconfiguration are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.3",
      "ao_id": "IRO-02.3_A03",
      "objective": "types of dynamic reconfiguration for system components are included as part of the incident response capability.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-04(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.4",
      "ao_id": "IRO-02.4_A01",
      "objective": "classes of incidents requiring an organization-defined action to be taken are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.4",
      "ao_id": "IRO-02.4_A02",
      "objective": "classes of incidents are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.4",
      "ao_id": "IRO-02.4_A03",
      "objective": "actions to be taken in response to organization-defined classes of incidents are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.4",
      "ao_id": "IRO-02.4_A04",
      "objective": "actions are taken in response to those incidents to ensure the continuation of organizational mission and business functions.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(03)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.5",
      "ao_id": "IRO-02.5_A01",
      "objective": "external organizations with whom organizational incident information is to be coordinated and shared are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(08)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.5",
      "ao_id": "IRO-02.5_A02",
      "objective": "incident information to be correlated and shared with organization-defined external organizations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(08)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.5",
      "ao_id": "IRO-02.5_A03",
      "objective": "there is coordination with external organizations to correlate and share incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-02.6",
      "ao_id": "IRO-02.6_A01",
      "objective": "a configurable capability is implemented to automatically disable the system if security violations are detected.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-04(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-03",
      "ao_id": "IRO-03_A01",
      "objective": "anomalous or suspicious behavior is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.2e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-03",
      "ao_id": "IRO-03_A02",
      "objective": "environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(13)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-03",
      "ao_id": "IRO-03_A03",
      "objective": "anomalous or suspected adversarial behavior in or related to organization-defined environments or resources are analyzed.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-03",
      "ao_id": "IRO-03_A04",
      "objective": "organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior.",
      "pptdf": "Technology",
      "origin": "172A_3.14.2e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A01",
      "objective": "personnel or roles that review and approve the incident response plan is/are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A02",
      "objective": "entities, personnel or roles with designated responsibility for incident response are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A03",
      "objective": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.01\n171A_R3_A.03.06.05.a.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A04",
      "objective": "an incident response plan is developed that describes the structure and organization of the incident response capability.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.02\n171A_R3_A.03.06.05.a.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A05",
      "objective": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.03\n171A_R3_A.03.06.05.a.03",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A06",
      "objective": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure and functions.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.04",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A07",
      "objective": "an incident response plan is developed that defines reportable incidents.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.05\n171A_R3_A.03.06.05.a.04",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A08",
      "objective": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A09",
      "objective": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.07",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A10",
      "objective": "an incident response plan is developed that addresses the sharing of incident information.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.08\n171A_R3_A.03.06.05.a.05",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A11",
      "objective": "an incident response plan is developed that is reviewed and approved by personnel or roles frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A12",
      "objective": "an incident response plan is developed that designates responsibilities to organizational entities, personnel, or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08a.10\n171A_R3_A.03.06.05.a.06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A13",
      "objective": "copies of the incident response plan are distributed to designated incident response personnel (identified by name or by role).",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08b.[01]\n171A_R3_A.03.06.05.b[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A14",
      "objective": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A15",
      "objective": "organizational elements to which copies of the incident response plan are to be distributed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A16",
      "objective": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A17",
      "objective": "organizational elements to which changes to the incident response plan are communicated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A18",
      "objective": "copies of the incident response plan are distributed to organizational elements.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08b.[02]\n171A_R3_A.03.06.05.b[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A19",
      "objective": "the frequency at which to review and approve the incident response plan is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A20",
      "objective": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution or testing.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A21",
      "objective": "incident response plan changes are communicated to incident response personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A22",
      "objective": "incident response plan changes are communicated to organizational elements.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A23",
      "objective": "the incident response plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-08e.[01]\n171A_R3_A.03.06.05.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A24",
      "objective": "the incident response plan is protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-08e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A25",
      "objective": "the time period to report suspected incidents to the organizational incident response capability is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04",
      "ao_id": "IRO-04_A26",
      "objective": "authorities to whom incident information is to be reported are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.1",
      "ao_id": "IRO-04.1_A01",
      "objective": "the incident response plan for breaches involving Personal Data (PD) includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.1",
      "ao_id": "IRO-04.1_A02",
      "objective": "the incident response plan for breaches involving Personal Data (PD) includes an assessment process to determine the extent of the harm, embarrassment, inconvenience or unfairness to affected individuals and any mechanisms to mitigate such harms.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08(01)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.1",
      "ao_id": "IRO-04.1_A03",
      "objective": "the incident response plan for breaches involving Personal Data (PD) includes the identification of applicable privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-08(01)(c)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A01",
      "objective": "an official to manage the incident response policy / procedures is defined.",
      "pptdf": "People",
      "origin": "53A_R5_IR-01_ODP[03]\n53A_R5_IR-01_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A02",
      "objective": "the frequency at which the current incident response policy / procedures is reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01_ODP[05]\n53A_R5_IR-01_ODP[07]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A03",
      "objective": "events that would require the current incident response policy / procedures to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01_ODP[06]\n53A_R5_IR-01_ODP[08]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A04",
      "objective": "the current incident response policy / procedures are reviewed / updated organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01c.01[01]\n53A_R5_IR-01c.02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A05",
      "objective": "the current incident response policy / procedures are reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01c.01[02]\n53A_R5_IR-01c.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A06",
      "objective": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.05.c",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A07",
      "objective": "personnel or roles to whom the incident response policy / procedures is to be disseminated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01_ODP[01]\n53A_R5_IR-01_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A08",
      "objective": "an incident response policy is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A09",
      "objective": "the incident response policy is disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A10",
      "objective": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A11",
      "objective": "the incident response procedures are disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A12",
      "objective": "the organization's incident response policy addresses purpose.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.01(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A13",
      "objective": "the organization's incident response policy addresses scope.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.01(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A14",
      "objective": "the organization's incident response policy addresses roles.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.01(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A15",
      "objective": "the organization's incident response policy addresses responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.01(a)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A16",
      "objective": "the organization's incident response policy addresses management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.01(a)[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A17",
      "objective": "the organization's incident response policy addresses coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.01(a)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A18",
      "objective": "the organization's incident response policy addresses compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.01(a)[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A19",
      "objective": "the organization's incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01a.01(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.2",
      "ao_id": "IRO-04.2_A20",
      "objective": "the organization-defined official is designated to manage the development, documentation, and dissemination of the incident response policy and procedures.",
      "pptdf": "People",
      "origin": "53A_R5_IR-01b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.3",
      "ao_id": "IRO-04.3_A01",
      "objective": "qualitative / quantitative data from testing are used to determine the effectiveness of incident response processes.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03(03)(a)[01]\n53A_R5_IR-03(03)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.3",
      "ao_id": "IRO-04.3_A02",
      "objective": "qualitative / quantitative data from testing are used to continuously improve incident response processes.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03(03)(b)[01]\n53A_R5_IR-03(03)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.3",
      "ao_id": "IRO-04.3_A03",
      "objective": "qualitative / quantitative data from testing are used to provide incident response measures and metrics that are accurate.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03(03)(c)[01]\n53A_R5_IR-03(03)(c)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.3",
      "ao_id": "IRO-04.3_A04",
      "objective": "qualitative / quantitative data from testing are used to provide incident response measures and metrics that are consistent.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03(03)(c)[03]\n53A_R5_IR-03(03)(c)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-04.3",
      "ao_id": "IRO-04.3_A05",
      "objective": "qualitative / quantitative data from testing are used to provide incident response measures and metrics in a reproducible format.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03(03)(c)[05]\n53A_R5_IR-03(03)(c)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A01",
      "objective": "incident response training for system users consistent with assigned roles and responsibilities is provided within an organization-defined time period of assuming an incident response role or responsibility or acquiring system access.",
      "pptdf": "People",
      "origin": "53A_R5_IR-02a.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "Ten (10) days for privileged users, thirty (30) days for Incident Response roles",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A02",
      "objective": "events that initiate a review of the incident response training content are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02_ODP[04]\n171A_R3_A.03.06.04.ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A03",
      "objective": "incident response training content is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A04",
      "objective": "incident response training content is reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A05",
      "objective": "the time period within which incident response training is to be provided to system users is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02_ODP[01]\n171A_R3_A.03.06.04.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A06",
      "objective": "the frequency at which to provide incident response training to users after initial training is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02_ODP[02]\n171A_R3_A.03.06.04.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A07",
      "objective": "the frequency at which to review and update incident response training content is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02_ODP[03]\n171A_R3_A.03.06.04.ODP[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A08",
      "objective": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes.",
      "pptdf": "People",
      "origin": "53A_R5_IR-02a.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A09",
      "objective": "incident response training is provided to system users consistent with assigned roles and responsibilities upon role assignment and per an organization-defined frequency thereafter.",
      "pptdf": "People",
      "origin": "53A_R5_IR-02a.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A10",
      "objective": "incident response training content is reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A11",
      "objective": "incident response training content is reviewed / updated following events.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A12",
      "objective": "incident response training on how to identify and respond to a breach is provided.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02(03)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A13",
      "objective": "incident response training on the organization's process for reporting a breach is provided.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02(03)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A14",
      "objective": "incident response training for system users consistent with assigned roles and responsibilities is provided within <A.03.06.04.ODP[01]: time period> of assuming an incident response role or responsibility or acquiring system access.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.06.04.a.01",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "ten (10) days for privileged users, thirty (30) days for all other roles",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A15",
      "objective": "incident response training content is reviewed <A.03.06.04.ODP[03]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.04.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A16",
      "objective": "incident response training content is updated <A.03.06.04.ODP[03]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.04.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A17",
      "objective": "incident response training content is reviewed following <A.03.06.04.ODP[04]: events>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.04.b[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values:\n(1) at least every 12 months\n(2) significant, novel incidents, or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05",
      "ao_id": "IRO-05_A18",
      "objective": "incident response training content is updated following <A.03.06.04.ODP[04]: events>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.04.b[04]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values:\n(1) at least every 12 months\n(2) significant, novel incidents, or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05.1",
      "ao_id": "IRO-05.1_A01",
      "objective": "simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05.2",
      "ao_id": "IRO-05.2_A01",
      "objective": "automated mechanisms used in an incident response training environment are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-05.2",
      "ao_id": "IRO-05.2_A02",
      "objective": "an incident response training environment is provided using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-02(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-06",
      "ao_id": "IRO-06_A01",
      "objective": "the frequency at which to test the effectiveness of the incident response capability for the system is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03_ODP[01]\n171A_R3_A.03.06.03.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-06",
      "ao_id": "IRO-06_A02",
      "objective": "tests used to test the effectiveness of the incident response capability for the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "functional",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-06",
      "ao_id": "IRO-06_A03",
      "objective": "the incident response capability is tested.",
      "pptdf": "Process",
      "origin": "171A_3.6.3",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-06",
      "ao_id": "IRO-06_A04",
      "objective": "the effectiveness of the incident response capability is tested per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-06",
      "ao_id": "IRO-06_A05",
      "objective": "a frequency at which to test intrusion-monitoring tools and mechanisms is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(09)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-06",
      "ao_id": "IRO-06_A06",
      "objective": "intrusion-monitoring tools and mechanisms are tested per an organization-defined frequency.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(09)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-06",
      "ao_id": "IRO-06_A07",
      "objective": "the effectiveness of the incident response capability is tested <A.03.06.03.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.03",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-06.1",
      "ao_id": "IRO-06.1_A01",
      "objective": "incident response testing is coordinated with organizational elements responsible for related plans.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-03(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A01",
      "objective": "an integrated incident response team is established and maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(11)[01]\n172A_3.6.2e[a]\n172A_3.6.2e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A02",
      "objective": "the time period within which an integrated incident response team can be deployed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(11)_ODP\n172A_3.6.2e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A03",
      "objective": "the cyber incident response team can be deployed by the organization within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(11)[02]\n172A_3.6.2e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A04",
      "objective": "suspected incidents are reported to the organizational incident response capability within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A05",
      "objective": "an incident response support resource that offers advice and assistance to system users on handling and reporting incidents is provided.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A06",
      "objective": "a time period for deploying a cyber incident response team is defined.",
      "pptdf": "Process",
      "origin": "172A_3.6.2e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A07",
      "objective": "the cyber incident response team can be deployed by the organization within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "172A_3.6.2e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A08",
      "objective": "the cyber incident response team is maintained.",
      "pptdf": "Process",
      "origin": "172A_3.6.2e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-07",
      "ao_id": "IRO-07_A09",
      "objective": "suspected incidents are reported to the organizational incident response capability within <A.03.06.02.ODP[01]: time period>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "near real time or as soon as practicable upon discovery",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-08",
      "ao_id": "IRO-08_A01",
      "objective": "reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-10(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-08.1",
      "ao_id": "IRO-08.1_A01",
      "objective": "requirements for utilizing a licensed forensic investigator to perform data analysis for evidentiary purposes that may be used in legal proceedings or to prove wrongdoing are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-08.1",
      "ao_id": "IRO-08.1_A02",
      "objective": "where required, only licensed forensic investigators are to perform data analysis for evidentiary purposes that may be used in legal proceedings or to prove wrongdoing.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09",
      "ao_id": "IRO-09_A01",
      "objective": "suspected incidents are reported to the organizational incident response capability within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09",
      "ao_id": "IRO-09_A02",
      "objective": "system security incidents are tracked / reported to internal stakeholders.",
      "pptdf": "Process",
      "origin": "SCF Created\n53A_R5_IR-05[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09",
      "ao_id": "IRO-09_A03",
      "objective": "system security incidents are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-05[02]\n171A_R3_A.03.06.02.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09",
      "ao_id": "IRO-09_A04",
      "objective": "system security incidents are tracked.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.1",
      "ao_id": "IRO-09.1_A01",
      "objective": "automated mechanisms used to track incidents are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-05(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.1",
      "ao_id": "IRO-09.1_A02",
      "objective": "automated mechanisms used to collect incident information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-05(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.1",
      "ao_id": "IRO-09.1_A03",
      "objective": "automated mechanisms used to analyze incident information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-05(01)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.1",
      "ao_id": "IRO-09.1_A04",
      "objective": "incidents are tracked using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-05(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.1",
      "ao_id": "IRO-09.1_A05",
      "objective": "incident information is collected using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-05(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.1",
      "ao_id": "IRO-09.1_A06",
      "objective": "incident information is analyzed using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-05(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.2",
      "ao_id": "IRO-09.2_A01",
      "objective": "incident response activities are periodically reviewed for the existence of recurring incidents.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.3",
      "ao_id": "IRO-09.3_A01",
      "objective": "a repository to document cybersecurity events and incidents is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.3",
      "ao_id": "IRO-09.3_A02",
      "objective": "details of the incident (e.g., category, severity, affected parties, etc.) are documented in the repository.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.3",
      "ao_id": "IRO-09.3_A03",
      "objective": "remediation actions taken through incident closure are documented in the repository.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.3",
      "ao_id": "IRO-09.3_A04",
      "objective": "a summary from the Root Cause Analysis (RCA) is documented in the repository, if applicable.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.4",
      "ao_id": "IRO-09.4_A01",
      "objective": "a method to analyze historical incidents in aggregate is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.4",
      "ao_id": "IRO-09.4_A02",
      "objective": "historical incidents are analyzed in aggregate to identify patterns.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.4",
      "ao_id": "IRO-09.4_A03",
      "objective": "historical incidents are analyzed in aggregate to identify trends.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-09.4",
      "ao_id": "IRO-09.4_A04",
      "objective": "historical incidents are analyzed in aggregate to identify other common root causes in order to address the vulnerability and risk.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10",
      "ao_id": "IRO-10_A01",
      "objective": "the time period to report suspected incidents to the organizational incident response capability is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06_ODP[01]\n171A_R3_A.03.06.02.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10",
      "ao_id": "IRO-10_A02",
      "objective": "authorities to whom incident information is to be reported are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10",
      "ao_id": "IRO-10_A03",
      "objective": "personnel are required to report suspected incidents to the organizational incident response capability within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "without delay",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10",
      "ao_id": "IRO-10_A04",
      "objective": "incident information is reported to organization-defined authorities.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10",
      "ao_id": "IRO-10_A05",
      "objective": "suspected incidents are reported to the organizational incident response capability within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10",
      "ao_id": "IRO-10_A06",
      "objective": "an incident response support resource that offers advice and assistance to system users on handling and reporting incidents is provided.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10",
      "ao_id": "IRO-10_A07",
      "objective": "suspected incidents are reported to the organizational incident response capability within <A.03.06.02.ODP[01]: time period>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "near real time or as soon as practicable upon discovery",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10",
      "ao_id": "IRO-10_A08",
      "objective": "incident information is reported to <A.03.06.02.ODP[02]: authorities>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "all applicable personnel and entities as specified by the contract, and in accordance with any incident response plan notification procedures",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.1",
      "ao_id": "IRO-10.1_A01",
      "objective": "automated mechanisms used for reporting incidents are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.1",
      "ao_id": "IRO-10.1_A02",
      "objective": "incidents are reported using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-06(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.2",
      "ao_id": "IRO-10.2_A01",
      "objective": "sensitive / regulated data incidents are reported in a timely manner.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.2",
      "ao_id": "IRO-10.2_A02",
      "objective": "authorities to whom incident information is to be reported are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.06.02.ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.3",
      "ao_id": "IRO-10.3_A01",
      "objective": "personnel or roles to whom system vulnerabilities associated with reported incidents are reported is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.3",
      "ao_id": "IRO-10.3_A02",
      "objective": "system vulnerabilities associated with reported incidents are reported to personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.4",
      "ao_id": "IRO-10.4_A01",
      "objective": "incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.4",
      "ao_id": "IRO-10.4_A02",
      "objective": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-10.5",
      "ao_id": "IRO-10.5_A01",
      "objective": "serious incidents involving the organization's systems, applications and/or services are reported to relevant authorities in the locality where the incident occurred, in accordance with legal requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-11",
      "ao_id": "IRO-11_A01",
      "objective": "an incident response support resource that offers advice and assistance to system users on handling and reporting incidents is provided.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-07[01]\n171A_R3_A.03.06.02.d",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-11",
      "ao_id": "IRO-11_A02",
      "objective": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-07[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-11.1",
      "ao_id": "IRO-11.1_A01",
      "objective": "automated mechanisms used to increase the availability of incident response information and support are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-07(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-11.1",
      "ao_id": "IRO-11.1_A02",
      "objective": "the availability of incident response information and support is increased using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-07(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-11.2",
      "ao_id": "IRO-11.2_A01",
      "objective": "a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-07(02)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-11.2",
      "ao_id": "IRO-11.2_A02",
      "objective": "organizational incident response team members are identified to the external providers.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-07(02)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A01",
      "objective": "actions to be performed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A02",
      "objective": "the specific information involved in the system contamination is identified in response to information spills.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A03",
      "objective": "personnel or roles is/are alerted of the information spill using a method of communication not associated with the spill.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A04",
      "objective": "the contaminated system or system component is isolated in response to information spills.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09d.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A05",
      "objective": "the information is eradicated from the contaminated system or component in response to information spills.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09e.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A06",
      "objective": "other systems or system components that may have been subsequently contaminated are identified in response to information spills.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09f.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A07",
      "objective": "actions are performed in response to information spills.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09g.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A08",
      "objective": "sensitive / regulated data is removed from publicly accessible systems, if discovered.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12",
      "ao_id": "IRO-12_A09",
      "objective": "CUI is removed from publicly accessible systems, if discovered.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.22.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.1",
      "ao_id": "IRO-12.1_A01",
      "objective": "personnel or roles assigned the responsibility for responding to information spills is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.1",
      "ao_id": "IRO-12.1_A02",
      "objective": "personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.1",
      "ao_id": "IRO-12.1_A03",
      "objective": "personnel or roles is/are assigned the responsibility to respond to information spills.",
      "pptdf": "People",
      "origin": "53A_R5_IR-09a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.2",
      "ao_id": "IRO-12.2_A01",
      "objective": "the frequency at which to provide information spillage response training is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.2",
      "ao_id": "IRO-12.2_A02",
      "objective": "information spillage response training is provided per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.3",
      "ao_id": "IRO-12.3_A01",
      "objective": "procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems undergo corrective actions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.3",
      "ao_id": "IRO-12.3_A02",
      "objective": "procedures are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.",
      "pptdf": "People",
      "origin": "53A_R5_IR-09(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.4",
      "ao_id": "IRO-12.4_A01",
      "objective": "controls employed for personnel exposed to information not within assigned access authorizations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.4",
      "ao_id": "IRO-12.4_A02",
      "objective": "controls are employed for personnel exposed to information not within assigned access authorizations.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-09(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.4",
      "ao_id": "IRO-12.4_A03",
      "objective": "malicious code remaining in the system is analyzed after the incident.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(12)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-12.4",
      "ao_id": "IRO-12.4_A04",
      "objective": "other residual artifacts remaining in the system (if any) are analyzed after the incident.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(12)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-13",
      "ao_id": "IRO-13_A01",
      "objective": "an After Action Review (AAR), or a similar process, is conducted following incidents that require escalation to an Integrated Security Incident Response Team (ISIRT), or similar integrated team of cybersecurity, IT and business function representatives established to address cybersecurity and/or data privacy incident response operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-13",
      "ao_id": "IRO-13_A02",
      "objective": "events that would require the current incident response policy / procedures to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-01_ODP[06]\n53A_R5_IR-01_ODP[08]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-13",
      "ao_id": "IRO-13_A03",
      "objective": "incident response documentation is updated to address necessary changes to enable the timely and effective response to incidents.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-13",
      "ao_id": "IRO-13_A04",
      "objective": "events that initiate a review of the incident response training content are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-02_ODP[04]\n171A_R3_A.03.06.04.ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-14",
      "ao_id": "IRO-14_A01",
      "objective": "time period for personnel to report suspected incidents to the organizational incident response capability is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-14",
      "ao_id": "IRO-14_A02",
      "objective": "authorities to whom incident information is to be reported are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06_ODP[02]\n171A_R3_A.03.06.02.ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-14",
      "ao_id": "IRO-14_A03",
      "objective": "personnel are required to report suspected incidents to the organizational incident response capability within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "without delay",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-14",
      "ao_id": "IRO-14_A04",
      "objective": "incident information is reported to authorities.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-06b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-15",
      "ao_id": "IRO-15_A01",
      "objective": "the system, system component or location where a detonation chamber capability is to be employed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-44_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-15",
      "ao_id": "IRO-15_A02",
      "objective": "a detonation chamber capability is employed within the organization-defined system, system component or location.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-44",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-16",
      "ao_id": "IRO-16_A01",
      "objective": "public relations associated with an incident are managed.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(15)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "IRO-16",
      "ao_id": "IRO-16_A02",
      "objective": "measures are employed to repair the reputation of the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(15)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-01",
      "ao_id": "MDM-01_A01",
      "objective": "policies and standards facilitate the implementation of mobile device management controls.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-01",
      "ao_id": "MDM-01_A02",
      "objective": "usage restrictions are established for mobile devices.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.18.a[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-01",
      "ao_id": "MDM-01_A03",
      "objective": "Mobile Device Management (MDM) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-01",
      "ao_id": "MDM-01_A04",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Mobile Device Management (MDM) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-01",
      "ao_id": "MDM-01_A05",
      "objective": "responsibility and authority for the performance of Mobile Device Management (MDM)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-01",
      "ao_id": "MDM-01_A06",
      "objective": "personnel performing Mobile Device Management (MDM)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-02",
      "ao_id": "MDM-02_A01",
      "objective": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-19a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-02",
      "ao_id": "MDM-02_A02",
      "objective": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-19a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-02",
      "ao_id": "MDM-02_A03",
      "objective": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-19a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-02",
      "ao_id": "MDM-02_A04",
      "objective": "the connection of mobile devices to the system is authorized.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-19b.\n171A_3.1.18[b]\n171A_R3_A.03.01.18.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-02",
      "ao_id": "MDM-02_A05",
      "objective": "mobile devices that process, store or transmit sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.18[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-02",
      "ao_id": "MDM-02_A06",
      "objective": "mobile device connections are monitored and logged.",
      "pptdf": "Technology",
      "origin": "171A_3.1.18[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-03",
      "ao_id": "MDM-03_A01",
      "objective": "mobile devices on which to employ encryption are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-19(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-03",
      "ao_id": "MDM-03_A02",
      "objective": "full-device or container-based encryption is implemented to protect the confidentiality of sensitive / regulated data on mobile devices.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-19(05)_ODP[01]\n53A_R5_AC-19(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-03",
      "ao_id": "MDM-03_A03",
      "objective": "mobile devices and mobile computing platforms that process, store or transmit sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.19[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-03",
      "ao_id": "MDM-03_A04",
      "objective": "encryption is employed to protect sensitive / regulated data on identified mobile devices and mobile computing platforms.",
      "pptdf": "Technology",
      "origin": "171A_3.1.19[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-03",
      "ao_id": "MDM-03_A05",
      "objective": "full-device or container-based encryption is implemented to protect the confidentiality of CUI on mobile devices.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.18.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-04",
      "ao_id": "MDM-04_A01",
      "objective": "anti-tamper technologies to be employed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-04",
      "ao_id": "MDM-04_A02",
      "objective": "hardware components to be protected from physical tampering or alteration are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03(05)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-04",
      "ao_id": "MDM-04_A03",
      "objective": "anti-tamper technologies are employed to detect and/or prevent physical tampering or alteration of hardware components within the system.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03(05)\n53A_R5_PE-03(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-05",
      "ao_id": "MDM-05_A01",
      "objective": "mobile devices to be purged or wiped of information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-07(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-05",
      "ao_id": "MDM-05_A02",
      "objective": "purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-07(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-05",
      "ao_id": "MDM-05_A03",
      "objective": "information is purged or wiped from organization-defined mobile devices based on organization-defined purging or wiping requirements or techniques after an organization-defined number of consecutive, unsuccessful device logon attempts.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-07(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-05",
      "ao_id": "MDM-05_A04",
      "objective": "the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-07(02)_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-05",
      "ao_id": "MDM-05_A05",
      "objective": "systems or system components to purge or wipe information either remotely or under specific conditions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(08)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-05",
      "ao_id": "MDM-05_A06",
      "objective": "conditions under which information is to be purged or wiped are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MP-06(08)_ODP[02]\n53A_R5_MP-06(08)_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-05",
      "ao_id": "MDM-05_A07",
      "objective": "the capability to purge or wipe information from systems or system components based on organization-defined criteria is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_MP-06(08)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-06",
      "ao_id": "MDM-06_A01",
      "objective": "the connection of personally-owned, mobile devices to organizational systems and networks is restricted.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-07",
      "ao_id": "MDM-07_A01",
      "objective": "the installation of non-approved applications or approved applications not obtained through the organization-approved application store is prohibited.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-08",
      "ao_id": "MDM-08_A01",
      "objective": "data retention on mobile devices is limited to the smallest usable dataset and timeframe.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-09",
      "ao_id": "MDM-09_A01",
      "objective": "the functionality of mobile devices is restricted based on geographic location.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-10",
      "ao_id": "MDM-10_A01",
      "objective": "a separate device workspace is enforced on applicable mobile devices to separate work-related and personal-related applications and data.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MDM-11",
      "ao_id": "MDM-11_A01",
      "objective": "unauthorized mobile devices are restricted from communicating with systems, applications and services.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A01",
      "objective": "a maintenance policy is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A02",
      "objective": "the maintenance policy is disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A03",
      "objective": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A04",
      "objective": "the maintenance procedures are disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A05",
      "objective": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A06",
      "objective": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A07",
      "objective": "one or more of the following organization-defined criteria is/are selected: {organization-level; mission/business process-level; system-level}.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A08",
      "objective": "an official to manage the maintenance policy and procedures is defined.",
      "pptdf": "People",
      "origin": "53A_R5_MA-01_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A09",
      "objective": "the frequency with which the current maintenance policy is reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A10",
      "objective": "events that would require the current maintenance policy to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A11",
      "objective": "the frequency with which the current maintenance procedures are reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A12",
      "objective": "events that would require the maintenance procedures to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A13",
      "objective": "the organization's maintenance policy addresses purpose.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.01(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A14",
      "objective": "the organization's maintenance policy addresses scope.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.01(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A15",
      "objective": "the organization's maintenance policy addresses roles.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.01(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A16",
      "objective": "the organization's maintenance policy addresses responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.01(a)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A17",
      "objective": "the organization's maintenance policy addresses management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.01(a)[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A18",
      "objective": "the organization's maintenance policy addresses coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.01(a)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A19",
      "objective": "the organization's maintenance policy addresses compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.01(a)[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A20",
      "objective": "the organization's maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01a.01(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A21",
      "objective": "the organization-defined official is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A22",
      "objective": "the current maintenance policy is reviewed / updated at the organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01c.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A23",
      "objective": "the current maintenance policy is reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01c.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A24",
      "objective": "the current maintenance procedures are reviewed / updated at the organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01c.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A25",
      "objective": "the current maintenance procedures are reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-01c.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A26",
      "objective": "maintenance management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A27",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support maintenance management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A28",
      "objective": "responsibility and authority for the performance of maintenance management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-01",
      "ao_id": "MNT-01_A29",
      "objective": "personnel performing maintenance management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A01",
      "objective": "maintenance, repair and replacement of systems, applications and/or services are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A02",
      "objective": "approved configuration-controlled changes to the system are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.03.c[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A03",
      "objective": "system maintenance is performed.",
      "pptdf": "Process",
      "origin": "171A_3.7.1",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A04",
      "objective": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A05",
      "objective": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair or replacement is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A06",
      "objective": "information to be included in organizational maintenance records is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A07",
      "objective": "maintenance, repair and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A08",
      "objective": "records of maintenance, repair and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A09",
      "objective": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A10",
      "objective": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A11",
      "objective": "personnel or roles is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair or replacement.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A12",
      "objective": "equipment is sanitized to remove information from associated media prior to removal from organizational facilities for off-site maintenance, repair or replacement.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A13",
      "objective": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair or replacement actions.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02",
      "ao_id": "MNT-02_A14",
      "objective": "information is included in organizational maintenance records.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02f.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A01",
      "objective": "automated mechanisms used to schedule maintenance, repair and replacement actions for the system, application and/or service are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A02",
      "objective": "automated mechanisms used to conduct maintenance, repair and replacement actions for the system, application and/or service are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A03",
      "objective": "automated mechanisms used to document maintenance, repair and replacement actions for the system, application and/or service are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02(02)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A04",
      "objective": "automated mechanisms are used to schedule maintenance, repair and replacement actions for the system, application and/or service.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-02(02)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A05",
      "objective": "automated mechanisms are used to conduct maintenance, repair and replacement actions for the system, application and/or service.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-02(02)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A06",
      "objective": "automated mechanisms are used to document maintenance, repair and replacement actions for the system, application and/or service.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-02(02)(a)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A07",
      "objective": "up-to-date, accurate and complete records of all maintenance actions requested, scheduled, in process and completed are produced.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02(02)(b)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A08",
      "objective": "up-to-date, accurate and complete records of all repair actions requested, scheduled, in process and completed are produced.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02(02)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-02.1",
      "ao_id": "MNT-02.1_A09",
      "objective": "up-to-date, accurate and complete records of all replacement actions requested, scheduled, in process and completed are produced.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-02(02)(b)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03",
      "ao_id": "MNT-03_A01",
      "objective": "system components for which maintenance support and/or spare parts are obtained are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03",
      "ao_id": "MNT-03_A02",
      "objective": "time period within which maintenance support and/or spare parts are to be obtained after a failure is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03",
      "ao_id": "MNT-03_A03",
      "objective": "maintenance support and/or spare parts are obtained for system components within an organization-defined time period of failure.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03.1",
      "ao_id": "MNT-03.1_A01",
      "objective": "system components on which preventive maintenance is to be performed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03.1",
      "ao_id": "MNT-03.1_A02",
      "objective": "time intervals within which preventive maintenance is to be performed on system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03.1",
      "ao_id": "MNT-03.1_A03",
      "objective": "preventive maintenance is performed on system components at organization-defined time intervals.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03.2",
      "ao_id": "MNT-03.2_A01",
      "objective": "system components on which predictive maintenance is to be performed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03.2",
      "ao_id": "MNT-03.2_A02",
      "objective": "time intervals within which predictive maintenance is to be performed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "a timeframe to support advertised uptime and availability",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03.2",
      "ao_id": "MNT-03.2_A03",
      "objective": "predictive maintenance is performed on system components at organization-defined time intervals.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03.3",
      "ao_id": "MNT-03.3_A01",
      "objective": "automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-06(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-03.3",
      "ao_id": "MNT-03.3_A02",
      "objective": "predictive maintenance data is transferred to a maintenance management system using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-06(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A01",
      "objective": "tools used to conduct system maintenance are controlled.",
      "pptdf": "Technology",
      "origin": "171A_3.7.2[a]\n53A_R5_MA-03a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A02",
      "objective": "techniques used to conduct system maintenance are controlled.",
      "pptdf": "Process",
      "origin": "171A_3.7.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A03",
      "objective": "mechanisms used to conduct system maintenance are controlled.",
      "pptdf": "Technology",
      "origin": "171A_3.7.2[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A04",
      "objective": "personnel used to conduct system maintenance are controlled.",
      "pptdf": "Process",
      "origin": "171A_3.7.2[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A05",
      "objective": "the use of maintenance tools that execute with increased privilege is monitored.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-03(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A06",
      "objective": "the frequency at which to review previously approved system maintenance tools is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-03_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A07",
      "objective": "the use of system maintenance tools is approved.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-03a.[01]\n171A_R3_A.03.07.04.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A08",
      "objective": "the use of system maintenance tools is controlled.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.07.04.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A09",
      "objective": "the use of system maintenance tools is monitored.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-03a.[03]\n171A_R3_A.03.07.04.a[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A10",
      "objective": "previously approved system maintenance tools are reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-03b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04",
      "ao_id": "MNT-04_A11",
      "objective": "maintenance tools are inspected to ensure that the latest software updates and patches are installed.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-03(06)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.1",
      "ao_id": "MNT-04.1_A01",
      "objective": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-03(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.2",
      "ao_id": "MNT-04.2_A01",
      "objective": "media with diagnostic and test programs are checked for malicious code before the media are used in the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-03(02)\n171A_3.7.4\n171A_R3_A.03.07.04.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.3",
      "ao_id": "MNT-04.3_A01",
      "objective": "personnel or roles who can authorize removal of equipment from the facility is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-03(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "the information owner",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.3",
      "ao_id": "MNT-04.3_A02",
      "objective": "the removal of system maintenance equipment containing sensitive / regulated data is prevented by verifying that there is no sensitive / regulated data on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.",
      "pptdf": "Data",
      "origin": "53A_R5_MA-03(03)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.3",
      "ao_id": "MNT-04.3_A03",
      "objective": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment.",
      "pptdf": "Data",
      "origin": "53A_R5_MA-03(03)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.3",
      "ao_id": "MNT-04.3_A04",
      "objective": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility.",
      "pptdf": "Data",
      "origin": "53A_R5_MA-03(03)(c)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.3",
      "ao_id": "MNT-04.3_A05",
      "objective": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from personnel or roles explicitly authorizing removal of the equipment from the facility.",
      "pptdf": "Data",
      "origin": "53A_R5_MA-03(03)(d)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.3",
      "ao_id": "MNT-04.3_A06",
      "objective": "the removal of system maintenance equipment containing CUI is prevented by verifying that there is no CUI on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.07.04.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-04.4",
      "ao_id": "MNT-04.4_A01",
      "objective": "the use of maintenance tools is restricted to authorized personnel only.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-03(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A01",
      "objective": "nonlocal maintenance and diagnostic activities are approved.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04a.[01]\n171A_R3_A.03.07.05.a[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A02",
      "objective": "nonlocal maintenance and diagnostic activities are monitored.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04a.[02]\n171A_R3_A.03.07.05.a[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A03",
      "objective": "the use of nonlocal maintenance and diagnostic tools is allowed only as consistent with organizational policy.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A04",
      "objective": "the use of nonlocal maintenance and diagnostic tools is documented in the security plan for the system.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A05",
      "objective": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A06",
      "objective": "records for nonlocal maintenance and diagnostic activities are maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A07",
      "objective": "session connections are terminated when nonlocal maintenance is completed.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04e.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A08",
      "objective": "network connections are terminated when nonlocal maintenance is completed.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A09",
      "objective": "multifactor authentication is used to establish nonlocal maintenance sessions via external network connections.",
      "pptdf": "Technology",
      "origin": "171A_3.7.5[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05",
      "ao_id": "MNT-05_A10",
      "objective": "nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.",
      "pptdf": "Technology",
      "origin": "171A_3.7.5[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.1",
      "ao_id": "MNT-05.1_A01",
      "objective": "nonlocal maintenance and diagnostic activities are monitored.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.1",
      "ao_id": "MNT-05.1_A02",
      "objective": "audit events to be logged for nonlocal maintenance are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.1",
      "ao_id": "MNT-05.1_A03",
      "objective": "audit events to be logged for diagnostic sessions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.1",
      "ao_id": "MNT-05.1_A04",
      "objective": "audit events are logged for nonlocal maintenance sessions.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(01)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.1",
      "ao_id": "MNT-05.1_A05",
      "objective": "audit events are logged for nonlocal diagnostic sessions.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(01)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.1",
      "ao_id": "MNT-05.1_A06",
      "objective": "the audit records of the maintenance sessions are reviewed to detect anomalous behavior.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(01)(b)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.1",
      "ao_id": "MNT-05.1_A07",
      "objective": "the audit records of the diagnostic sessions are reviewed to detect anomalous behavior.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(01)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.2",
      "ao_id": "MNT-05.2_A01",
      "objective": "personnel and roles to be notified of the date and time of planned nonlocal maintenance is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(05)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.2",
      "ao_id": "MNT-05.2_A02",
      "objective": "personnel and roles are notified of the date and time of planned nonlocal maintenance.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(05)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.3",
      "ao_id": "MNT-05.3_A01",
      "objective": "cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(06)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.3",
      "ao_id": "MNT-05.3_A02",
      "objective": "cryptographic mechanisms are implemented to protect the integrity of nonlocal maintenance and diagnostic communications.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(06)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.3",
      "ao_id": "MNT-05.3_A03",
      "objective": "cryptographic mechanisms are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(06)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.3",
      "ao_id": "MNT-05.3_A04",
      "objective": "replay resistance is implemented in the establishment of nonlocal maintenance and diagnostic sessions.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.07.05.b[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.4",
      "ao_id": "MNT-05.4_A01",
      "objective": "session connections are terminated when nonlocal maintenance is completed.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.07.05.c[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.4",
      "ao_id": "MNT-05.4_A02",
      "objective": "session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(07)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.4",
      "ao_id": "MNT-05.4_A03",
      "objective": "network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(07)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.5",
      "ao_id": "MNT-05.5_A01",
      "objective": "personnel or roles required to approve each nonlocal maintenance session is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.5",
      "ao_id": "MNT-05.5_A02",
      "objective": "the approval of each nonlocal maintenance session is required by personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(05)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.6",
      "ao_id": "MNT-05.6_A01",
      "objective": "nonlocal maintenance / diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(03)(a)[01]\n53A_R5_MA-04(03)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.6",
      "ao_id": "MNT-05.6_A02",
      "objective": "alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed or disconnected from the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.6",
      "ao_id": "MNT-05.6_A03",
      "objective": "the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(03)(b)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.6",
      "ao_id": "MNT-05.6_A04",
      "objective": "the component to be serviced is sanitized (for organizational information).",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(03)(b)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.6",
      "ao_id": "MNT-05.6_A05",
      "objective": "the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(03)(b)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.7",
      "ao_id": "MNT-05.7_A01",
      "objective": "authenticators that are replay resistant are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-04(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.7",
      "ao_id": "MNT-05.7_A02",
      "objective": "nonlocal maintenance sessions are protected by employing organization-defined authenticators that are replay resistant.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(04)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.7",
      "ao_id": "MNT-05.7_A03",
      "objective": "nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(04)(b)(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-05.7",
      "ao_id": "MNT-05.7_A04",
      "objective": "nonlocal maintenance sessions are protected by logically separated communication paths.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-04(04)(b)(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06",
      "ao_id": "MNT-06_A01",
      "objective": "a process for maintenance personnel authorization is established.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05a.[01]\n171A_R3_A.03.07.06.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06",
      "ao_id": "MNT-06_A02",
      "objective": "a list of authorized maintenance organizations or personnel is maintained.",
      "pptdf": "Technology",
      "origin": "53A_R5_MA-05a.[02]\n171A_R3_A.03.07.06.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06",
      "ao_id": "MNT-06_A03",
      "objective": "non-escorted personnel who perform maintenance on the system possess the required access authorizations.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05b.\n171A_R3_A.03.07.06.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A01",
      "objective": "maintenance personnel without required access authorization are supervised during maintenance activities.",
      "pptdf": "Process",
      "origin": "171A_3.7.6",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A02",
      "objective": "organizational personnel with required access authorizations are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.07.06.d[01]\n53A_R5_MA-05c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A03",
      "objective": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(01)(a)(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A04",
      "objective": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(01)(a)(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A05",
      "objective": "alternate controls are developed and implemented in the event that a system cannot be sanitized, removed or disconnected from the system.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A06",
      "objective": "personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting sensitive / regulated data possess security clearances for at least the highest classification level and for compartments of information on the system.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(02)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A07",
      "objective": "personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting sensitive / regulated data possess formal access approvals for at least the highest classification level and for compartments of information on the system.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(02)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A08",
      "objective": "personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting sensitive / regulated data are U.S. citizens.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(03)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A09",
      "objective": "foreign nationals are used to conduct maintenance and diagnostic activities on systems only when approved and authorized.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(04)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A10",
      "objective": "approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(04)(b)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A11",
      "objective": "consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(04)(b)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A12",
      "objective": "detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(04)(b)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A13",
      "objective": "non-escorted personnel who perform maintenance on the system possess the required access authorizations.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.07.06.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.1",
      "ao_id": "MNT-06.1_A14",
      "objective": "organizational personnel with required technical competence are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.07.06.d[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.2",
      "ao_id": "MNT-06.2_A01",
      "objective": "non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-05(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-06.2",
      "ao_id": "MNT-06.2_A02",
      "objective": "non-escorted personnel who perform maintenance on the system possess the required access authorizations.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.07.06.c",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-07",
      "ao_id": "MNT-07_A01",
      "objective": "system components requiring configuration control are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-07",
      "ao_id": "MNT-07_A02",
      "objective": "configuration control over organization-defined system components awaiting service or repair is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11(02)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-07",
      "ao_id": "MNT-07_A03",
      "objective": "configuration control over serviced or repaired organization-defined system components awaiting return to service is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11(02)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-08",
      "ao_id": "MNT-08_A01",
      "objective": "systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-07_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-08",
      "ao_id": "MNT-08_A02",
      "objective": "trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-07_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-08",
      "ao_id": "MNT-08_A03",
      "objective": "field maintenance on systems or system components are restricted or prohibited to trusted maintenance facilities.",
      "pptdf": "Process",
      "origin": "53A_R5_MA-07",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-09",
      "ao_id": "MNT-09_A01",
      "objective": "off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-10",
      "ao_id": "MNT-10_A01",
      "objective": "maintenance activities are validated to ensure they were appropriately performed according to the work order and that security controls are operational.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MNT-11",
      "ao_id": "MNT-11_A01",
      "objective": "situational awareness is maintained of the quality and reliability of systems and components through tracking maintenance activities and component failure rates.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A01",
      "objective": "the continuous monitoring program is organization-wide.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-01_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A02",
      "objective": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A03",
      "objective": "techniques and methods used to identify unauthorized use of the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A04",
      "objective": "system monitoring information to be provided to personnel or roles is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04_ODP[03]\n53A_R5_SI-04g.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A05",
      "objective": "personnel or roles to whom system monitoring information is to be provided is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A06",
      "objective": "a frequency for providing system monitoring to personnel or roles is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04_ODP[05]\n53A_R5_SI-04_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A07",
      "objective": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations or the Nation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A08",
      "objective": "a legal opinion regarding system monitoring activities is obtained.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04f.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A09",
      "objective": "the system is monitored to detect attacks.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.06.a.01[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A10",
      "objective": "the system is monitored to detect indicators of potential attacks.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.06.a.01[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A11",
      "objective": "the system is monitored to detect unauthorized connections.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.06.a.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A12",
      "objective": "event monitoring operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A13",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support event monitoring operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A14",
      "objective": "responsibility and authority for the performance of event monitoring-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01",
      "ao_id": "MON-01_A15",
      "objective": "personnel performing event monitoring-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.1",
      "ao_id": "MON-01.1_A01",
      "objective": "visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(25)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.1",
      "ao_id": "MON-01.1_A02",
      "objective": "visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(25)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.1",
      "ao_id": "MON-01.1_A03",
      "objective": "individual intrusion detection tools are connected to a system-wide intrusion detection system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(01)[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.1",
      "ao_id": "MON-01.1_A04",
      "objective": "individual intrusion detection tools are configured into a system-wide intrusion detection system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(01)[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.2",
      "ao_id": "MON-01.2_A01",
      "objective": "automated tools and mechanisms are employed to support a near real-time analysis of events.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A01",
      "objective": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(04)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A02",
      "objective": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(04)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A03",
      "objective": "unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(04)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A04",
      "objective": "inbound communications traffic is monitored to detect unusual or unauthorized activities or conditions.",
      "pptdf": "Technology",
      "origin": "171A_3.14.6[b]\n171A_R3_A.03.14.06.c[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A05",
      "objective": "outbound communications traffic is monitored to detect unusual or unauthorized activities or conditions.",
      "pptdf": "Technology",
      "origin": "171A_3.14.6[c]\n171A_R3_A.03.14.06.c[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A06",
      "objective": "anomalous or suspicious behavior is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.2e[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A07",
      "objective": "systems, applications and services are monitored to detect attacks and indicators of potential attacks.",
      "pptdf": "Technology",
      "origin": "171A_3.14.6[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A08",
      "objective": "communications at external managed interfaces to the system are monitored.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.01.a[01]\n53A_R5_SI-04(04)(b)[01]\n53A_R5_SI-04(04)_ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A09",
      "objective": "communications at key internal managed interfaces within the system are monitored.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.01.a[03]\n53A_R5_SI-04(04)(b)[02]\n53A_R5_SI-04(04)_ODP[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.3",
      "ao_id": "MON-01.3_A10",
      "objective": "the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(04)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "continuous",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.4",
      "ao_id": "MON-01.4_A01",
      "objective": "audit records contain information that establishes what type of event occurred.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.02.a.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.4",
      "ao_id": "MON-01.4_A02",
      "objective": "audit records for the selected event types and audit record content are generated.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.4",
      "ao_id": "MON-01.4_A03",
      "objective": "personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.4",
      "ao_id": "MON-01.4_A04",
      "objective": "compromise indicators are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.4",
      "ao_id": "MON-01.4_A05",
      "objective": "personnel or roles are alerted when system-generated compromise indicators occur.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.4",
      "ao_id": "MON-01.4_A06",
      "objective": "audit records for the selected event types and audit record content specified in 03.03.01 and 03.03.02 are generated.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.03.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.5",
      "ao_id": "MON-01.5_A01",
      "objective": "a wireless intrusion detection system is employed to detect potential compromises or breaches.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(14)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.5",
      "ao_id": "MON-01.5_A02",
      "objective": "an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(15)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.5",
      "ao_id": "MON-01.5_A03",
      "objective": "a wireless intrusion detection system is employed to identify rogue wireless devices.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(14)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.5",
      "ao_id": "MON-01.5_A04",
      "objective": "a wireless intrusion detection system is employed to detect attack attempts on the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(14)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.6",
      "ao_id": "MON-01.6_A01",
      "objective": "host-based monitoring mechanisms to be implemented on system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(23)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.6",
      "ao_id": "MON-01.6_A02",
      "objective": "system components where host-based monitoring is to be implemented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(23)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.6",
      "ao_id": "MON-01.6_A03",
      "objective": "host-based monitoring mechanisms are implemented on system components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(23)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.7",
      "ao_id": "MON-01.7_A01",
      "objective": "integrity verification tools are employed to detect unauthorized changes to organization-defined software, firmware and/or information.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07a.[01]\n53A_R5_SI-07a.[02]\n53A_R5_SI-07a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.7",
      "ao_id": "MON-01.7_A02",
      "objective": "organization-defined actions are taken when unauthorized changes to the software, firmware and/or information, are detected;",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-07b.[01]\n53A_R5_SI-07b.[02]\n53A_R5_SI-07b.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A01",
      "objective": "the frequency at which system audit records are reviewed and analyzed is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.05.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A02",
      "objective": "system audit records are reviewed and analyzed per an organization-defined frequency for indications and the potential impact of inappropriate or unusual activity.",
      "pptdf": "Process",
      "origin": "171A_3.3.3[a]\n171A_3.3.3[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A03",
      "objective": "response actions to system security alerts and advisories are identified.",
      "pptdf": "Process",
      "origin": "171A_3.14.3[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A04",
      "objective": "system security alerts and advisories are monitored.",
      "pptdf": "Technology",
      "origin": "171A_3.14.3[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A05",
      "objective": "actions in response to system security alerts and advisories are taken.",
      "pptdf": "Technology",
      "origin": "171A_3.14.3[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A06",
      "objective": "the frequency of event types selected for logging are reviewed and updated.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.01.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A07",
      "objective": "event types being logged are updated based on the review.",
      "pptdf": "Technology",
      "origin": "171A_3.3.3[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A08",
      "objective": "a process for determining when to review logged events is defined.",
      "pptdf": "Process",
      "origin": "171A_3.3.3[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A09",
      "objective": "the event types selected for logging are reviewed <A.03.03.01.ODP[02]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.01.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months and after any significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.8",
      "ao_id": "MON-01.8_A10",
      "objective": "system audit records are reviewed and analyzed <A.03.03.05.ODP[01]: frequency> for indications and the potential impact of inappropriate or unusual activity.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.05.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.9",
      "ao_id": "MON-01.9_A01",
      "objective": "all external-bound requests are logged in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.10",
      "ao_id": "MON-01.10_A01",
      "objective": "directory services are configured to generate a log for attempted usage of deactivated accounts.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.10",
      "ao_id": "MON-01.10_A02",
      "objective": "personnel or roles are alerted when system-generated alerts from attempted usage of deactivated accounts occur.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.11",
      "ao_id": "MON-01.11_A01",
      "objective": "security violations that automatically disable a system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.11",
      "ao_id": "MON-01.11_A02",
      "objective": "least-disruptive actions to terminate suspicious events are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(07)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.11",
      "ao_id": "MON-01.11_A03",
      "objective": "a configurable capability is implemented to automatically disable the system if security violations are detected.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-04(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.11",
      "ao_id": "MON-01.11_A04",
      "objective": "least-disruptive actions are taken upon the detection of suspicious events.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(07)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.11",
      "ao_id": "MON-01.11_A05",
      "objective": "incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(07)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.11",
      "ao_id": "MON-01.11_A06",
      "objective": "incident response personnel are notified of detected suspicious events.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(07)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.12",
      "ao_id": "MON-01.12_A01",
      "objective": "personnel or roles to be alerted when indications of inappropriate or unusual activity with cybersecurity / data privacy implications occur is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(12)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.12",
      "ao_id": "MON-01.12_A02",
      "objective": "automated mechanisms used to alert personnel or roles are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(12)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.12",
      "ao_id": "MON-01.12_A03",
      "objective": "activities that trigger alerts to personnel or roles are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(12)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.12",
      "ao_id": "MON-01.12_A04",
      "objective": "personnel or roles is/are alerted using automated mechanisms when activities that trigger alerts indicate inappropriate or unusual activities with cybersecurity / data privacy implications.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(12)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.12",
      "ao_id": "MON-01.12_A05",
      "objective": "findings are reported to organizational personnel or roles.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.05.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.13",
      "ao_id": "MON-01.13_A01",
      "objective": "communications traffic for the system is analyzed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(13)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.13",
      "ao_id": "MON-01.13_A02",
      "objective": "event patterns for the system are analyzed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(13)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.13",
      "ao_id": "MON-01.13_A03",
      "objective": "profiles representing common traffic are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(13)(b)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.13",
      "ao_id": "MON-01.13_A04",
      "objective": "profiles representing event patterns are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(13)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.13",
      "ao_id": "MON-01.13_A05",
      "objective": "traffic profiles are used in tuning system-monitoring devices.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(13)(c)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.13",
      "ao_id": "MON-01.13_A06",
      "objective": "event profiles are used in tuning system-monitoring devices.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(13)(c)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.14",
      "ao_id": "MON-01.14_A01",
      "objective": "additional monitoring of individuals who have been identified as posing an increased level of risk is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(19)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.14",
      "ao_id": "MON-01.14_A02",
      "objective": "sources that identify individuals who pose an increased level of risk are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(19)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.14",
      "ao_id": "MON-01.14_A03",
      "objective": "additional monitoring is implemented on individuals who have been identified by sources as posing an increased level of risk.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(19)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.15",
      "ao_id": "MON-01.15_A01",
      "objective": "additional monitoring of privileged users is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(20)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.15",
      "ao_id": "MON-01.15_A02",
      "objective": "additional monitoring of privileged users is implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(20)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.16",
      "ao_id": "MON-01.16_A01",
      "objective": "the organization formally identifies its needs for monitoring.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.16",
      "ao_id": "MON-01.16_A02",
      "objective": "monitoring needs are prioritized by asset, based on (1) asset criticality and (2) the sensitivity of the data it stores, transmits and processes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.17",
      "ao_id": "MON-01.17_A01",
      "objective": "the capability for authorized users to remotely view and hear content related to an established user session in real time is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-14(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-01.17",
      "ao_id": "MON-01.17_A02",
      "objective": "the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-14(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A01",
      "objective": "the frequency at which system audit records are reviewed and analyzed is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.05.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A02",
      "objective": "system audit records are reviewed and analyzed per an organization-defined frequency for indications and the potential impact of inappropriate or unusual activity.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A03",
      "objective": "audit records across different repositories are analyzed to gain organization-wide situational awareness.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.05.c[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A04",
      "objective": "automated mechanisms used for integrating audit record review, analysis and reporting processes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A05",
      "objective": "audit record review, analysis and reporting processes are integrated using organization-defined automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-06(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A06",
      "objective": "the frequency or situation requiring logging for each specified event type is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06_ODP[01]\n53A_R5_AU-02_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A07",
      "objective": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A08",
      "objective": "the event types selected for logging are reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-02e.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "annually and whenever there is a change in the threat environment",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A09",
      "objective": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-02d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A10",
      "objective": "system audit records are reviewed and analyzed per an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A11",
      "objective": "findings are reported to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A12",
      "objective": "the level of audit record review, analysis and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information or other credible sources of information.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02",
      "ao_id": "MON-02_A13",
      "objective": "system audit records are reviewed and analyzed <A.03.03.05.ODP[01]: frequency> for indications and the potential impact of inappropriate or unusual activity.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.05.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.1",
      "ao_id": "MON-02.1_A01",
      "objective": "authorized use of the system is defined.",
      "pptdf": "Process",
      "origin": "171A_3.14.7[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.1",
      "ao_id": "MON-02.1_A02",
      "objective": "unauthorized use of the system is identified.",
      "pptdf": "Process",
      "origin": "171A_3.14.7[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.1",
      "ao_id": "MON-02.1_A03",
      "objective": "incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-04(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.1",
      "ao_id": "MON-02.1_A04",
      "objective": "audit records across different repositories are correlated to gain organization-wide situational awareness.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-06(03)\n53A_R5_IR-04(04)\n53A_R5_SI-04(16)\n171A_R3_A.03.03.05.c[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.1",
      "ao_id": "MON-02.1_A05",
      "objective": "audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity are defined.",
      "pptdf": "Process",
      "origin": "171A_3.3.5[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.1",
      "ao_id": "MON-02.1_A06",
      "objective": "defined audit record review, analysis and reporting processes are correlated.",
      "pptdf": "Process",
      "origin": "171A_3.3.5[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.2",
      "ao_id": "MON-02.2_A01",
      "objective": "the capability to centrally review and analyze audit records from multiple components within the system is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-06(04)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.2",
      "ao_id": "MON-02.2_A02",
      "objective": "the capability to centrally review and analyze audit records from multiple components within the system is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-06(04)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.3",
      "ao_id": "MON-02.3_A01",
      "objective": "data/information collected from other sources to be analyzed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.3",
      "ao_id": "MON-02.3_A02",
      "objective": "information from monitoring physical, cyber and supply chain activities is correlated to achieve integrated, organization-wide situational awareness.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(17)\n53A_R5_AU-06(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.3",
      "ao_id": "MON-02.3_A03",
      "objective": "analysis of audit records is integrated with analysis of organization-specific criteria to further enhance the ability to identify inappropriate or unusual activity.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-06(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.4",
      "ao_id": "MON-02.4_A01",
      "objective": "information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-06(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.5",
      "ao_id": "MON-02.5_A01",
      "objective": "the permitted actions for each organization-defined criteria (e.g., system process, role or user) associated with the review, analysis and reporting of audit record information are specified.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06(07)\n53A_R5_AU-06(07)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.6",
      "ao_id": "MON-02.6_A01",
      "objective": "system audit records are reviewed and analyzed per an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.6",
      "ao_id": "MON-02.6_A02",
      "objective": "findings are reported to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.6",
      "ao_id": "MON-02.6_A03",
      "objective": "the level of audit record review, analysis and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information or other credible sources of information.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.6",
      "ao_id": "MON-02.6_A04",
      "objective": "the frequency at which system audit records are reviewed and analyzed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.6",
      "ao_id": "MON-02.6_A05",
      "objective": "inappropriate or unusual activity is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.6",
      "ao_id": "MON-02.6_A06",
      "objective": "personnel or roles to receive findings from reviews and analyses of system records is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-06_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.7",
      "ao_id": "MON-02.7_A01",
      "objective": "system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-12(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.7",
      "ao_id": "MON-02.7_A02",
      "objective": "level of tolerance for the relationship between timestamps of individual records in the audit trail is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-12(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.7",
      "ao_id": "MON-02.7_A03",
      "objective": "audit records from organization-defined system components are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-12(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.8",
      "ao_id": "MON-02.8_A01",
      "objective": "individuals or roles authorized to change the logging on system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-12(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.8",
      "ao_id": "MON-02.8_A02",
      "objective": "system components on which logging is to be performed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-12(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.8",
      "ao_id": "MON-02.8_A03",
      "objective": "selectable event criteria with which change logging is to be performed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-12(03)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.8",
      "ao_id": "MON-02.8_A04",
      "objective": "the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds is provided / implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-12(03)[01]\n53A_R5_AU-12(03)[02]\n53A_R5_AU-12(03)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-02.9",
      "ao_id": "MON-02.9_A01",
      "objective": "a current and accurate inventory of technology assets being logged is maintained.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A01",
      "objective": "the content of audit records needed to support monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity is defined.",
      "pptdf": "Process",
      "origin": "171A_3.3.1[b]\n171A_3.3.2[a]\n53A_R5_AU-02_ODP[01]\n53A_R5_AU-02_ODP[02]\n53A_R5_AU-02a.\n53A_R5_AU-02c.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events.\n\nFor Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A02",
      "objective": "audit records contain information that establishes what type of event occurred.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03a.\n53A_R5_AU-02c.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A03",
      "objective": "audit records contain information that establishes when the event occurred.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03b.\n53A_R5_AU-02c.[02]\n171A_R3_A.03.03.02.a.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A04",
      "objective": "audit records contain information that establishes where the event occurred.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03c.\n53A_R5_AU-02c.[02]\n171A_R3_A.03.03.02.a.03",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A05",
      "objective": "audit records contain information that establishes the source of the event.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03d.\n53A_R5_AU-02c.[02]\n171A_R3_A.03.03.02.a.04",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A06",
      "objective": "audit records contain information that establishes the outcome of the event.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03e.\n53A_R5_AU-02c.[02]\n171A_R3_A.03.03.02.a.05",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A07",
      "objective": "audit records contain information that establishes the identity of the individuals, subjects, objects, or entities associated with the event.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03f.\n171A_R3_A.03.03.02.a.06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A08",
      "objective": "event logs needed (e.g., event types to be logged) to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity are specified.",
      "pptdf": "Process",
      "origin": "171A_3.3.1[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A09",
      "objective": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-02d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A10",
      "objective": "audit records, once created, contain the defined content.",
      "pptdf": "Technology",
      "origin": "171A_3.3.1[d]\n171A_3.3.2[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A11",
      "objective": "the frequency at which the event types selected for logging are reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-02_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least weekly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A12",
      "objective": "event types selected for logging within the system are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A13",
      "objective": "the following event types are specified for logging within the system: <A.03.03.01.ODP[01]: event types>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.01.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values:\nat a minimum and where applicable:\n(1) Authentication events:\n  (a) Logons (Success/Failure)\n  (b) Logoffs (Success)\n(2) Security Relevant File and Objects events:\n  (a) Create (Success/Failure)\n  (b) Access (Success/Failure)\n  (c) Delete (Success/Failure)\n  (d) Modify (Success/Failure)\n  (e) Permission Modification (Success/Failure)\n  (f) Ownership Modification (Success/Failure)\n(3) Export/Writes/downloads to devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)\n(4) Import/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) (Success/Failure)\n(5) User and Group Management events:\n  (a) User add, delete, modify, disable, lock (Success/Failure)\n  (b) Group/Role add, delete, modify (Success/Failure)\n(6) Use of Privileged/Special Rights events:\n  (a) Security or audit policy changes (Success/Failure)\n  (b) Configuration changes (Success/Failure)\n(7) Admin or root-level access (Success/Failure)\n(8) Privilege/Role escalation (Success/Failure)\n(9) Audit and security relevant log data accesses (Success/Failure)\n(10) System reboot, restart, and shutdown (Success/Failure)\n(11) Print to a device (Success/Failure)\n(12) Print to a file (e.g., pdf format) (Success/Failure)\n(13) Application (e.g., Adobe, Firefox, MS Office Suite) initialization (Success/Failure)\n\nFor additional guidance, see: OMB21-31 ML 1",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A14",
      "objective": "the event types selected for logging are updated <A.03.03.01.ODP[02]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.01.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months and after any significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03",
      "ao_id": "MON-03_A15",
      "objective": "additional information for audit records is provided, as needed.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.02.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.1",
      "ao_id": "MON-03.1_A01",
      "objective": "additional information to be included in audit records is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-03(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.1",
      "ao_id": "MON-03.1_A02",
      "objective": "generated audit records contain the following organization-defined additional information.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "session, connection, transaction, or activity duration; \n\nFor client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.2",
      "ao_id": "MON-03.2_A01",
      "objective": "the content of the audit records needed to support the ability to uniquely trace users to their actions is defined.",
      "pptdf": "Process",
      "origin": "171A_3.3.2[a]\n53A_R5_AU-02_ODP[01]\n53A_R5_AU-02_ODP[02]\n53A_R5_AU-02a.\n53A_R5_AU-02c.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events.\n\nFor Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.2",
      "ao_id": "MON-03.2_A02",
      "objective": "audit records are created (generated).",
      "pptdf": "Technology",
      "origin": "171A_3.3.1[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.2",
      "ao_id": "MON-03.2_A03",
      "objective": "audit records contain information that establishes the identity of any individuals, subjects or objects/entities associated with the event.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03f.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.3",
      "ao_id": "MON-03.3_A01",
      "objective": "a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-06(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.3",
      "ao_id": "MON-03.3_A02",
      "objective": "the execution of privileged functions is logged.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.07.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.4",
      "ao_id": "MON-03.4_A01",
      "objective": "the level of verbosity for information to be included in audit records is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-03(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.4",
      "ao_id": "MON-03.4_A02",
      "objective": "generated audit records contain the specified level of verbosity.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.5",
      "ao_id": "MON-03.5_A01",
      "objective": "elements identified in the privacy risk assessment are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-03(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.5",
      "ao_id": "MON-03.5_A02",
      "objective": "Personal Data (PD) contained in audit records is limited to organization-defined elements identified in the privacy risk assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-03(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.6",
      "ao_id": "MON-03.6_A01",
      "objective": "cybersecurity / data privacy controls and related processes to be centrally managed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-09_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.6",
      "ao_id": "MON-03.6_A02",
      "objective": "cybersecurity / data privacy controls and related processes are centrally managed.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.7",
      "ao_id": "MON-03.7_A01",
      "objective": "the content of database audit records needed to support the ability to uniquely trace account actions is defined.",
      "pptdf": "Process",
      "origin": "171A_3.3.2[a]\n53A_R5_AU-02_ODP[01]\n53A_R5_AU-02_ODP[02]\n53A_R5_AU-02a.\n53A_R5_AU-02c.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-03.7",
      "ao_id": "MON-03.7_A02",
      "objective": "database audit records contain information that establishes the identity of any individuals, subjects or objects/entities associated with the event.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-03f.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-04",
      "ao_id": "MON-04_A01",
      "objective": "event log retention requirements are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-04_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-04",
      "ao_id": "MON-04_A02",
      "objective": "event log storage capacity is allocated to accommodate organization-defined event log retention requirements.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-04",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05",
      "ao_id": "MON-05_A01",
      "objective": "personnel or roles to be alerted in the event of an event logging process failure are identified.",
      "pptdf": "Process",
      "origin": "171A_3.3.4[a]\n53A_R5_AU-05_ODP[01]\n53A_R5_AU-05a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05",
      "ao_id": "MON-05_A02",
      "objective": "types of event logging process failures for which alert will be generated are defined.",
      "pptdf": "Process",
      "origin": "171A_3.3.4[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05",
      "ao_id": "MON-05_A03",
      "objective": "organization-defined additional actions are taken.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05_ODP[03]\n53A_R5_AU-05b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "overwrite oldest record",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05",
      "ao_id": "MON-05_A04",
      "objective": "organizational personnel or roles are alerted in the event of an audit logging process failure within an organization-defined time period.",
      "pptdf": "Technology",
      "origin": "171A_3.3.4[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05",
      "ao_id": "MON-05_A05",
      "objective": "the time period for organizational personnel or roles receiving audit logging process failure alerts is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05_ODP[02]\n171A_R3_A.03.03.04.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05",
      "ao_id": "MON-05_A06",
      "objective": "additional actions to be taken in the event of an audit logging process failure are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.04.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05",
      "ao_id": "MON-05_A07",
      "objective": "organizational personnel or roles are alerted in the event of an audit logging process failure within <A.03.03.04.ODP[01]: time period>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.04.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "near real time or as soon as practicable upon discovery",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05",
      "ao_id": "MON-05_A08",
      "objective": "the following additional actions are taken: <A.03.03.04.ODP[02]: additional actions>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.04.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "document the failure and resolution, troubleshoot, repair/restart the audit logging process, and report as incident if applicable",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05.1",
      "ao_id": "MON-05.1_A01",
      "objective": "real-time period requiring alerts when event log failure events occur is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05.1",
      "ao_id": "MON-05.1_A02",
      "objective": "personnel, roles, and/or locations to be alerted in real time when event log failure events occur is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05(02)_ODP[02]\n53A_R5_SI-04(12)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05.1",
      "ao_id": "MON-05.1_A03",
      "objective": "event logging failure events requiring real-time alerts are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05(02)_ODP[03]\n53A_R5_SI-04(12)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05.1",
      "ao_id": "MON-05.1_A04",
      "objective": "an alert is provided within organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined event logging failure events requiring real-time alerts occur.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-05(02)\n53A_R5_SI-04(12)_ODP[02]\n53A_R5_SI-04(12)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05.2",
      "ao_id": "MON-05.2_A01",
      "objective": "personnel, roles, and/or locations to be warned when allocated event log storage volume reaches a percentage of repository maximum event log storage capacity is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05.2",
      "ao_id": "MON-05.2_A02",
      "objective": "time period for defined personnel, roles, and/or locations to be warned when allocated event log storage volume reaches a percentage of repository maximum event log storage capacity is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05.2",
      "ao_id": "MON-05.2_A03",
      "objective": "percentage of repository maximum event log storage capacity is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05(01)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-05.2",
      "ao_id": "MON-05.2_A04",
      "objective": "a warning is provided per an organization-defined time period when allocated event log storage volume reaches organization-defined percentage of repository maximum event log storage capacity.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-05(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A01",
      "objective": "system components that provide an audit record generation capability for the events types are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-12_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A02",
      "objective": "audit records include organization-defined audit record content requirements.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-12c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A03",
      "objective": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-12_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A04",
      "objective": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis and reporting requirements and after-the-fact investigations of incidents that does not alter the original content or time ordering of audit records.",
      "pptdf": "Technology",
      "origin": "171A_3.3.6[b]\n53A_R5_AU-07a.[02]\n53A_R5_AU-07b.[02]\n53A_R5_AU-07(01)[01]\n53A_R5_AU-07(01)[02]\n53A_R5_AU-12a.\n53A_R5_AU-12b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A05",
      "objective": "fields within audit records that can be processed, sorted or searched are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-07(01)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A06",
      "objective": "findings are reported to organizational personnel or roles.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.05.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A07",
      "objective": "an audit record reduction and report generation capability that supports audit record review is implemented.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.06.a[01]\n171A_3.3.6[a]\n53A_R5_AU-07a.[01]\n53A_R5_AU-07b.[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A08",
      "objective": "an audit record reduction and report generation capability that supports audit record analysis is implemented.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.06.a[02]\n171A_3.3.6[a]\n53A_R5_AU-07a.[01]\n53A_R5_AU-07b.[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A09",
      "objective": "an audit record reduction and report generation capability that supports audit record reporting requirements is implemented.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.06.a[03]\n171A_3.3.6[a]\n53A_R5_AU-07a.[01]\n53A_R5_AU-07b.[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06",
      "ao_id": "MON-06_A10",
      "objective": "an audit record reduction and report generation capability that supports after-the-fact investigations of incidents is implemented.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.06.a[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06.1",
      "ao_id": "MON-06.1_A01",
      "objective": "the capability to audit the parameters of user query events for data sets containing Personal Data (PD) is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-12(04)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06.1",
      "ao_id": "MON-06.1_A02",
      "objective": "the capability to audit the parameters of user query events for data sets containing Personal Data (PD) is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-12(04)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06.2",
      "ao_id": "MON-06.2_A01",
      "objective": "trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06.2",
      "ao_id": "MON-06.2_A02",
      "objective": "trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-06.2",
      "ao_id": "MON-06.2_A03",
      "objective": "trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07(03)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07",
      "ao_id": "MON-07_A01",
      "objective": "timestamps are recorded for audit records that meet organization-defined granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time or include the local time offset as part of the timestamp.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-08b.\n171A_3.3.7[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07",
      "ao_id": "MON-07_A02",
      "objective": "internal system clocks are used to generate time stamps for audit records.",
      "pptdf": "Technology",
      "origin": "171A_3.3.7[a]\n171A_R3_A.03.03.07.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07",
      "ao_id": "MON-07_A03",
      "objective": "granularity of time measurement for audit record time stamps is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.03.07.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07",
      "ao_id": "MON-07_A04",
      "objective": "time stamps are recorded for audit records that meet organization-defined granularity of time measurement.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07",
      "ao_id": "MON-07_A05",
      "objective": "time stamps are recorded for audit records that meet <A.03.03.07.ODP[01]: granularity of time measurement>.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.07.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "a granularity of one (1) second or smaller",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07.1",
      "ao_id": "MON-07.1_A01",
      "objective": "an authoritative source with which to compare and synchronize internal system clocks is specified.",
      "pptdf": "Technology",
      "origin": "171A_3.3.7[b]\n53A_R5_SC-45(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07.1",
      "ao_id": "MON-07.1_A02",
      "objective": "internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.",
      "pptdf": "Technology",
      "origin": "171A_3.3.7[c]\n53A_R5_SC-45(01)(a)\n53A_R5_SC-45(01)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least hourly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07.1",
      "ao_id": "MON-07.1_A03",
      "objective": "system clocks are synchronized within and between systems and system components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-45",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07.1",
      "ao_id": "MON-07.1_A04",
      "objective": "the frequency at which to compare the internal system clocks with the authoritative time source is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-45(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least hourly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07.1",
      "ao_id": "MON-07.1_A05",
      "objective": "the internal system clocks are synchronized with the authoritative time source when the time difference is greater than an organization-defined time period.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-45(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "any difference",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-07.1",
      "ao_id": "MON-07.1_A06",
      "objective": "time stamps are recorded for audit records that use Coordinated Universal Time (UTC), have a fixed local time offset from UTC, or include the local time offset as part of the time stamp.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.07.b[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08",
      "ao_id": "MON-08_A01",
      "objective": "audit records are retained for a time period consistent with the records retention policy.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.03.03.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08",
      "ao_id": "MON-08_A02",
      "objective": "the original content of audit records is preserved.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.06.b[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08",
      "ao_id": "MON-08_A03",
      "objective": "the original time ordering of audit records is preserved.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.06.b[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08",
      "ao_id": "MON-08_A04",
      "objective": "audit information is protected from unauthorized access, modification, and deletion.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.08.a[01]\n171A_3.3.8[d]\n171A_3.3.8[e]\n171A_3.3.8[f]\n53A_R5_AU-09a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08",
      "ao_id": "MON-08_A05",
      "objective": "access to management of audit logging functionality is authorized to only a subset of privileged users or roles.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.03.08.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08",
      "ao_id": "MON-08_A06",
      "objective": "personnel or roles to be alerted upon detection of unauthorized access, modification or deletion of audit information is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-09_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08",
      "ao_id": "MON-08_A07",
      "objective": "organization-defined personnel or roles are alerted upon detection of unauthorized access, modification or deletion of audit information.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-09b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08.1",
      "ao_id": "MON-08.1_A01",
      "objective": "the frequency of event logs transferred to a different system, system component or media other than the system or system component conducting the logging is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-04(01)_ODP\n53A_R5_AU-09(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08.1",
      "ao_id": "MON-08.1_A02",
      "objective": "event logs are transferred per an organization-defined frequency to a different system, system component or media other than the system or system component conducting the logging.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-04(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08.1",
      "ao_id": "MON-08.1_A03",
      "objective": "audit records are stored per an organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-09(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08.2",
      "ao_id": "MON-08.2_A01",
      "objective": "a subset of privileged users or roles authorized to access management of event logging functionality is defined.",
      "pptdf": "Process",
      "origin": "171A_3.3.9[a]\n53A_R5_AU-09(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08.2",
      "ao_id": "MON-08.2_A02",
      "objective": "access to management of audit logging functionality is authorized to only a subset of privileged users or roles.",
      "pptdf": "Technology",
      "origin": "171A_3.3.9[b]\n171A_R3_A.03.03.08.b\n53A_R5_AU-09(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08.3",
      "ao_id": "MON-08.3_A01",
      "objective": "cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-09(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08.4",
      "ao_id": "MON-08.4_A01",
      "objective": "critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.1e[a]\n53A_R5_CM-05(04)_ODP[01]\n53A_R5_AU-09(05)_ODP[01]\n53A_R5_AU-09(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-08.4",
      "ao_id": "MON-08.4_A02",
      "objective": "dual authorization is employed to execute critical or sensitive system and organizational operations.",
      "pptdf": "Technology",
      "origin": "172A_3.1.1e[b]\n53A_R5_AU-09(05)\n53A_R5_CM-05(04)[01]\n53A_R5_CM-05(04)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09",
      "ao_id": "MON-09_A01",
      "objective": "actions to be covered by non-repudiation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-10_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09",
      "ao_id": "MON-09_A02",
      "objective": "irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed organization-defined actions.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-10",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09.1",
      "ao_id": "MON-09.1_A01",
      "objective": "the strength of binding between the identity of the information producer and the information is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-10(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09.1",
      "ao_id": "MON-09.1_A02",
      "objective": "the identity of the information producer is bound with the information to organization-defined strength of binding.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-10(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09.1",
      "ao_id": "MON-09.1_A03",
      "objective": "the means for authorized individuals to determine the identity of the producer of the information is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-10(01)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09.1",
      "ao_id": "MON-09.1_A04",
      "objective": "the frequency at which to validate the binding of the information producer identity to the information is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-10(02)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09.1",
      "ao_id": "MON-09.1_A05",
      "objective": "the actions to be performed in the event of a validation error are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-10(02)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09.1",
      "ao_id": "MON-09.1_A06",
      "objective": "the binding of the information producer identity to the information is validated at organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-10(02)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-09.1",
      "ao_id": "MON-09.1_A07",
      "objective": "organization-defined actions in the event of a validation error are performed.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-10(02)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-10",
      "ao_id": "MON-10_A01",
      "objective": "a time period to retain audit records that is consistent with the records retention policy is defined.",
      "pptdf": "Process",
      "origin": "171A_3.3.1[e]\n53A_R5_AU-11_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-10",
      "ao_id": "MON-10_A02",
      "objective": "audit records are retained for a time period consistent with the records retention policy.",
      "pptdf": "Data",
      "origin": "171A_3.3.1[f]\n171A_R3_A.03.03.03.b\n53A_R5_AU-11",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11",
      "ao_id": "MON-11_A01",
      "objective": "open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-13_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11",
      "ao_id": "MON-11_A02",
      "objective": "the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-13_ODP[02]\n53A_R5_AU-13a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11",
      "ao_id": "MON-11_A03",
      "objective": "personnel or roles to be notified if an information disclosure is discovered is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-13_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11",
      "ao_id": "MON-11_A04",
      "objective": "additional actions to be taken if an information disclosure is discovered are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-13_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11",
      "ao_id": "MON-11_A05",
      "objective": "personnel or roles are notified if an information disclosure is discovered.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-13b.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11",
      "ao_id": "MON-11_A06",
      "objective": "additional actions are taken if an information disclosure is discovered.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-13b.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.1",
      "ao_id": "MON-11.1_A01",
      "objective": "anomalous or suspicious behavior is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.2e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.1",
      "ao_id": "MON-11.1_A02",
      "objective": "organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior.",
      "pptdf": "Technology",
      "origin": "172A_3.14.2e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.1",
      "ao_id": "MON-11.1_A03",
      "objective": "outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(18)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.1",
      "ao_id": "MON-11.1_A04",
      "objective": "interior points of the network are monitored to detect covert exfiltration of information.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(18)_ODP\n53A_R5_SI-04(18)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.2",
      "ao_id": "MON-11.2_A01",
      "objective": "authorization or approval processes for network services are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(22)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.2",
      "ao_id": "MON-11.2_A03",
      "objective": "personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(22)_ODP[02]\n53A_R5_SI-04(22)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.2",
      "ao_id": "MON-11.2_A04",
      "objective": "network services that have not been authorized or approved by authorization or approval processes are detected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(22)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.2",
      "ao_id": "MON-11.2_A05",
      "objective": "organization-defined actions are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(22)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.2",
      "ao_id": "MON-11.2_A06",
      "objective": "organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior.",
      "pptdf": "Technology",
      "origin": "172A_3.14.2e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A01",
      "objective": "anomalous or suspicious behavior is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.2e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A02",
      "objective": "Indicators of Compromise (IOC) are defined.",
      "pptdf": "Process",
      "origin": "172A_3.11.2e[a]\n172A_3.14.6e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A03",
      "objective": "sources that provide Indicators of Compromise (IOC) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(24)_ODP[01]\n53A_R5_SI-04(24)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A04",
      "objective": "Indicators of Compromise (IOC) provided by sources are discovered.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(24)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A05",
      "objective": "Indicators of Compromise (IOC) provided by sources are collected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(24)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A06",
      "objective": "unauthorized use of the system is identified through techniques and methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A07",
      "objective": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04c.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A08",
      "objective": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04c.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A09",
      "objective": "personnel or roles to whom Indicators of Compromise (IOC) are to be distributed is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(24)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A10",
      "objective": "Indicators of Compromise (IOC) provided by sources are distributed to personnel or roles.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(24)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A11",
      "objective": "personnel or roles to whom Indicators of Compromise (IOC) are to be distributed is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(24)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A12",
      "objective": "Indicators of Compromise (IOC) provided by sources are distributed to personnel or roles.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(24)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A13",
      "objective": "organizational systems to search for Indicators of Compromise (IOC) are defined.",
      "pptdf": "Process",
      "origin": "172A_3.11.2e_ODP[4]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A14",
      "objective": "effective mitigations are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A15",
      "objective": "intrusion detection approaches are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A16",
      "objective": "threat hunting activities are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A17",
      "objective": "advanced automation and analytics capabilities to predict and identify risks to organizations, systems and system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.11.3e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A18",
      "objective": "analysts to predict and identify risks to organizations, systems and system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.11.3e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A19",
      "objective": "advanced automation and analytics capabilities are employed in support of analysts to predict and identify risks to organizations, systems and system components.",
      "pptdf": "Technology",
      "origin": "172A_3.11.3e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-11.3",
      "ao_id": "MON-11.3_A20",
      "objective": "threat indicator information and effective mitigations obtained from external organizations are used to guide and inform intrusion detection and threat hunting.",
      "pptdf": "Technology",
      "origin": "172A_3.14.6e[e]\n172A_3.14.6e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-12",
      "ao_id": "MON-12_A01",
      "objective": "user session auditing practices are defined (e.g., record, view, hear or log).",
      "pptdf": "Process",
      "origin": "53A_R5_AU-14_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-12",
      "ao_id": "MON-12_A02",
      "objective": "users or roles who can audit the content of a user session are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-14_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-12",
      "ao_id": "MON-12_A03",
      "objective": "circumstances under which the content of a user session can be audited are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-14_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-12",
      "ao_id": "MON-12_A04",
      "objective": "designated users or roles are provided with the capability to audit the content of a user session under organization-defined circumstances.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-14a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-12",
      "ao_id": "MON-12_A05",
      "objective": "the capability for designated users or roles to audit the content of a user session under organization-defined circumstances is implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-14a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-12",
      "ao_id": "MON-12_A06",
      "objective": "session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-14b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-12",
      "ao_id": "MON-12_A07",
      "objective": "session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-14b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-12",
      "ao_id": "MON-12_A08",
      "objective": "session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-14b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-13",
      "ao_id": "MON-13_A01",
      "objective": "an alternate event logging functionality in the event of a failure in primary event logging capability is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-05(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-13",
      "ao_id": "MON-13_A02",
      "objective": "an alternate event logging capability is provided in the event of a failure in primary event logging capability that implements organization-defined alternate event logging functionality.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-05(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-14",
      "ao_id": "MON-14_A01",
      "objective": "methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-16_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-14",
      "ao_id": "MON-14_A02",
      "objective": "audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-16_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-14",
      "ao_id": "MON-14_A03",
      "objective": "organization-defined methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-16",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-14.1",
      "ao_id": "MON-14.1_A01",
      "objective": "organizations with which cross-organizational audit information is to be shared are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-16(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-14.1",
      "ao_id": "MON-14.1_A02",
      "objective": "cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-16(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-14.1",
      "ao_id": "MON-14.1_A03",
      "objective": "cross-organizational audit information is provided to organization-defined organizations based on organization-defined cross-organizational sharing agreements.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-16(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-15",
      "ao_id": "MON-15_A01",
      "objective": "a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert channels (e.g., storage and/or timing).",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-31a.\n53A_R5_SC-31_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-15",
      "ao_id": "MON-15_A02",
      "objective": "the maximum bandwidth of those channels is estimated.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-31b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A01",
      "objective": "environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(11)_ODP\n53A_R5_IR-04(13)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A02",
      "objective": "systems are monitored to detect unauthorized local connections.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04a.02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A03",
      "objective": "systems are monitored to detect unauthorized network connections.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04a.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A04",
      "objective": "systems are monitored to detect unauthorized remote connections.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04a.02[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A05",
      "objective": "outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(11)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A06",
      "objective": "outbound communications traffic at interior points is analyzed to discover anomalies.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(11)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A07",
      "objective": "anomalous or suspected adversarial behavior in or related to organization-defined environments or resources is analyzed.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-04(13)\n53A_R5_SI-04d.[01]\n53A_R5_SI-04d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A08",
      "objective": "unauthorized use of the system is identified.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.14.06.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A09",
      "objective": "anomalous or suspicious behavior is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.2e[a]\n53A_R5_AC-02(12)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A10",
      "objective": "personnel or roles to whom atypical usage is to be reported is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-02(12)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at a minimum, the organization's cybersecurity team and/or similar role within the organization",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A11",
      "objective": "atypical usage of system accounts is reported to organization-defined personnel or roles.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-02(12)(b)\n53A_R5_SI-04g.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at a minimum, the organization's cybersecurity team and/or similar role within the organization",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16",
      "ao_id": "MON-16_A12",
      "objective": "organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior.",
      "pptdf": "Technology",
      "origin": "172A_3.14.2e[b]\n53A_R5_AC-02(12)(a)\n53A_R5_SI-04a.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.1",
      "ao_id": "MON-16.1_A01",
      "objective": "a legal opinion regarding insider threat monitoring is obtained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.1",
      "ao_id": "MON-16.1_A02",
      "objective": "monitoring activities for insider threats are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.1",
      "ao_id": "MON-16.1_A03",
      "objective": "organization-defined mechanisms are employed to monitor internal personnel activity for potential security incidents.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.2",
      "ao_id": "MON-16.2_A01",
      "objective": "a legal opinion regarding third-party threat monitoring is obtained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.2",
      "ao_id": "MON-16.2_A02",
      "objective": "monitoring activities for third-party threats are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.2",
      "ao_id": "MON-16.2_A03",
      "objective": "organization-defined mechanisms are employed to monitor third-party activities for potential security incidents.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.3",
      "ao_id": "MON-16.3_A01",
      "objective": "unauthorized activities are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.3",
      "ao_id": "MON-16.3_A02",
      "objective": "personnel or roles to be notified when unauthorized activities are detected is/are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.3",
      "ao_id": "MON-16.3_A03",
      "objective": "methods to detect unauthorized activities are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.3",
      "ao_id": "MON-16.3_A04",
      "objective": "monitoring mechanisms are configured to detect unauthorized activities.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.3",
      "ao_id": "MON-16.3_A05",
      "objective": "personnel or roles are notified when unauthorized activities are detected.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-16.4",
      "ao_id": "MON-16.4_A01",
      "objective": "an automated mechanism generates event logs for permissions changes to privileged accounts and/or groups.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-17",
      "ao_id": "MON-17_A01",
      "objective": "analysis and triage capabilities for event log review processes are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-17",
      "ao_id": "MON-17_A02",
      "objective": "analysis and triage capabilities are integrated into event log review processes that support the organization's governance and incident response functions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-17.1",
      "ao_id": "MON-17.1_A01",
      "objective": "an escalation matrix that is specific to the organization's unique monitoring practices is developed and maintained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-18",
      "ao_id": "MON-18_A01",
      "objective": "automated tools are used to monitor sensitive/regulated data in Assets, Applications & Services (AAS).",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-18",
      "ao_id": "MON-18_A02",
      "objective": "automated tools are used to monitor sensitive/regulated data in data repositories.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-19",
      "ao_id": "MON-19_A01",
      "objective": "Technology Assets, Applications and/or Services (TAAS) that require hardware-enforced, write-once media (e.g., Write Once Read Many (WORM) technologies) are identified.",
      "pptdf": "Process",
      "origin": "",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-19",
      "ao_id": "MON-19_A02",
      "objective": "hardware-enforced, write-once media technologies are identified.",
      "pptdf": "Process",
      "origin": "",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "MON-19",
      "ao_id": "MON-19_A03",
      "objective": "hardware-enforced, write-once media technologies are implemented, where required.",
      "pptdf": "Technology",
      "origin": "",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A01",
      "objective": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A02",
      "objective": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A03",
      "objective": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A04",
      "objective": "an official to manage the system and communications protection policy and procedures is defined.",
      "pptdf": "People",
      "origin": "53A_R5_SC-01_ODP[03]\n53A_R5_SC-01_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A05",
      "objective": "the frequency at which the current system and communications protection policy is reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A06",
      "objective": "events that would require the current system and communications protection policy to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A07",
      "objective": "the frequency at which the current system and communications protection procedures are reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A08",
      "objective": "events that would require the system and communications protection procedures to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A09",
      "objective": "a system and communications protection policy is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A10",
      "objective": "the system and communications protection policy is disseminated to organization-defined personnel or roles.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-01a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A11",
      "objective": "the system and communications protection procedures are disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A12",
      "objective": "the organization's system and communications protection policy addresses purpose.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.01(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A13",
      "objective": "the organization's system and communications protection policy addresses scope.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.01(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A14",
      "objective": "the organization's system and communications protection policy addresses roles.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.01(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A15",
      "objective": "the organization's system and communications protection policy addresses responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.01(a)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A16",
      "objective": "the organization's system and communications protection policy addresses management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.01(a)[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A17",
      "objective": "the organization's system and communications protection policy addresses coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.01(a)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A18",
      "objective": "the organization's system and communications protection policy addresses compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.01(a)[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A19",
      "objective": "the organization's system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01a.01(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A20",
      "objective": "the organization-defined official is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A21",
      "objective": "the current system and communications protection policy is reviewed / updated at the organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01c.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A22",
      "objective": "the current system and communications protection policy is reviewed / updated following organization-defined events.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-01c.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A23",
      "objective": "the current system and communications protection procedures are reviewed / updated at the organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01c.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A24",
      "objective": "the current system and communications protection procedures are reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-01c.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A25",
      "objective": "network security management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A26",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support network security management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A27",
      "objective": "responsibility and authority for the performance of network security management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01",
      "ao_id": "NET-01_A28",
      "objective": "personnel performing network security management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01.1",
      "ao_id": "NET-01.1_A01",
      "objective": "all users are treated as potential threats and access to data and resources is prevented until the user can be properly authenticated and their access authorized.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-01.1",
      "ao_id": "NET-01.1_A02",
      "objective": "all devices are treated as potential threats and access to data and resources is prevented until the device can be properly authenticated and its access authorized.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02",
      "ao_id": "NET-02_A01",
      "objective": "security functions are implemented as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A01",
      "objective": "types of denial-of-service events to be protected against or limited are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-05_ODP[01]\n53A_R5_SC-05(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A02",
      "objective": "resource prioritization is designed to limit negative effects of denial-of-service events.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-05_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A03",
      "objective": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-05_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A04",
      "objective": "controls by type of denial-of-service event are employed to achieve the denial-of-service protection objective.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-05b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A05",
      "objective": "the ability of individuals to launch denial-of-service attacks against other systems is restricted.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-05(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A06",
      "objective": "the effects of types of denial-of-service events are organizationally-defined.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-05a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A07",
      "objective": "capacity, bandwidth or other redundancies to limit the effects of information flooding denial-of-service attacks are managed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-05(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A08",
      "objective": "monitoring tools for detecting indicators of denial-of-service attacks are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-05(03)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A09",
      "objective": "system resources to be monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-05(03)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A10",
      "objective": "monitoring tools are employed to detect indicators of denial-of-service attacks against or launched from the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-05(03)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.1",
      "ao_id": "NET-02.1_A11",
      "objective": "system resources are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-05(03)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.2",
      "ao_id": "NET-02.2_A01",
      "objective": "a secure guest network is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.2",
      "ao_id": "NET-02.2_A02",
      "objective": "a secure guest network is implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.2",
      "ao_id": "NET-02.2_A03",
      "objective": "each type of wireless access to the system is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.16.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.2",
      "ao_id": "NET-02.2_A04",
      "objective": "usage restrictions are established for each type of wireless access to the system.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.16.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.2",
      "ao_id": "NET-02.2_A05",
      "objective": "connection requirements are established for each type of wireless access to the system.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.16.a[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.2",
      "ao_id": "NET-02.2_A06",
      "objective": "each type of wireless access to the system is authorized prior to establishing such connections.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.16.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-02.3",
      "ao_id": "NET-02.3_A01",
      "objective": "a Cross Domain Solution (CDS) is implemented to mitigate the specific security risks of accessing or transferring information between security domains.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A01",
      "objective": "the external system boundary is defined.",
      "pptdf": "Process",
      "origin": "171A_3.13.1[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A02",
      "objective": "key internal system boundaries are defined.",
      "pptdf": "Process",
      "origin": "171A_3.13.1[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A03",
      "objective": "communications are protected at the external system boundary.",
      "pptdf": "Technology",
      "origin": "171A_3.13.1[g]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A04",
      "objective": "communications are protected at key internal boundaries.",
      "pptdf": "Technology",
      "origin": "171A_3.13.1[h]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A05",
      "objective": "communications are monitored at the external system boundary.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07_ODP\n53A_R5_SC-07a.[01]\n171A_3.13.1[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A06",
      "objective": "communications are controlled at the external system boundary.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07_ODP\n53A_R5_SC-07a.[02]\n171A_3.13.1[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A07",
      "objective": "communications are monitored at key internal boundaries.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07a.[03]\n171A_3.13.1[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A08",
      "objective": "communications are controlled at key internal boundaries.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07a.[04]\n171A_3.13.1[f]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A09",
      "objective": "subnetworks for publicly accessible system components are selected per organization-defined values separated from internal organizational networks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A10",
      "objective": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational cybersecurity / data privacy architecture.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A11",
      "objective": "outgoing communications traffic posing a threat to external systems is detected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(09)(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A12",
      "objective": "outgoing communications traffic posing a threat to external systems is denied.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(09)(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A13",
      "objective": "the identity of internal users associated with denied communications is audited.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(09)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A14",
      "objective": "authorized sources of incoming communications to be routed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(11)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A15",
      "objective": "authorized destinations to which incoming communications from authorized sources may be routed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(11)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A16",
      "objective": "only incoming communications from authorized sources are allowed to be routed to authorized destinations.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(11)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A17",
      "objective": "one or more of the following is/are selected: physical isolation techniques; logical isolation techniques.",
      "pptdf": "Technology",
      "origin": "172A_3.13.4e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A18",
      "objective": "physical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[2]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A19",
      "objective": "logical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[3]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A20",
      "objective": "physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components.",
      "pptdf": "Technology",
      "origin": "172A_3.13.4e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A21",
      "objective": "connection requirements are established for mobile devices.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.18.a[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A22",
      "objective": "external system connections are only made through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.01.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A23",
      "objective": "communications at external managed interfaces to the system are controlled.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.01.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03",
      "ao_id": "NET-03_A24",
      "objective": "communications at key internal managed interfaces within the system are controlled.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.01.a[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.1",
      "ao_id": "NET-03.1_A01",
      "objective": "the number of external network connections to the system is limited.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A01",
      "objective": "the frequency at which to review exceptions to traffic flow policy is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A02",
      "objective": "a managed interface is implemented for each external telecommunication service.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(04)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A03",
      "objective": "a traffic flow policy is established for each managed interface.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(04)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A04",
      "objective": "the confidentiality of the information being transmitted across each interface is protected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(04)(c)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A05",
      "objective": "the integrity of the information being transmitted across each interface is protected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(04)(c)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A06",
      "objective": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(04)(d)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A07",
      "objective": "exceptions to the traffic flow policy are reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(04)(e)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A08",
      "objective": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(04)(e)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A09",
      "objective": "unauthorized exchanges of control plane traffic with external networks are prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(04)(f)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A10",
      "objective": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(04)(g)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A11",
      "objective": "unauthorized control plane traffic is filtered from external networks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(04)(h)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A12",
      "objective": "outgoing communications traffic posing a threat to external systems is detected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(09)(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A13",
      "objective": "outgoing communications traffic posing a threat to external systems is denied.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(09)(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.2",
      "ao_id": "NET-03.2_A14",
      "objective": "the identity of internal users associated with denied communications is audited.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(09)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.3",
      "ao_id": "NET-03.3_A01",
      "objective": "the discovery of specific system components that represent a managed interface is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(16)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.4",
      "ao_id": "NET-03.4_A01",
      "objective": "processing rules for systems that process Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(24)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.4",
      "ao_id": "NET-03.4_A02",
      "objective": "processing rules are applied to data elements of Personal Data (PD) on systems that process Personal Data (PD).",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(24)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.4",
      "ao_id": "NET-03.4_A03",
      "objective": "permitted processing is monitored at the external interfaces to the systems that process Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(24)(b)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.4",
      "ao_id": "NET-03.4_A04",
      "objective": "permitted processing is monitored at key internal boundaries within the systems that process Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(24)(b)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.4",
      "ao_id": "NET-03.4_A05",
      "objective": "each processing exception is documented for systems that process Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(24)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.4",
      "ao_id": "NET-03.4_A06",
      "objective": "exceptions for systems that process Personal Data (PD) are reviewed.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(24)(d)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.4",
      "ao_id": "NET-03.4_A07",
      "objective": "exceptions for systems that process Personal Data (PD) that are no longer supported are removed.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(24)(d)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.5",
      "ao_id": "NET-03.5_A01",
      "objective": "the exfiltration of information is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(10)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.5",
      "ao_id": "NET-03.5_A02",
      "objective": "the frequency for conducting exfiltration tests is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(10)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.5",
      "ao_id": "NET-03.5_A03",
      "objective": "exfiltration tests are conducted per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(10)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.6",
      "ao_id": "NET-03.6_A01",
      "objective": "system components to be dynamically isolated from other system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(20)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.6",
      "ao_id": "NET-03.6_A02",
      "objective": "the capability to dynamically isolate organization-defined system components from other system components is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(20)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.7",
      "ao_id": "NET-03.7_A01",
      "objective": "system components to be isolated by boundary protection mechanisms are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(21)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.7",
      "ao_id": "NET-03.7_A02",
      "objective": "boundary protection mechanisms are employed to isolate system components supporting missions and/or business functions.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(21)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.7",
      "ao_id": "NET-03.7_A03",
      "objective": "missions and/or business functions to be supported by system components isolated by boundary protection mechanisms are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(21)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.7",
      "ao_id": "NET-03.7_A04",
      "objective": "physical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[2]\n172A_3.13.4e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.7",
      "ao_id": "NET-03.7_A05",
      "objective": "logical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[3]\n172A_3.13.4e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.7",
      "ao_id": "NET-03.7_A06",
      "objective": "physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components.",
      "pptdf": "Technology",
      "origin": "172A_3.13.4e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.8",
      "ao_id": "NET-03.8_A01",
      "objective": "separate network addresses are implemented to connect to systems in different security domains.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(22)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.8",
      "ao_id": "NET-03.8_A02",
      "objective": "critical system components and functions are logically isolated.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(29)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.8",
      "ao_id": "NET-03.8_A03",
      "objective": "critical system components and functions to be isolated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(29)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.8",
      "ao_id": "NET-03.8_A04",
      "objective": "subnetworks are separated using organization-defined criteria to isolate critical system components and functions.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(29)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.8",
      "ao_id": "NET-03.8_A05",
      "objective": "physical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[1]\n172A_3.13.4e_ODP[2]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.8",
      "ao_id": "NET-03.8_A06",
      "objective": "logical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[1]\n172A_3.13.4e_ODP[3]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-03.8",
      "ao_id": "NET-03.8_A07",
      "objective": "physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components.",
      "pptdf": "Technology",
      "origin": "172A_3.13.4e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A01",
      "objective": "information flow control policies are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.3[a]\n53A_R5_AC-04_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A02",
      "objective": "methods and enforcement mechanisms for controlling the flow of sensitive / regulated data are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.3[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A03",
      "objective": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on organization-defined information flow control policies.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A04",
      "objective": "designated sources and destinations (e.g., networks, individuals and devices) for sensitive / regulated data within the system and between interconnected systems are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.3[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A05",
      "objective": "authorizations for controlling the flow of sensitive / regulated data are defined.",
      "pptdf": "Process",
      "origin": "171A_3.1.3[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A06",
      "objective": "approved authorizations are enforced for controlling the flow of CUI between connected systems.",
      "pptdf": "Data",
      "origin": "171A_3.1.3[e]\n171A_R3_A.03.01.03[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A07",
      "objective": "secure information transfer solutions are defined.",
      "pptdf": "Process",
      "origin": "172A_3.1.3e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A08",
      "objective": "information flows between security domains on connected systems are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.3e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A09",
      "objective": "solutions are employed to control information flows between security domains on connected systems.",
      "pptdf": "Technology",
      "origin": "172A_3.1.3e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A10",
      "objective": "systems and system components included in the scope of the specified enhanced security requirements are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.3e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A11",
      "objective": "systems and system components are included in the scope of the specified enhanced security requirements.",
      "pptdf": "Technology",
      "origin": "172A_3.14.3e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04",
      "ao_id": "NET-04_A12",
      "objective": "systems and system components that are not included in the scope of the specified enhanced security requirements are segregated in purpose-specific networks.",
      "pptdf": "Technology",
      "origin": "172A_3.14.3e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.1",
      "ao_id": "NET-04.1_A01",
      "objective": "network communications traffic is denied by default.",
      "pptdf": "Technology",
      "origin": "171A_3.13.6[a]\n171A_R3_A.03.13.06[01]\n53A_R5_SC-07(05)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.1",
      "ao_id": "NET-04.1_A02",
      "objective": "network communications traffic is allowed by exception.",
      "pptdf": "Technology",
      "origin": "171A_3.13.6[b]\n171A_R3_A.03.13.06[02]\n53A_R5_SC-07(05)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.1",
      "ao_id": "NET-04.1_A03",
      "objective": "systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(05)_ODP[01]\n53A_R5_SC-07(05)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "any systems",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.1",
      "ao_id": "NET-04.1_A04",
      "objective": "authorized sources of incoming communications to be routed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(11)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.1",
      "ao_id": "NET-04.1_A05",
      "objective": "authorized destinations to which incoming communications from authorized sources may be routed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(11)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.1",
      "ao_id": "NET-04.1_A06",
      "objective": "only incoming communications from authorized sources are allowed to be routed to authorized destinations.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(11)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A01",
      "objective": "cybersecurity / data privacy attributes associated with information, source and destination objects are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(01)_ODP[01]\n53A_R5_AC-04(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A02",
      "objective": "information objects to be associated with cybersecurity / data privacy attributes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(01)_ODP[03]\n53A_R5_AC-04(01)_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A03",
      "objective": "source objects to be associated with cybersecurity / data privacy attributes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(01)_ODP[05]\n53A_R5_AC-04(01)_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A04",
      "objective": "destination objects to be associated with cybersecurity / data privacy attributes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(01)_ODP[07]\n53A_R5_AC-04(01)_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A05",
      "objective": "information flow control policies as a basis for enforcement of flow control decisions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(01)_ODP[09]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A06",
      "objective": "organization-defined cybersecurity / data privacy attributes associated with organization-defined information objects, organization-defined source objects and organization-defined destination objects are used to enforce organization-defined information flow control policies as a basis for flow control decisions.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(01)[01]\n53A_R5_AC-04(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A07",
      "objective": "secure information transfer solutions are defined.",
      "pptdf": "Process",
      "origin": "172A_3.1.3e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A08",
      "objective": "information flows between security domains on connected systems are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.3e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.2",
      "ao_id": "NET-04.2_A09",
      "objective": "solutions are employed to control information flows between security domains on connected systems.",
      "pptdf": "Technology",
      "origin": "172A_3.1.3e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.3",
      "ao_id": "NET-04.3_A01",
      "objective": "information flow control mechanisms that encrypted information is prevented from bypassing are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.3",
      "ao_id": "NET-04.3_A02",
      "objective": "the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(04)_ODP[02]\n53A_R5_AC-04(04)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.3",
      "ao_id": "NET-04.3_A03",
      "objective": "encrypted information is prevented from bypassing the organization's information flow control mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "intrusion detection mechanisms",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.4",
      "ao_id": "NET-04.4_A01",
      "objective": "limitations on embedding data types within other data types are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.4",
      "ao_id": "NET-04.4_A02",
      "objective": "organization-defined limitations are enforced on embedding data types within other data types.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.5",
      "ao_id": "NET-04.5_A01",
      "objective": "metadata on which to base enforcement of information flow control is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(06)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.5",
      "ao_id": "NET-04.5_A02",
      "objective": "information flow control enforcement is based on organization-defined metadata.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.5",
      "ao_id": "NET-04.5_A03",
      "objective": "secure information transfer solutions are defined.",
      "pptdf": "Process",
      "origin": "172A_3.1.3e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.5",
      "ao_id": "NET-04.5_A04",
      "objective": "information flows between security domains on connected systems are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.3e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.5",
      "ao_id": "NET-04.5_A05",
      "objective": "solutions are employed to control information flows between security domains on connected systems.",
      "pptdf": "Technology",
      "origin": "172A_3.1.3e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.6",
      "ao_id": "NET-04.6_A01",
      "objective": "information flows requiring the use of human reviews are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(09)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.6",
      "ao_id": "NET-04.6_A02",
      "objective": "conditions under which the use of human reviews for information flows are to be enforced are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(09)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.6",
      "ao_id": "NET-04.6_A03",
      "objective": "human reviews are used for organization-defined conditions.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(09)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A01",
      "objective": "information flows between security domains on connected systems are identified.",
      "pptdf": "Process",
      "origin": "172A_3.1.3e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A02",
      "objective": "solutions are employed to control information flows between security domains on connected systems.",
      "pptdf": "Technology",
      "origin": "172A_3.1.3e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A03",
      "objective": "cybersecurity / data privacy policy filters to be used as a basis for enforcing information flow control are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(08)_ODP[01]\n53A_R5_AC-04(08)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A04",
      "objective": "information flows for which information flow control is enforced by cybersecurity / data privacy filters are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(08)_ODP[03]\n53A_R5_AC-04(08)_ODP[04]\n172A_3.1.3e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A05",
      "objective": "information flow control is enforced using organization-defined cybersecurity / data privacy policy filter as a basis for flow control decisions for organization-defined information flows.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(08)(a)[01]\n53A_R5_AC-04(08)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A06",
      "objective": "cybersecurity / data privacy policy identifying actions to be taken after a filter processing failure is defined (e.g., block, strip, modify or quarantine).",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(08)_ODP[05]\n53A_R5_AC-04(08)_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A07",
      "objective": "policy identifying actions to be taken after a filter processing failure is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(08)_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A08",
      "objective": "organization-defined actions (e.g., block, strip, modify or quarantine) are applied to data after a filter processing failure in accordance with organization-defined cybersecurity / data privacy policy.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(08)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.7",
      "ao_id": "NET-04.7_A09",
      "objective": "when transferring information between different security domains, data is sanitized to minimize organization-selected risks (e.g., delivery of malicious content or spillage of sensitive information) in accordance with organization-defined policy.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(25)_ODP[01]\n53A_R5_AC-04(25)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.8",
      "ao_id": "NET-04.8_A01",
      "objective": "data type identifiers to be used to validate data essential for information flow decisions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(12)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.8",
      "ao_id": "NET-04.8_A02",
      "objective": "when transferring information between different security domains, organization-defined data type identifiers are used to validate data essential for information flow decisions.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(12)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.9",
      "ao_id": "NET-04.9_A01",
      "objective": "policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(13)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.9",
      "ao_id": "NET-04.9_A02",
      "objective": "when transferring information between different security domains, information is decomposed into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.10",
      "ao_id": "NET-04.10_A01",
      "objective": "unsanctioned information to be detected is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(15)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.10",
      "ao_id": "NET-04.10_A02",
      "objective": "cybersecurity / data privacy policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(15)_ODP[02]\n53A_R5_AC-04(15)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.10",
      "ao_id": "NET-04.10_A03",
      "objective": "when transferring information between different security domains, information is examined for the presence of organization-defined unsanctioned information.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(15)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.10",
      "ao_id": "NET-04.10_A04",
      "objective": "when transferring information between different security domains, transfer of organization-defined unsanctioned information is prohibited in accordance with the organization-defined cybersecurity / data privacy policy.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(15)[02]\n53A_R5_AC-04(15)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.11",
      "ao_id": "NET-04.11_A01",
      "objective": "solutions in approved configurations to control the flow of information across security domains are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(20)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.11",
      "ao_id": "NET-04.11_A02",
      "objective": "information to be controlled when it flows across security domains is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(20)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.11",
      "ao_id": "NET-04.11_A03",
      "objective": "organization-defined solutions in approved configurations are employed to control the flow of organization-defined information across security domains.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(20)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.12",
      "ao_id": "NET-04.12_A01",
      "objective": "source and destination points are uniquely identified and authenticated by organization-defined criteria for information transfer (e.g., organization, system, application, service or individual).",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(17)_ODP\n53A_R5_AC-04(17)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.13",
      "ao_id": "NET-04.13_A01",
      "objective": "cybersecurity / data privacy policy filters to be implemented on metadata are defined (if selected).",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(19)_ODP[01]\n53A_R5_AC-04(19)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.13",
      "ao_id": "NET-04.13_A02",
      "objective": "when transferring information between different security domains, organization-defined cybersecurity / data privacy policy filters are implemented on metadata.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(19)[01]\n53A_R5_AC-04(19)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-04.14",
      "ao_id": "NET-04.14_A01",
      "objective": "visibility and control over application traffic is maintained, regardless of the user’s location or the security posture of the surrounding network.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A01",
      "objective": "the type of agreement used to approve and manage the exchange of information is defined (e.g., interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, non-disclosure agreements or organization-defined type of agreements).",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03_ODP[01]\n53A_R5_CA-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A02",
      "objective": "security requirements for each system are documented as part of the exchange agreements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03b.[02]\n53A_R5_CA-03b.[03]\n171A_R3_A.03.12.05.b[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A03",
      "objective": "controls are documented as part of each exchange agreement.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03b.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A04",
      "objective": "the frequency at which to review and update agreements is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03_ODP[03]\n171A_R3_A.03.12.05.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A05",
      "objective": "the exchange of sensitive / regulated data between the system and other systems is approved using organization-defined values.",
      "pptdf": "Data",
      "origin": "53A_R5_CA-03a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A06",
      "objective": "the exchange of sensitive / regulated data between the system and other systems is managed using organization-defined values.",
      "pptdf": "Data",
      "origin": "53A_R5_CA-03a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A07",
      "objective": "interface characteristics for each system are documented as part of the exchange agreements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03b.[01]\n171A_R3_A.03.12.05.b[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A08",
      "objective": "responsibilities for each system are documented as part of the exchange agreements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03b.[05]\n171A_R3_A.03.12.05.b[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A09",
      "objective": "the impact level of the information communicated is documented as part of each exchange agreement.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03b.[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A10",
      "objective": "exchange agreements are reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A11",
      "objective": "exchange agreements are updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-03c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A12",
      "objective": "systems that are prohibited from directly connecting to an external network are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(25)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A13",
      "objective": "the boundary protection device required for a direct connection to an external network is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(25)_ODP[02]\n53A_R5_SC-07(26)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A14",
      "objective": "the direct connection of systems to an external network without the use of a boundary protection device is prohibited.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(25)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A15",
      "objective": "the direct connection of a classified national security system to an external network without the use of an organization-defined boundary protection device is prohibited.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(26)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A16",
      "objective": "approved authorizations are enforced for controlling the flow of CUI between connected systems.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.01.03[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A17",
      "objective": "one or more of the following PARAMETER VALUES are selected: {interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; non-disclosure agreements; other types of agreements}.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.12.05.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A18",
      "objective": "the exchange of CUI between the system and other systems is approved using <A.03.12.05.ODP[01]: SELECTED PARAMETER VALUES>.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.12.05.a[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "requirements as described in the contract",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A19",
      "objective": "the exchange of CUI between the system and other systems is managed using <A.03.12.05.ODP[01]: SELECTED PARAMETER VALUES>.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.12.05.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "requirements as described in the contract",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A20",
      "objective": "exchange agreements are reviewed <A.03.12.05.ODP[02]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.05.c[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05",
      "ao_id": "NET-05_A21",
      "objective": "exchange agreements are updated <A.03.12.05.ODP[02]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.12.05.c[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.1",
      "ao_id": "NET-05.1_A01",
      "objective": "systems that are prohibited from directly connecting to an external network are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(27)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.1",
      "ao_id": "NET-05.1_A02",
      "objective": "the boundary protection device required for a direct connection of a system to an external network is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(27)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.1",
      "ao_id": "NET-05.1_A03",
      "objective": "the direct connection of a system to an external network without the use of a boundary protection device is prohibited.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(27)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A01",
      "objective": "internal connections of organization-defined system components to the system are authorized.",
      "pptdf": "Technology",
      "origin": "53A_R5_CA-09a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A02",
      "objective": "for each internal connection, the interface characteristics are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-09b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A03",
      "objective": "for each internal connection, the security requirements are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-09b.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A04",
      "objective": "for each internal connection, the privacy requirements are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-09b.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A05",
      "objective": "for each internal connection, the nature of the information communicated is documented.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-09b.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A06",
      "objective": "internal system connections are terminated after organization-defined conditions.",
      "pptdf": "Technology",
      "origin": "53A_R5_CA-09c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A07",
      "objective": "the continued need for each internal connection is reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-09d.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A08",
      "objective": "system components or classes of components requiring internal connections to the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-09_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A09",
      "objective": "conditions requiring termination of internal connections are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-09_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-05.2",
      "ao_id": "NET-05.2_A10",
      "objective": "frequency at which to review the continued need for each internal connection is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-09_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A01",
      "objective": "logical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[1]\n172A_3.13.4e_ODP[3]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A02",
      "objective": "mechanisms and/or techniques used to logically separate information flows are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(21)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A03",
      "objective": "information flows are separated logically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(21)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A04",
      "objective": "publicly accessible system components are identified.",
      "pptdf": "Process",
      "origin": "171A_3.13.5[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A05",
      "objective": "subnetworks for publicly accessible system components are physically or logically separated from internal networks.",
      "pptdf": "Technology",
      "origin": "171A_3.13.5[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A06",
      "objective": "physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components.",
      "pptdf": "Technology",
      "origin": "172A_3.13.4e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A07",
      "objective": "mechanisms and/or techniques used to physically separate information flows are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(21)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A08",
      "objective": "required separations by types of information are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-04(21)_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A09",
      "objective": "information flows are separated physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-04(21)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06",
      "ao_id": "NET-06_A10",
      "objective": "subnetworks are implemented for publicly accessible system components that are physically or logically separated from internal networks.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.01.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.1",
      "ao_id": "NET-06.1_A01",
      "objective": "cybersecurity tools, mechanisms and support components to be isolated from other internal system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(13)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.1",
      "ao_id": "NET-06.1_A02",
      "objective": "cybersecurity tools, mechanisms and support components are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.1",
      "ao_id": "NET-06.1_A03",
      "objective": "security management subnets are logically isolated.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(29)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.1",
      "ao_id": "NET-06.1_A04",
      "objective": "security management subnet system components and functions to be isolated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(29)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.1",
      "ao_id": "NET-06.1_A05",
      "objective": "organization-defined criteria are used to isolate security management subnets.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(29)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.1",
      "ao_id": "NET-06.1_A06",
      "objective": "physical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[1]\n172A_3.13.4e_ODP[2]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.1",
      "ao_id": "NET-06.1_A07",
      "objective": "logical isolation techniques are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.4e_ODP[1]\n172A_3.13.4e_ODP[3]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.1",
      "ao_id": "NET-06.1_A08",
      "objective": "physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components.",
      "pptdf": "Technology",
      "origin": "172A_3.13.4e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.2",
      "ao_id": "NET-06.2_A01",
      "objective": "enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.3",
      "ao_id": "NET-06.3_A01",
      "objective": "segmentation controls restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.4",
      "ao_id": "NET-06.4_A01",
      "objective": "sensitive / regulated data enclaves (secure zones) are isolated from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.5",
      "ao_id": "NET-06.5_A01",
      "objective": "Internet access from sensitive / regulated data enclaves (secure zones) is prohibited or strictly-controlled.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.6",
      "ao_id": "NET-06.6_A01",
      "objective": "microsegmentation is implemented to divide the network according to application and data workflows communications needs.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.7",
      "ao_id": "NET-06.7_A01",
      "objective": "automated mechanisms implement dynamic, policy-driven network segmentation.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.7",
      "ao_id": "NET-06.7_A02",
      "objective": "automated mechanisms implement dynamic, policy-driven access controls.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-06.7",
      "ao_id": "NET-06.7_A03",
      "objective": "automated mechanisms implement dynamic, policy-driven network traffic management.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-07",
      "ao_id": "NET-07_A01",
      "objective": "a period of inactivity to terminate network connections associated with communications sessions is defined.",
      "pptdf": "Process",
      "origin": "171A_3.13.9[a]\n53A_R5_SC-10_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-07",
      "ao_id": "NET-07_A02",
      "objective": "network connections associated with communications sessions are terminated at the end of the sessions.",
      "pptdf": "Technology",
      "origin": "171A_3.13.9[b]\n53A_R5_SC-10",
      "assessment_rigor": "1",
      "scf_defined_parameters": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-07",
      "ao_id": "NET-07_A03",
      "objective": "network connections associated with communications sessions are terminated after the defined period of inactivity.",
      "pptdf": "Technology",
      "origin": "171A_3.13.9[c]\n53A_R5_SC-10",
      "assessment_rigor": "1",
      "scf_defined_parameters": "no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-07",
      "ao_id": "NET-07_A04",
      "objective": "network connections are terminated when nonlocal maintenance is completed.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.07.05.c[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-07",
      "ao_id": "NET-07_A05",
      "objective": "the time period of inactivity after which the system terminates a network connection associated with a communications session is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.13.09.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-07",
      "ao_id": "NET-07_A06",
      "objective": "the network connection associated with a communications session is terminated at the end of the session or after an organization-defined time period of inactivity.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-07",
      "ao_id": "NET-07_A07",
      "objective": "the network connection associated with a communications session is terminated at the end of the session or after <A.03.13.09.ODP[01]: time period> of inactivity.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.13.09",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "no longer than 15 minutes",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-08",
      "ao_id": "NET-08_A01",
      "objective": "Network Intrusion Detection / Prevention Systems (NIDS/NIPS) are utilized to detect and/or prevent intrusions into the network.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-08.1",
      "ao_id": "NET-08.1_A01",
      "objective": "De-Militarized Zone (DMZ) network segments exist to separate untrusted networks from trusted networks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-08.2",
      "ao_id": "NET-08.2_A01",
      "objective": "wireless network segments implement Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) technologies.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-08.3",
      "ao_id": "NET-08.3_A01",
      "objective": "host containment protections exist that revoke or quarantine a host’s access to the network.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-08.4",
      "ao_id": "NET-08.4_A01",
      "objective": "resource containment protections exist that remove or quarantine a resource’s access to other resources.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-09",
      "ao_id": "NET-09_A01",
      "objective": "the authenticity of communications sessions is protected.",
      "pptdf": "Technology",
      "origin": "171A_3.13.15\n171A_R3_A.03.13.15\n53A_R5_SC-23",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-09",
      "ao_id": "NET-09_A02",
      "objective": "the confidentiality and/or integrity of information is/are maintained during preparation for transmission.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08(02)[01]\n53A_R5_SC-08(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-09",
      "ao_id": "NET-09_A03",
      "objective": "the confidentiality and/or integrity of information is/are maintained during reception.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08(02)[02]\n53A_R5_SC-08(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-09.1",
      "ao_id": "NET-09.1_A01",
      "objective": "session identifiers are invalidated upon user logout or other session termination.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-23(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-09.2",
      "ao_id": "NET-09.2_A01",
      "objective": "randomness requirements for generating a unique session identifier for each session are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-23(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-09.2",
      "ao_id": "NET-09.2_A02",
      "objective": "a unique session identifier is generated for each session with organization-defined randomness requirements.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-23(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-09.2",
      "ao_id": "NET-09.2_A03",
      "objective": "only system-generated session identifiers are recognized.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-23(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10",
      "ao_id": "NET-10_A01",
      "objective": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-20a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10",
      "ao_id": "NET-10_A02",
      "objective": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-20a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10",
      "ao_id": "NET-10_A03",
      "objective": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-20b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10",
      "ao_id": "NET-10_A04",
      "objective": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-20b.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.1",
      "ao_id": "NET-10.1_A01",
      "objective": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-22[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.1",
      "ao_id": "NET-10.1_A02",
      "objective": "the systems that collectively provide name/address resolution services for an organization implement internal role separation.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-22[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.1",
      "ao_id": "NET-10.1_A03",
      "objective": "the systems that collectively provide name/address resolution services for an organization implement external role separation.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-22[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.2",
      "ao_id": "NET-10.2_A01",
      "objective": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-21[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.2",
      "ao_id": "NET-10.2_A02",
      "objective": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-21[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.2",
      "ao_id": "NET-10.2_A03",
      "objective": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-21[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.2",
      "ao_id": "NET-10.2_A04",
      "objective": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-21[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.3",
      "ao_id": "NET-10.3_A01",
      "objective": "the legitimacy of email communications is validated through configuring a Domain Name System (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-10.4",
      "ao_id": "NET-10.4_A01",
      "objective": "the domain name registrar is locked to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-11",
      "ao_id": "NET-11_A01",
      "objective": "out-of-band channels to be employed for the physical delivery or electronic transmission of information, system components or devices to individuals or the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-37_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-11",
      "ao_id": "NET-11_A02",
      "objective": "out-of-band channels are employed for the physical delivery or electronic transmission of information, system components or devices to individuals or systems.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-37",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-11",
      "ao_id": "NET-11_A03",
      "objective": "information, system components or devices to employ out-of-band channels for physical delivery or electronic transmission are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-37_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-11",
      "ao_id": "NET-11_A04",
      "objective": "individuals or systems to which physical delivery or electronic transmission of information, system components or devices is to be achieved via the employment of out-of-band channels are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-37_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-11",
      "ao_id": "NET-11_A05",
      "objective": "controls to be employed to ensure that only designated individuals or systems receive specific information, system components or devices are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-37(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-11",
      "ao_id": "NET-11_A06",
      "objective": "individuals or systems designated to receive specific information, system components or devices are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-37(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-11",
      "ao_id": "NET-11_A07",
      "objective": "information, system components or devices that only individuals or systems are designated to receive are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-37(01)_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-11",
      "ao_id": "NET-11_A08",
      "objective": "organization-defined controls are employed to ensure that only authorized individuals or systems receive information, system components or devices.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-37(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-12",
      "ao_id": "NET-12_A01",
      "objective": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-03",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-12.1",
      "ao_id": "NET-12.1_A01",
      "objective": "external wireless links to be protected from particular types of signal parameter attacks are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-40_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-12.1",
      "ao_id": "NET-12.1_A02",
      "objective": "internal wireless links to be protected from particular types of signal parameter attacks are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-40_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-12.1",
      "ao_id": "NET-12.1_A03",
      "objective": "external wireless links are protected from types of signal parameter attacks or references to sources for such attacks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-40[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-12.1",
      "ao_id": "NET-12.1_A04",
      "objective": "internal wireless links are protected from types of signal parameter attacks or references to sources for such attacks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-40[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-12.1",
      "ao_id": "NET-12.1_A05",
      "objective": "types of signal parameter attacks or references to sources for such attacks from which to protect external wireless links are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-40_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-12.1",
      "ao_id": "NET-12.1_A06",
      "objective": "types of signal parameter attacks or references to sources for such attacks from which to protect internal wireless links are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-40_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-12.2",
      "ao_id": "NET-12.2_A01",
      "objective": "the transmission of unprotected sensitive / regulated data by end-user messaging technologies is prohibited through administrative and/or technical means.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-13",
      "ao_id": "NET-13_A01",
      "objective": "cryptographic mechanisms are implemented to protect message externals unless otherwise protected by alternative physical controls.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-13",
      "ao_id": "NET-13_A02",
      "objective": "alternative physical controls to protect message externals are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-08(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-13",
      "ao_id": "NET-13_A03",
      "objective": "use of Voice over Internet Protocol (VoIP) technologies is controlled.",
      "pptdf": "Technology",
      "origin": "171A_3.13.14[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-13",
      "ao_id": "NET-13_A04",
      "objective": "use of Voice over Internet Protocol (VoIP) technologies is monitored.",
      "pptdf": "Technology",
      "origin": "171A_3.13.14[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A01",
      "objective": "usage restrictions are established for each type of allowable remote system access.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-17a.[01]\n171A_R3_A.03.01.12.a[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A02",
      "objective": "types of allowable remote system access are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.12.a[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A03",
      "objective": "connection requirements are established for each type of allowable remote system access.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.12.a[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A04",
      "objective": "each type of remote system access is authorized prior to establishing such connections.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.12.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A05",
      "objective": "configuration requirements are established for each type of allowable remote system access.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-17a.[02]\n171A_R3_A.03.01.12.a[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A06",
      "objective": "implementation guidance is established and documented for each type of remote access allowed.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-17a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A07",
      "objective": "each type of remote access to the system is authorized prior to allowing such connections.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-17b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A08",
      "objective": "information about remote access mechanisms is protected from unauthorized use and disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-17(06)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A09",
      "objective": "remote access to the system is routed through authorized access control points.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.12.c[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A10",
      "objective": "remote access to the system is routed through managed access control points.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.12.c[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A11",
      "objective": "remote execution of privileged commands is authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.12.d[1]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14",
      "ao_id": "NET-14_A12",
      "objective": "remote access to security-relevant information is authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.12.d[2]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.1",
      "ao_id": "NET-14.1_A01",
      "objective": "remote access sessions are controlled.",
      "pptdf": "Technology",
      "origin": "171A_3.1.12[c]\n53A_R5_AC-17(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.1",
      "ao_id": "NET-14.1_A02",
      "objective": "remote access sessions are permitted.",
      "pptdf": "Technology",
      "origin": "171A_3.1.12[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.1",
      "ao_id": "NET-14.1_A03",
      "objective": "the types of permitted remote access are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.12[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.1",
      "ao_id": "NET-14.1_A04",
      "objective": "remote access sessions are monitored.",
      "pptdf": "Technology",
      "origin": "171A_3.1.12[d]\n53A_R5_AC-17(01)[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.2",
      "ao_id": "NET-14.2_A01",
      "objective": "cryptographic mechanisms to protect the confidentiality of remote access sessions are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.13[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.2",
      "ao_id": "NET-14.2_A02",
      "objective": "cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.",
      "pptdf": "Technology",
      "origin": "171A_3.1.13[b]\n53A_R5_AC-17(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.3",
      "ao_id": "NET-14.3_A01",
      "objective": "managed access control points are identified and implemented.",
      "pptdf": "Process",
      "origin": "171A_3.1.14[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.3",
      "ao_id": "NET-14.3_A02",
      "objective": "remote access is routed through managed network access control points.",
      "pptdf": "Technology",
      "origin": "171A_3.1.14[b]\n53A_R5_AC-17(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.4",
      "ao_id": "NET-14.4_A01",
      "objective": "privileged commands authorized for remote execution are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.15[a]\n53A_R5_AC-17(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.4",
      "ao_id": "NET-14.4_A02",
      "objective": "security-relevant information authorized to be accessed remotely is identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.15[b]\n53A_R5_AC-17(04)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.4",
      "ao_id": "NET-14.4_A03",
      "objective": "the execution of the identified privileged commands via remote access is authorized.",
      "pptdf": "Technology",
      "origin": "171A_3.1.15[c]\n53A_R5_AC-17(04)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.4",
      "ao_id": "NET-14.4_A04",
      "objective": "access to the identified security-relevant information via remote access is authorized.",
      "pptdf": "Technology",
      "origin": "171A_3.1.15[d]\n53A_R5_AC-17(04)(a)[02]\n53A_R5_AC-17(04)(a)[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.4",
      "ao_id": "NET-14.4_A05",
      "objective": "the rationale for remote access is documented in the security plan for the system.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-17(04)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.4",
      "ao_id": "NET-14.4_A06",
      "objective": "remote execution of privileged commands is authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.12.d[1]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.4",
      "ao_id": "NET-14.4_A07",
      "objective": "remote access to security-relevant information is authorized.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.12.d[2]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.5",
      "ao_id": "NET-14.5_A01",
      "objective": "secure telecommuting practices are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.5",
      "ao_id": "NET-14.5_A02",
      "objective": "technical measures govern remote access to systems and data for remote workers.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.5",
      "ao_id": "NET-14.5_A03",
      "objective": "administrative measures govern rules of behavior for telecommuting practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.5",
      "ao_id": "NET-14.5_A04",
      "objective": "security requirements to be employed at alternate work sites are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.10.06.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.5",
      "ao_id": "NET-14.5_A05",
      "objective": "alternate work sites allowed for use by employees are determined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.10.06.a",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.5",
      "ao_id": "NET-14.5_A06",
      "objective": "the following security requirements are employed at alternate work sites: <A.03.10.06.ODP[01]: security requirements>.",
      "pptdf": "Facility",
      "origin": "171A_R3_A.03.10.06.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "adequate security, comparable to organizational security requirements at the primary work site where practical, documented in policy, and covered by training",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.6",
      "ao_id": "NET-14.6_A01",
      "objective": "third-party accounts used to access, support or maintain system components via remote access are proactively controlled and monitored.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.7",
      "ao_id": "NET-14.7_A01",
      "objective": "cybersecurity / data privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection.",
      "pptdf": "Technology",
      "origin": "53A_R5_CA-09(01)[01]\n53A_R5_CA-09(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.8",
      "ao_id": "NET-14.8_A01",
      "objective": "the time period within which to disconnect or disable remote access to the system is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-17(09)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-14.8",
      "ao_id": "NET-14.8_A02",
      "objective": "the capability to disconnect or disable remote access to the system within an organization-defined time period is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-17(09)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15",
      "ao_id": "NET-15_A01",
      "objective": "usage restrictions are established for each type of wireless access to the system.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.16.a[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15",
      "ao_id": "NET-15_A02",
      "objective": "connection requirements are established for each type of wireless access to the system.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.16.a[04]\n53A_R5_AC-18a.[01]\n53A_R5_AC-18a.[02]\n53A_R5_AC-18a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15",
      "ao_id": "NET-15_A03",
      "objective": "wireless access points are identified.",
      "pptdf": "Process",
      "origin": "171A_3.1.16[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15",
      "ao_id": "NET-15_A04",
      "objective": "wireless access is authorized prior to allowing such connections.",
      "pptdf": "Technology",
      "origin": "171A_3.1.16[b]\n53A_R5_AC-18b.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15",
      "ao_id": "NET-15_A05",
      "objective": "each type of wireless access to the system is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.01.16.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.1",
      "ao_id": "NET-15.1_A01",
      "objective": "wireless access to the system is protected using authentication.",
      "pptdf": "Technology",
      "origin": "171A_3.1.17[a]\n171A_R3_A.03.01.16.d[01]\n53A_R5_AC-18(01)_ODP\n53A_R5_AC-18(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.1",
      "ao_id": "NET-15.1_A02",
      "objective": "wireless access to the system is protected using encryption.",
      "pptdf": "Technology",
      "origin": "171A_3.1.17[b]\n171A_R3_A.03.01.16.d[02]\n53A_R5_AC-18(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.1",
      "ao_id": "NET-15.1_A03",
      "objective": "information is/are maintained during preparation for transmission.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08(02)[01]\n53A_R5_SC-08(02)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.1",
      "ao_id": "NET-15.1_A04",
      "objective": "information is/are maintained during reception.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-08(02)[02]\n53A_R5_SC-08(02)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.2",
      "ao_id": "NET-15.2_A01",
      "objective": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-18(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.3",
      "ao_id": "NET-15.3_A01",
      "objective": "users allowed to independently configure wireless networking capabilities are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-18(04)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.3",
      "ao_id": "NET-15.3_A02",
      "objective": "users allowed to independently configure wireless networking capabilities are explicitly authorized.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-18(04)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.3",
      "ao_id": "NET-15.3_A03",
      "objective": "radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-18(05)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.4",
      "ao_id": "NET-15.4_A01",
      "objective": "transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-18(05)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.5",
      "ao_id": "NET-15.5_A01",
      "objective": "all authorized and unauthorized Wireless Access Points (WAPs) are identified within the facility(ies).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-15.5",
      "ao_id": "NET-15.5_A02",
      "objective": "rogue WAPs are responded to in accordance with published incident response plans.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-16",
      "ao_id": "NET-16_A01",
      "objective": "trust relationships are established with other organizations owning, operating, and/or maintaining intranet systems.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-16",
      "ao_id": "NET-16_A02",
      "objective": "trust relationships with other organizations allow authorized individuals to: \n •Access the intranet from external systems; and/or\n •Process, store, and/or transmit organization-controlled information using the external systems.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-17",
      "ao_id": "NET-17_A01",
      "objective": "points where communications traffic is to be analyzed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(18)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-17",
      "ao_id": "NET-17_A02",
      "objective": "outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(18)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-17",
      "ao_id": "NET-17_A03",
      "objective": "outbound communications traffic is analyzed at interfaces internal to the system to detect covert exfiltration of information.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(18)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18",
      "ao_id": "NET-18_A01",
      "objective": "Internet-bound network traffic is routed through a proxy device or service for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.1",
      "ao_id": "NET-18.1_A01",
      "objective": "internal communications traffic to be routed to external networks is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(08)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.1",
      "ao_id": "NET-18.1_A02",
      "objective": "external networks to which internal communications traffic is to be routed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(08)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "any network outside of organizational control and any network outside the authorization boundary",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.1",
      "ao_id": "NET-18.1_A03",
      "objective": "internal communications traffic is routed to external networks through authenticated proxy servers at managed interfaces.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.2",
      "ao_id": "NET-18.2_A01",
      "objective": "encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(10)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.2",
      "ao_id": "NET-18.2_A02",
      "objective": "system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-04(10)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.2",
      "ao_id": "NET-18.2_A03",
      "objective": "provisions are made so that encrypted communications traffic is visible to system monitoring tools and mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-04(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.3",
      "ao_id": "NET-18.3_A01",
      "objective": "networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(15)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.3",
      "ao_id": "NET-18.3_A02",
      "objective": "networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(15)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.4",
      "ao_id": "NET-18.4_A01",
      "objective": "technologies are configured to block/drop network traffic that does not comply with Internet Engineering Task Force (IETF) protocol specifications.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.5",
      "ao_id": "NET-18.5_A01",
      "objective": "internal domain name lookups are validated according to Domain Name System Security Extensions (DNSSEC).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.5",
      "ao_id": "NET-18.5_A02",
      "objective": "external domain name lookups are validated according to Domain Name System Security Extensions (DNSSEC).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.6",
      "ao_id": "NET-18.6_A01",
      "objective": "Internet addresses to be blocked are documented on a denylist.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.6",
      "ao_id": "NET-18.6_A02",
      "objective": "Internet address denylisting protections block traffic received from or destined to a denylisted Internet address.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.7",
      "ao_id": "NET-18.7_A01",
      "objective": "bandwidth-intensive Internet categories are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.7",
      "ao_id": "NET-18.7_A02",
      "objective": "bandwidth control technologies limit the amount of bandwidth used by categories of domains that are bandwidth-intensive.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.8",
      "ao_id": "NET-18.8_A01",
      "objective": "systems and processes are required to authenticate Internet-bound traffic with a proxy to enable user, group and/or location-aware security controls.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.9",
      "ao_id": "NET-18.9_A01",
      "objective": "a set of known bad certificates is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-18.9",
      "ao_id": "NET-18.9_A02",
      "objective": "communication with systems and/or services that use known bad certificates is blocked.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-19",
      "ao_id": "NET-19_A01",
      "objective": "Automated Content Disarm and Reconstruction (CDR) technologies are implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-19",
      "ao_id": "NET-19_A02",
      "objective": "Automated Content Disarm and Reconstruction (CDR) mechanisms are configured to detect the presence of unapproved active content and facilitate its removal, resulting in content with only known safe elements.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20",
      "ao_id": "NET-20_A01",
      "objective": "an email filtering security service is implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20",
      "ao_id": "NET-20_A02",
      "objective": "email filtering security services are configured to detect malicious attachments in emails and prevent users from accessing them.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20",
      "ao_id": "NET-20_A03",
      "objective": "email filtering security services are configured to prevent users from accessing malicious email attachments.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.1",
      "ao_id": "NET-20.1_A01",
      "objective": "domains associated with domain used for email purposes are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.1",
      "ao_id": "NET-20.1_A02",
      "objective": "processes exist to monitor the reputation of the organization's email domain.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.2",
      "ao_id": "NET-20.2_A01",
      "objective": "a set of denylisted senders, domains and/or email servers is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.2",
      "ao_id": "NET-20.2_A02",
      "objective": "email systems are configured to prevent the reception of email from denylisted senders, domains and/or email servers.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.3",
      "ao_id": "NET-20.3_A01",
      "objective": "email systems are configured to utilize an authenticated received chain that allows for an intermediary to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.4",
      "ao_id": "NET-20.4_A01",
      "objective": "domain signature verification protections are implemented to authenticate incoming email according to Domain-based Message Authentication, Reporting and Conformance (DMARC).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.5",
      "ao_id": "NET-20.5_A01",
      "objective": "email systems are configured to enable users to digitally sign their emails, allowing external parties to authenticate the email’s sender and its contents according to the Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication protocol.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.6",
      "ao_id": "NET-20.6_A01",
      "objective": "email systems are configured to enable the encryption of outgoing emails.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.7",
      "ao_id": "NET-20.7_A01",
      "objective": "email systems are configured to utilize adaptive email protections that involve employing risk-based analysis in the application and enforcement of email protections.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.8",
      "ao_id": "NET-20.8_A01",
      "objective": "email systems are configured to implement email labeling that applies organization-defined tags to incoming email.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.8",
      "ao_id": "NET-20.8_A02",
      "objective": "email systems are configured to implement email labeling that applies organization-defined tags to outgoing email.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "NET-20.9",
      "ao_id": "NET-20.9_A01",
      "objective": "methods exist to receive submissions from users of phishing attempts, spam or otherwise malicious actions.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01",
      "ao_id": "OPS-01_A01",
      "objective": "operations security controls to be employed to protect key organizational information throughout the system development life cycle are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-38_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01",
      "ao_id": "OPS-01_A02",
      "objective": "operations security controls are employed to protect key organizational information throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-38",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01",
      "ao_id": "OPS-01_A03",
      "objective": "security operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01",
      "ao_id": "OPS-01_A04",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support security operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01",
      "ao_id": "OPS-01_A05",
      "objective": "responsibility and authority for the performance of security operations-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01",
      "ao_id": "OPS-01_A06",
      "objective": "personnel performing security operations-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A01",
      "objective": "procedures needed to satisfy the security requirements for the protection of sensitive / regulated data are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.[03]\n53A_R5_AT-01a.[03]\n53A_R5_AU-01a.[03]\n53A_R5_CA-01a.[03]\n53A_R5_CM-01a.[03]\n53A_R5_CP-01a.[03]\n53A_R5_IA-01a.[03]\n53A_R5_IR-01a.[03]\n53A_R5_MA-01a.[03]\n53A_R5_MP-01a.[03]\n53A_R5_PE-01a.[03]\n53A_R5_PL-01a.[03]\n53A_R5_PS-01a.[03]\n53A_R5_PT-01a.[03]\n53A_R5_RA-01a.[03]\n53A_R5_SA-01a.[03]\n53A_R5_SC-01a.[03]\n53A_R5_SI-01a.[03]\n53A_R5_SR-01a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A02",
      "objective": "procedures needed to satisfy the security requirements for the protection of sensitive / regulated data are disseminated to organizational personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01a.[04]\n53A_R5_AT-01a.[04]\n53A_R5_AU-01a.[04]\n53A_R5_CA-01a.[04]\n53A_R5_CM-01a.[04]\n53A_R5_CP-01a.[04]\n53A_R5_IA-01a.[04]\n53A_R5_IR-01a.[04]\n53A_R5_MA-01a.[04]\n53A_R5_MP-01a.[04]\n53A_R5_PE-01a.[04]\n53A_R5_PL-01a.[04]\n53A_R5_PS-01a.[04]\n53A_R5_PT-01a.[04]\n53A_R5_RA-01a.[04]\n53A_R5_SA-01a.[04]\n53A_R5_SC-01a.[04]\n53A_R5_SI-01a.[04]\n53A_R5_SR-01a.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A03",
      "objective": "the current cybersecurity / data privacy procedures are reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01c.02[01]\n53A_R5_AT-01c.02[01]\n53A_R5_AU-01c.02[01]\n53A_R5_CA-01c.02[01]\n53A_R5_CM-01c.02[01]\n53A_R5_CP-01c.02[01]\n53A_R5_IA-01c.02[01]\n53A_R5_IR-01c.02[01]\n53A_R5_MA-01c.02[01]\n53A_R5_MP-01c.02[01]\n53A_R5_PE-01c.02[01]\n53A_R5_PL-01c.02[01]\n53A_R5_PS-01c.02[01]\n53A_R5_PT-01c.02[01]\n53A_R5_RA-01c.02[01]\n53A_R5_SA-01c.02[01]\n53A_R5_SC-01c.02[01]\n53A_R5_SI-01c.02[01]\n53A_R5_SR-01c.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "Review policies, standards and procedures at least annually and following significant changes",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A04",
      "objective": "the current cybersecurity / data privacy procedures are reviewed / updated following events.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01c.02[02]\n53A_R5_AT-01c.02[02]\n53A_R5_AU-01c.02[02]\n53A_R5_CA-01c.02[02]\n53A_R5_CM-01c.02[02]\n53A_R5_CP-01c.02[02]\n53A_R5_IA-01c.02[02]\n53A_R5_IR-01c.02[02]\n53A_R5_MA-01c.02[02]\n53A_R5_MP-01c.02[02]\n53A_R5_PE-01c.02[02]\n53A_R5_PL-01c.02[02]\n53A_R5_PS-01c.02[02]\n53A_R5_PT-01c.02[02]\n53A_R5_RA-01c.02[02]\n53A_R5_SA-01c.02[02]\n53A_R5_SC-01c.02[02]\n53A_R5_SI-01c.02[02]\n53A_R5_SR-01c.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "Review policies, standards and procedures at least annually and following significant changes",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A05",
      "objective": "personnel or roles to whom cybersecurity / data privacy procedures are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01_ODP[02]\n53A_R5_AT-01_ODP[02]\n53A_R5_AU-01_ODP[02]\n53A_R5_CA-01_ODP[02]\n53A_R5_CM-01_ODP[02]\n53A_R5_CP-01_ODP[02]\n53A_R5_IA-01_ODP[02]\n53A_R5_IR-01_ODP[02]\n53A_R5_MA-01_ODP[02]\n53A_R5_MP-01_ODP[02]\n53A_R5_PE-01_ODP[02]\n53A_R5_PL-01_ODP[02]\n53A_R5_PS-01_ODP[02]\n53A_R5_PT-01_ODP[02]\n53A_R5_RA-01_ODP[02]\n53A_R5_SA-01_ODP[02]\n53A_R5_SC-01_ODP[02]\n53A_R5_SI-01_ODP[02]\n53A_R5_SR-01_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A06",
      "objective": "events that would require procedures to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01_ODP[08]\n53A_R5_AT-01_ODP[08]\n53A_R5_AU-01_ODP[08]\n53A_R5_CA-01_ODP[08]\n53A_R5_CM-01_ODP[08]\n53A_R5_CP-01_ODP[08]\n53A_R5_IA-01_ODP[08]\n53A_R5_IR-01_ODP[08]\n53A_R5_MA-01_ODP[08]\n53A_R5_MP-01_ODP[08]\n53A_R5_PE-01_ODP[08]\n53A_R5_PL-01_ODP[08]\n53A_R5_PS-01_ODP[08]\n53A_R5_PT-01_ODP[08]\n53A_R5_RA-01_ODP[08]\n53A_R5_SA-01_ODP[08]\n53A_R5_SC-01_ODP[08]\n53A_R5_SI-01_ODP[08]\n53A_R5_SR-01_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A07",
      "objective": "systems or system components that implement the security design principle of sufficient documentation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(32)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A08",
      "objective": "systems or system components implement the security design principle of sufficient documentation.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(32)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A09",
      "objective": "policies and procedures are reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01_ODP[07]\n53A_R5_AT-01_ODP[07]\n53A_R5_AU-01_ODP[07]\n53A_R5_CA-01_ODP[07]\n53A_R5_CM-01_ODP[07]\n53A_R5_CP-01_ODP[07]\n53A_R5_IA-01_ODP[07]\n53A_R5_IR-01_ODP[07]\n53A_R5_MA-01_ODP[07]\n53A_R5_MP-01_ODP[07]\n53A_R5_PE-01_ODP[07]\n53A_R5_PL-01_ODP[07]\n53A_R5_PS-01_ODP[07]\n53A_R5_PT-01_ODP[07]\n53A_R5_RA-01_ODP[07]\n53A_R5_SA-01_ODP[07]\n53A_R5_SC-01_ODP[07]\n53A_R5_SI-01_ODP[07]\n53A_R5_SR-01_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A10",
      "objective": "policies and procedures are updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-01_ODP[07]\n53A_R5_AT-01_ODP[07]\n53A_R5_AU-01_ODP[07]\n53A_R5_CA-01_ODP[07]\n53A_R5_CM-01_ODP[07]\n53A_R5_CP-01_ODP[07]\n53A_R5_IA-01_ODP[07]\n53A_R5_IR-01_ODP[07]\n53A_R5_MA-01_ODP[07]\n53A_R5_MP-01_ODP[07]\n53A_R5_PE-01_ODP[07]\n53A_R5_PL-01_ODP[07]\n53A_R5_PS-01_ODP[07]\n53A_R5_PT-01_ODP[07]\n53A_R5_RA-01_ODP[07]\n53A_R5_SA-01_ODP[07]\n53A_R5_SC-01_ODP[07]\n53A_R5_SI-01_ODP[07]\n53A_R5_SR-01_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A11",
      "objective": "procedures needed to satisfy the security requirements for the protection of CUI are developed and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.01.a[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A12",
      "objective": "procedures needed to satisfy the security requirements for the protection of CUI are disseminated to organizational personnel or roles.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.15.01.a[04]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A13",
      "objective": "policies and procedures are reviewed <A.03.15.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.01.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-01.1",
      "ao_id": "OPS-01.1_A14",
      "objective": "policies and procedures are updated <A.03.15.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.15.01.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-02",
      "ao_id": "OPS-02_A02",
      "objective": "a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of cybersecurity / data privacy is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-07a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-02",
      "ao_id": "OPS-02_A01",
      "objective": "frequency for review / update of the Concept of Operations (CONOPS) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-07_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-02",
      "ao_id": "OPS-02_A03",
      "objective": "the Concept of Operations (CONOPS) is reviewed / updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-07b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-03",
      "ao_id": "OPS-03_A01",
      "objective": "supporting business processes are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-03",
      "ao_id": "OPS-03_A02",
      "objective": "appropriate governance and service management is implemented to ensure appropriate planning, delivery and support of business functions, workforce, and/or customers.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-04",
      "ao_id": "OPS-04_A01",
      "objective": "a Security Operations Center (SOC) capability is established and maintained.",
      "pptdf": "Process",
      "origin": "172A_3.6.1e[a]\n172A_3.6.1e[c]\n53A_R5_IR-04(14)[01]\n53A_R5_IR-04(14)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-04",
      "ao_id": "OPS-04_A02",
      "objective": "a time period to operate a Security Operations Center (SOC) capability is defined.",
      "pptdf": "Process",
      "origin": "172A_3.6.1e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-04",
      "ao_id": "OPS-04_A03",
      "objective": "the Security Operations Center (SOC) capability operates according to an organization-defined time period.",
      "pptdf": "Process",
      "origin": "172A_3.6.1e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-05",
      "ao_id": "OPS-05_A01",
      "objective": "guidelines and recommendations for the secure use of products and/or services are generated to assist in the configuration, installation and use of the product and/or service.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-06",
      "ao_id": "OPS-06_A01",
      "objective": "Security Orchestration, Automation and Response (SOAR) tools are used to define, prioritize and automate responses to security incidents.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-07",
      "ao_id": "OPS-07_A01",
      "objective": "organizational policy prohibits unauthorized software, systems and services in use by the organization (e.g., shadow IT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-07",
      "ao_id": "OPS-07_A02",
      "objective": "no less than annually, financial expenditures are reviewed for instances of unauthorized software, systems and services in use by the organization (e.g., shadow IT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-07",
      "ao_id": "OPS-07_A03",
      "objective": "instances of unauthorized software, systems and services in use by the organization (e.g., shadow IT) are investigated as cybersecurity incidents.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "OPS-07",
      "ao_id": "OPS-07_A04",
      "objective": "personnel responsible for unauthorized software, systems and services are held accountable per the organization's disciplinary processes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A01",
      "objective": "the physical facility where organizational systems reside is protected.",
      "pptdf": "Facility",
      "origin": "171A_3.10.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A02",
      "objective": "the location or site of the facility where the system resides is planned considering physical and environmental hazards.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A03",
      "objective": "for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A04",
      "objective": "the support infrastructure for organizational systems is protected.",
      "pptdf": "Facility",
      "origin": "171A_3.10.2[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A05",
      "objective": "the physical facility where organizational systems reside is monitored.",
      "pptdf": "Facility",
      "origin": "171A_3.10.2[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A06",
      "objective": "the support infrastructure for organizational systems is monitored.",
      "pptdf": "Facility",
      "origin": "171A_3.10.2[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A07",
      "objective": "physical security operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A08",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support physical security operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A09",
      "objective": "responsibility and authority for the performance of physical security-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01",
      "ao_id": "PES-01_A10",
      "objective": "personnel performing physical security-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01.1",
      "ao_id": "PES-01.1_A01",
      "objective": "a Site Security Plan (SitePlan) is documented for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01.2",
      "ao_id": "PES-01.2_A01",
      "objective": "a zone-based approach to physical security is developed.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-01.2",
      "ao_id": "PES-01.2_A02",
      "objective": "a zone-based approach to physical security is implemented.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A01",
      "objective": "authorized individuals allowed physical access are identified.",
      "pptdf": "Process",
      "origin": "171A_3.10.1[a]\n53A_R5_PE-02a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A02",
      "objective": "physical access to operating environments is limited to authorized individuals.",
      "pptdf": "Facility",
      "origin": "171A_3.10.1[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A03",
      "objective": "physical access to organizational systems is limited to authorized individuals.",
      "pptdf": "Facility",
      "origin": "171A_3.10.1[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A04",
      "objective": "physical access to equipment is limited to authorized individuals.",
      "pptdf": "Facility",
      "origin": "171A_3.10.1[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A05",
      "objective": "the frequency at which to review the access list detailing authorized facility access by individuals is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-02_ODP\n171A_R3_A.03.10.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A06",
      "objective": "a list of individuals with authorized access to the facility where the system resides is approved.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-02a.[02]\n171A_R3_A.03.10.01.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A07",
      "objective": "a list of individuals with authorized access to the facility where the system resides is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-02a.[03]\n171A_R3_A.03.10.01.a[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A08",
      "objective": "authorization credentials are issued for facility access.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A09",
      "objective": "the facility access list is reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A10",
      "objective": "individuals from the facility access list are removed when access is no longer required.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-02d.\n171A_R3_A.03.10.01.d",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A11",
      "objective": "physical access restrictions associated with changes to the system are approved.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.05[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A12",
      "objective": "a list of individuals with authorized access to the facility where the system resides is developed.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.10.01.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A13",
      "objective": "physical access authorizations are enforced at entry and exit points to the facility where the system resides by verifying individual physical access authorizations before granting access.",
      "pptdf": "Facility",
      "origin": "171A_R3_A.03.10.07.a.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02",
      "ao_id": "PES-02_A14",
      "objective": "the facility access list is reviewed <A.03.10.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.10.01.c",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02.1",
      "ao_id": "PES-02.1_A01",
      "objective": "physical access to the facility where the system resides is authorized based on position or role.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02.1",
      "ao_id": "PES-02.1_A02",
      "objective": "physical access restrictions associated with changes to the system are defined and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.05[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02.1",
      "ao_id": "PES-02.1_A03",
      "objective": "the frequency at which to review the access list detailing authorized facility access by individuals is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.10.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually or earlier as required by a security relevant event",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02.1",
      "ao_id": "PES-02.1_A04",
      "objective": "authorization credentials for facility access are issued.",
      "pptdf": "Facility",
      "origin": "171A_R3_A.03.10.01.b",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-02.2",
      "ao_id": "PES-02.2_A01",
      "objective": "a \"two-person rule\" is enforced for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.).",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A01",
      "objective": "physical access controls to control access to areas within the facility designated as publicly accessible are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03_ODP[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A02",
      "objective": "physical access authorizations are enforced at entry and exit points to the facility where the system resides by controlling ingress and egress with physical access control systems, devices, or guards.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03a.01\n171A_R3_A.03.10.07.a.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A03",
      "objective": "entry and exit points to the facility in which the system resides are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A04",
      "objective": "entry or exit points for which physical access logs are maintained are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A05",
      "objective": "physical access devices are identified.",
      "pptdf": "Process",
      "origin": "171A_3.10.5[a]\n53A_R5_PE-03_ODP[02]\n53A_R5_PE-03_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A06",
      "objective": "physical access devices are controlled.",
      "pptdf": "Facility",
      "origin": "171A_3.10.5[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A07",
      "objective": "physical access devices are managed.",
      "pptdf": "Facility",
      "origin": "171A_3.10.5[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A08",
      "objective": "circumstances requiring visitor escorts and control of visitor activity are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A09",
      "objective": "physical access devices to be inventoried are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A10",
      "objective": "frequency at which to inventory physical access devices is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually or earlier as required by a security relevant event",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A11",
      "objective": "frequency at which to change combinations is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03_ODP[09]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "as required by a security relevant event",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A12",
      "objective": "frequency at which to change keys is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03_ODP[10]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "as required by a security relevant event",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A13",
      "objective": "physical access authorizations are enforced at entry and exit points by controlling ingress and egress to the facility.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03a.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A14",
      "objective": "physical access event logs are maintained for entry or exit points.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A15",
      "objective": "access to areas within the facility designated as publicly accessible is maintained by implementing physical access controls.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A16",
      "objective": "visitors are escorted.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03d.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A17",
      "objective": "visitor activity is controlled under organization-defined circumstances.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A18",
      "objective": "physical access devices are inventoried frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03f.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually or earlier as required by a security relevant event",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A19",
      "objective": "combinations are changed frequently, when combinations are compromised or when individuals possessing the combinations are transferred or terminated.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03g.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "as required by a security relevant event",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A20",
      "objective": "keys are changed frequently, when keys are lost or when individuals possessing the keys are transferred or terminated.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03g.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "as required by a security relevant event",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A21",
      "objective": "the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03(02)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A22",
      "objective": "security checks are performed per an organization-defined frequency at the physical perimeter of the facility or system for exfiltration of information or removal of system components.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A23",
      "objective": "physical access points to the facility where the system resides are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03(03)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A24",
      "objective": "guards are employed to control physical access points to the facility where the system resides 24 hours per day, 7 days per week.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03(03)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A25",
      "objective": "physical access restrictions associated with changes to the system are enforced.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.04.05[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03",
      "ao_id": "PES-03_A26",
      "objective": "keys, combinations, and other physical access devices are secured.",
      "pptdf": "Facility",
      "origin": "171A_R3_A.03.10.07.d\n53A_R5_PE-03e.[01]\n53A_R5_PE-03e.[02]\n53A_R5_PE-03e.[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.1",
      "ao_id": "PES-03.1_A01",
      "objective": "physical access control mechanisms limit physical access through controlled ingress and egress points.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.1",
      "ao_id": "PES-03.1_A02",
      "objective": "physical access control mechanisms monitor physical access through controlled ingress and egress points.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.2",
      "ao_id": "PES-03.2_A01",
      "objective": "system components to be protected from unauthorized physical access are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.2",
      "ao_id": "PES-03.2_A02",
      "objective": "lockable physical casings are used to protect system components from unauthorized access.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.3",
      "ao_id": "PES-03.3_A01",
      "objective": "physical access audit logs for entry or exit points are maintained.",
      "pptdf": "Facility",
      "origin": "171A_3.10.4\n171A_R3_A.03.10.07.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.3",
      "ao_id": "PES-03.3_A02",
      "objective": "time period for which to maintain visitor access records for the facility where the system resides is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "for a minimum of one (1) year",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.3",
      "ao_id": "PES-03.3_A03",
      "objective": "visitor access records for the facility where the system resides are maintained for an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "for a minimum of one (1) year",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.3",
      "ao_id": "PES-03.3_A04",
      "objective": "the frequency at which to review visitor access records is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.3",
      "ao_id": "PES-03.3_A05",
      "objective": "visitor access records are reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.3",
      "ao_id": "PES-03.3_A06",
      "objective": "personnel to whom visitor access records anomalies are reported is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.3",
      "ao_id": "PES-03.3_A07",
      "objective": "visitor access records anomalies are reported to personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.3",
      "ao_id": "PES-03.3_A08",
      "objective": "audit logs of physical access are maintained.",
      "pptdf": "Facility",
      "origin": "CMMC L1 Assessment Guide",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.4",
      "ao_id": "PES-03.4_A01",
      "objective": "physical spaces are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-03(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.4",
      "ao_id": "PES-03.4_A02",
      "objective": "physical access controls are enforced for the facility at organization-defined physical spaces.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-03.4",
      "ao_id": "PES-03.4_A03",
      "objective": "physical access authorizations are enforced.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-03(01)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-04",
      "ao_id": "PES-04_A01",
      "objective": "identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-04.1",
      "ao_id": "PES-04.1_A01",
      "objective": "physical security access controls allow only authorized personnel access to secure areas.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-04.2",
      "ao_id": "PES-04.2_A01",
      "objective": "physical security personnel inspect individuals and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-04.3",
      "ao_id": "PES-04.3_A01",
      "objective": "physical security personnel temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A01",
      "objective": "the frequency at which to review physical access logs is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-06_ODP[01]\n171A_R3_A.03.10.02.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A02",
      "objective": "events or potential indications of events requiring physical access logs to be reviewed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-06_ODP[02]\n171A_R3_A.03.10.02.ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A03",
      "objective": "physical access to the facility where the system resides is monitored to detect physical security incidents.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-06a.\n171A_R3_A.03.10.02.a[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A04",
      "objective": "physical access logs are reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-06b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A05",
      "objective": "physical access logs are reviewed upon occurrence of organization-defined events or potential indicators of events.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-06b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A06",
      "objective": "results of reviews are coordinated with organizational incident response capabilities.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-06c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A07",
      "objective": "results of investigations are coordinated with organizational incident response capabilities.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-06c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A08",
      "objective": "physical security incidents are responded to.",
      "pptdf": "Facility",
      "origin": "171A_R3_A.03.10.02.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A09",
      "objective": "physical access logs are reviewed <A.03.10.02.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.10.02.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values: at least every 45 days",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05",
      "ao_id": "PES-05_A10",
      "objective": "physical access logs are reviewed upon occurrence of <A.03.10.02.ODP[02]: events or potential indicators of events>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.10.02.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values: significant, novel incidents, or significant changes to risks.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05.1",
      "ao_id": "PES-05.1_A01",
      "objective": "physical access to the facility where the system resides is monitored using physical intrusion alarms.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-06(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05.1",
      "ao_id": "PES-05.1_A02",
      "objective": "physical access to the facility where the system resides is monitored using physical surveillance equipment.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-06(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05.2",
      "ao_id": "PES-05.2_A01",
      "objective": "physical spaces containing one or more components of the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-06(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-05.2",
      "ao_id": "PES-05.2_A02",
      "objective": "physical access to the system is monitored in addition to the physical access monitoring of the facility at organization-defined physical spaces.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-06(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06",
      "ao_id": "PES-06_A01",
      "objective": "visitors are escorted.",
      "pptdf": "Facility",
      "origin": "171A_3.10.3[a]\n171A_R3_A.03.10.07.c[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06",
      "ao_id": "PES-06_A02",
      "objective": "visitor activity is controlled.",
      "pptdf": "Facility",
      "origin": "171A_3.10.3[b]\n171A_R3_A.03.10.07.c[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.1",
      "ao_id": "PES-06.1_A01",
      "objective": "physical access control mechanisms distinguish between onsite personnel and visitors, especially in areas where sensitive / regulated data is accessible.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.1",
      "ao_id": "PES-06.1_A02",
      "objective": "visitors are escorted.",
      "pptdf": "Facility",
      "origin": "171A_3.10.3[a]\n171A_R3_A.03.10.07.c[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.1",
      "ao_id": "PES-06.1_A03",
      "objective": "visitor activity is controlled.",
      "pptdf": "Facility",
      "origin": "171A_3.10.3[b]\n171A_R3_A.03.10.07.c[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.2",
      "ao_id": "PES-06.2_A01",
      "objective": "a list of acceptable forms of identification for visitor access to the facility where the system resides is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-02(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.2",
      "ao_id": "PES-06.2_A02",
      "objective": "two forms of identification are required from the list of acceptable forms of identification for visitor access to the facility where the system resides.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-02(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.3",
      "ao_id": "PES-06.3_A01",
      "objective": "visitor activity is controlled.",
      "pptdf": "Facility",
      "origin": "171A_R3_A.03.10.07.c[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.3",
      "ao_id": "PES-06.3_A02",
      "objective": "unescorted access to the facility where the system resides is restricted.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-02(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.3",
      "ao_id": "PES-06.3_A03",
      "objective": "visitor activity is monitored.",
      "pptdf": "Facility",
      "origin": "171A_3.10.3[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.3",
      "ao_id": "PES-06.3_A04",
      "objective": "visitors are escorted.",
      "pptdf": "Facility",
      "origin": "171A_3.10.3[a]\n171A_R3_A.03.10.07.c[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.3",
      "ao_id": "PES-06.3_A05",
      "objective": "physical access authorizations for unescorted access to the facility where the system resides are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-02(03)_ODP[01]\n53A_R5_PE-02(03)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.4",
      "ao_id": "PES-06.4_A01",
      "objective": "automated mechanisms used to maintain visitor access records are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.4",
      "ao_id": "PES-06.4_A02",
      "objective": "automated mechanisms used to review visitor access records are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.4",
      "ao_id": "PES-06.4_A03",
      "objective": "visitor access records are maintained using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_PE-08(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.4",
      "ao_id": "PES-06.4_A04",
      "objective": "visitor access records are reviewed using automated mechanisms.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.5",
      "ao_id": "PES-06.5_A01",
      "objective": "elements identified in the privacy risk assessment to limit Personal Data (PD) contained in visitor access logs are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.5",
      "ao_id": "PES-06.5_A02",
      "objective": "Personal Data (PD) contained in visitor access records is limited to elements identified in the privacy risk assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-08(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.5",
      "ao_id": "PES-06.5_A03",
      "objective": "processes that implement the privacy principle of minimization are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(33)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.5",
      "ao_id": "PES-06.5_A04",
      "objective": "the privacy principle of minimization is implemented using organization-defined processes.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(33)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-06.6",
      "ao_id": "PES-06.6_A01",
      "objective": "visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07",
      "ao_id": "PES-07_A01",
      "objective": "power equipment for the system is protected from damage and destruction.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-09[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07",
      "ao_id": "PES-07_A02",
      "objective": "power cabling for the system is protected from damage and destruction.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-09[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.1",
      "ao_id": "PES-07.1_A01",
      "objective": "the critical system components that require automatic voltage controls are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-09(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.1",
      "ao_id": "PES-07.1_A02",
      "objective": "automatic voltage controls for critical system components are employed.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-09(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.2",
      "ao_id": "PES-07.2_A01",
      "objective": "system or individual system components that require the capability to shut off power in emergency situations is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-10_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.2",
      "ao_id": "PES-07.2_A02",
      "objective": "location of emergency shutoff switches or devices by system or system component is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-10_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.2",
      "ao_id": "PES-07.2_A03",
      "objective": "the capability to shut off power to system or individual system components in emergency situations is provided.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-10a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.2",
      "ao_id": "PES-07.2_A04",
      "objective": "emergency shutoff switches or devices are placed in the organization-defined location to facilitate access for authorized personnel.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-10b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.2",
      "ao_id": "PES-07.2_A05",
      "objective": "the emergency power shutoff capability is protected from unauthorized activation.",
      "pptdf": "Technology",
      "origin": "53A_R5_PE-10c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.3",
      "ao_id": "PES-07.3_A01",
      "objective": "an uninterruptible power supply is provided to facilitate selected organization-defined values in the event of a primary power source loss.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-11_ODP\n53A_R5_PE-11",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.3",
      "ao_id": "PES-07.3_A02",
      "objective": "an alternate power supply provided for the system is activated upon organization-defined criteria.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-11(01)_ODP\n53A_R5_PE-11(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.3",
      "ao_id": "PES-07.3_A03",
      "objective": "the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-11(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.4",
      "ao_id": "PES-07.4_A01",
      "objective": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-12[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.4",
      "ao_id": "PES-07.4_A02",
      "objective": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-12[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.4",
      "ao_id": "PES-07.4_A03",
      "objective": "automatic emergency lighting for the system covers emergency exits within the facility.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-12[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.4",
      "ao_id": "PES-07.4_A04",
      "objective": "automatic emergency lighting for the system covers evacuation routes within the facility.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-12[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.5",
      "ao_id": "PES-07.5_A01",
      "objective": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-15[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.5",
      "ao_id": "PES-07.5_A02",
      "objective": "the master shutoff or isolation valves are accessible.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-15[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.5",
      "ao_id": "PES-07.5_A03",
      "objective": "the master shutoff or isolation valves are working properly.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-15[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.5",
      "ao_id": "PES-07.5_A04",
      "objective": "the master shutoff or isolation valves are known to key personnel.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-15[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.6",
      "ao_id": "PES-07.6_A01",
      "objective": "personnel or roles to be alerted when the presence of water is detected near the system is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-15(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.6",
      "ao_id": "PES-07.6_A02",
      "objective": "automated mechanisms used to detect the presence of water near the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-15(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.6",
      "ao_id": "PES-07.6_A03",
      "objective": "the presence of water near the system can be detected automatically.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-15(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.6",
      "ao_id": "PES-07.6_A04",
      "objective": "organization-defined personnel or roles is/are alerted using organization-defined automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_PE-15(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.7",
      "ao_id": "PES-07.7_A01",
      "objective": "distance by which redundant power cabling paths are to be physically separated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-09(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-07.7",
      "ao_id": "PES-07.7_A02",
      "objective": "redundant power cabling paths that are physically separated by organization-defined distance are employed.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-09(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08",
      "ao_id": "PES-08_A01",
      "objective": "fire detection systems are employed.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08",
      "ao_id": "PES-08_A02",
      "objective": "employed fire detection systems are supported by an independent energy source.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08",
      "ao_id": "PES-08_A03",
      "objective": "employed fire detection systems are maintained.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08",
      "ao_id": "PES-08_A04",
      "objective": "fire suppression systems are employed.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08",
      "ao_id": "PES-08_A05",
      "objective": "employed fire suppression systems are supported by an independent energy source.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08",
      "ao_id": "PES-08_A06",
      "objective": "employed fire suppression systems are maintained.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.1",
      "ao_id": "PES-08.1_A01",
      "objective": "personnel or roles to be notified in the event of a fire is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-13(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "service provider building maintenance/physical security personnel",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.1",
      "ao_id": "PES-08.1_A02",
      "objective": "emergency responders to be notified in the event of a fire are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-13(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "service provider emergency responders with incident response responsibilities",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.1",
      "ao_id": "PES-08.1_A03",
      "objective": "fire detection systems that activate automatically are employed in the event of a fire.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.1",
      "ao_id": "PES-08.1_A04",
      "objective": "fire detection systems that notify organization-defined personnel or roles automatically are employed in the event of a fire.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13(01)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.1",
      "ao_id": "PES-08.1_A05",
      "objective": "fire detection systems that notify organization-defined emergency responders automatically are employed in the event of a fire.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13(01)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.2",
      "ao_id": "PES-08.2_A01",
      "objective": "fire suppression systems that notify organization-defined personnel or roles automatically are employed.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13(02)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.2",
      "ao_id": "PES-08.2_A02",
      "objective": "fire suppression systems that notify organization-defined emergency responders automatically are employed.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13(02)(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.2",
      "ao_id": "PES-08.2_A03",
      "objective": "personnel or roles to be notified in the event of a fire is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-13(02)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.2",
      "ao_id": "PES-08.2_A04",
      "objective": "emergency responders to be notified in the event of a fire are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-13(02)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.2",
      "ao_id": "PES-08.2_A05",
      "objective": "fire suppression systems that activate automatically are employed.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13(02)(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-08.3",
      "ao_id": "PES-08.3_A01",
      "objective": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-13(02)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-09",
      "ao_id": "PES-09_A01",
      "objective": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-14_ODP[01]\n53A_R5_PE-14_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-09",
      "ao_id": "PES-09_A02",
      "objective": "acceptable levels for environmental controls are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-14_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-09",
      "ao_id": "PES-09_A03",
      "objective": "frequency at which to monitor environmental control levels is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-14_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-09",
      "ao_id": "PES-09_A04",
      "objective": "environmental control levels are maintained at acceptable levels within the facility where the system resides.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-14a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-09",
      "ao_id": "PES-09_A05",
      "objective": "environmental control levels are monitored at the defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-14b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-09.1",
      "ao_id": "PES-09.1_A01",
      "objective": "personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-14(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-09.1",
      "ao_id": "PES-09.1_A02",
      "objective": "environmental control monitoring is employed.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-14(02)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-09.1",
      "ao_id": "PES-09.1_A03",
      "objective": "personnel or roles are notified when changes are potentially harmful to personnel or equipment.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-14(02)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-10",
      "ao_id": "PES-10_A01",
      "objective": "types of system components to be authorized and controlled when entering the facility are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-16_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-10",
      "ao_id": "PES-10_A02",
      "objective": "types of system components to be authorized and controlled when exiting the facility are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-16_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-10",
      "ao_id": "PES-10_A03",
      "objective": "types of system components are authorized and controlled when entering the facility.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-16a.[01]\n53A_R5_PE-16a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all information system components",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-10",
      "ao_id": "PES-10_A04",
      "objective": "types of system components are authorized and controlled when exiting the facility.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-16a.[03]\n53A_R5_PE-16a.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all information system components",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-10",
      "ao_id": "PES-10_A05",
      "objective": "records of the system components are maintained.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-16b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A01",
      "objective": "alternate work sites allowed for use by employees are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-17_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A02",
      "objective": "security requirements to be employed at alternate work sites are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-17_ODP[02]\n171A_R3_A.03.10.06.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A03",
      "objective": "alternate work sites allowed for use by employees are determined.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-17a.\n171A_R3_A.03.10.06.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A04",
      "objective": "organization-defined security requirements are employed at alternate work sites.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-17b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A05",
      "objective": "the effectiveness of controls at alternate work sites is assessed.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-17c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A06",
      "objective": "a means for employees to communicate with cybersecurity / data privacy personnel in case of incidents is provided.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-17d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A07",
      "objective": "safeguarding measures for sensitive / regulated data are defined for alternate work sites.",
      "pptdf": "Process",
      "origin": "171A_3.10.6[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A08",
      "objective": "safeguarding measures for sensitive / regulated data are enforced for alternate work sites.",
      "pptdf": "Data",
      "origin": "171A_3.10.6[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-11",
      "ao_id": "PES-11_A09",
      "objective": "the following security requirements are employed at alternate work sites: <A.03.10.06.ODP[01]: security requirements>.",
      "pptdf": "Facility",
      "origin": "171A_R3_A.03.10.06.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "adequate security, comparable to organizational security requirements at the primary work site where practical, documented in policy, and covered by training",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12",
      "ao_id": "PES-12_A01",
      "objective": "the location or site of the facility where the system resides is planned considering physical and environmental hazards.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12",
      "ao_id": "PES-12_A02",
      "objective": "for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12",
      "ao_id": "PES-12_A03",
      "objective": "physical and environmental hazards that could result in potential damage to system components within the facility are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-18_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12",
      "ao_id": "PES-12_A04",
      "objective": "system components are positioned within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-18",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12",
      "ao_id": "PES-12_A05",
      "objective": "managed interfaces to be protected against unauthorized physical connections are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(14)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12",
      "ao_id": "PES-12_A06",
      "objective": "managed interfaces are protected against unauthorized physical connections.",
      "pptdf": "Facility",
      "origin": "53A_R5_SC-07(14)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12.1",
      "ao_id": "PES-12.1_A01",
      "objective": "system distribution and transmission lines requiring physical access controls are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-04_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12.1",
      "ao_id": "PES-12.1_A02",
      "objective": "security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-04_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12.1",
      "ao_id": "PES-12.1_A03",
      "objective": "physical access to system distribution and transmission lines within organizational facilities is controlled.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-04\n171A_R3_A.03.10.08",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12.1",
      "ao_id": "PES-12.1_A04",
      "objective": "managed interfaces to be protected against unauthorized physical connections are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-07(14)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12.1",
      "ao_id": "PES-12.1_A05",
      "objective": "managed interfaces are protected against unauthorized physical connections.",
      "pptdf": "Facility",
      "origin": "53A_R5_SC-07(14)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12.2",
      "ao_id": "PES-12.2_A01",
      "objective": "output devices that require physical access control to output are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-05_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12.2",
      "ao_id": "PES-12.2_A02",
      "objective": "physical access to output devices is controlled to prevent unauthorized individuals from obtaining access to sensitive / regulated data.",
      "pptdf": "Technology",
      "origin": "53A_R5_PE-05",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-12.2",
      "ao_id": "PES-12.2_A03",
      "objective": "physical access to output devices is controlled to prevent unauthorized individuals from obtaining access to CUI.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.10.07.e",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-13",
      "ao_id": "PES-13_A01",
      "objective": "the system is protected from information leakage due to electromagnetic signal emanations.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-19",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-14",
      "ao_id": "PES-14_A01",
      "objective": "asset location technologies to be employed to track and monitor the location and movement of assets are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-20_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-14",
      "ao_id": "PES-14_A02",
      "objective": "assets whose location and movement are to be tracked and monitored are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-20_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-14",
      "ao_id": "PES-14_A03",
      "objective": "controlled areas within which asset location and movement are to be tracked and monitored are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-20_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-14",
      "ao_id": "PES-14_A04",
      "objective": "asset location technologies are employed to track and monitor the location and movement of assets within controlled areas.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-20",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-15",
      "ao_id": "PES-15_A01",
      "objective": "protective measures to be employed against electromagnetic pulse damage are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-21_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-15",
      "ao_id": "PES-15_A02",
      "objective": "system and system components requiring protection against electromagnetic pulse damage are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-21_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-15",
      "ao_id": "PES-15_A03",
      "objective": "protective measures are employed against electromagnetic pulse damage for system and system components.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-21",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-16",
      "ao_id": "PES-16_A01",
      "objective": "system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored or transmitted by the hardware component are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-22_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-16",
      "ao_id": "PES-16_A02",
      "objective": "system hardware components are marked indicating the impact level or classification level of the information permitted to be processed, stored or transmitted by the hardware component.",
      "pptdf": "Process",
      "origin": "53A_R5_PE-22",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-17",
      "ao_id": "PES-17_A01",
      "objective": "physical proximity to robotic or autonomous platforms is monitored to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-18",
      "ao_id": "PES-18_A01",
      "objective": "client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client workspaces.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-19",
      "ao_id": "PES-19_A01",
      "objective": "the organization's physical access devices (e.g., RFID cards, access fobs and door keys) are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PES-19",
      "ao_id": "PES-19_A02",
      "objective": "an accurate inventory of all physical access devices (e.g., RFID cards, access fobs and door keys) is established and maintained.",
      "pptdf": "Facility",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A01",
      "objective": "an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A02",
      "objective": "the privacy program plan includes a description of the structure of the privacy program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A03",
      "objective": "the privacy program plan includes a description of the resources dedicated to the privacy program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A04",
      "objective": "the privacy program plan provides an overview of the requirements for the privacy program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A05",
      "objective": "the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A06",
      "objective": "the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.02[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A07",
      "objective": "the privacy program plan includes the role of the senior organization official for privacy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A08",
      "objective": "the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A09",
      "objective": "the privacy program plan describes management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.04[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A10",
      "objective": "the privacy program plan describes compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.04[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A11",
      "objective": "the privacy program plan describes the strategic goals and objectives of the privacy program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.04[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A12",
      "objective": "the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.05",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A13",
      "objective": "the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including mission, functions, image and reputation), organizational assets, individuals, other organizations and the Nation.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.06",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A14",
      "objective": "the privacy program plan is disseminated.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A15",
      "objective": "the frequency of updates to the privacy program plan is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A16",
      "objective": "the privacy program plan is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A17",
      "objective": "the privacy program plan is updated to address changes in federal privacy laws and policies.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A18",
      "objective": "the privacy program plan is updated to address organizational changes.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A19",
      "objective": "the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-18b.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A20",
      "objective": "data privacy operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A21",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support data privacy operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A22",
      "objective": "responsibility and authority for the performance of data privacy-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01",
      "ao_id": "PRI-01_A23",
      "objective": "personnel performing data privacy-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.1",
      "ao_id": "PRI-01.1_A01",
      "objective": "a senior organization official for privacy with authority, mission, accountability and resources is appointed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-19[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.1",
      "ao_id": "PRI-01.1_A02",
      "objective": "the senior organization official for privacy coordinates applicable privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-19[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.1",
      "ao_id": "PRI-01.1_A03",
      "objective": "the senior organization official for privacy develops applicable privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-19[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.1",
      "ao_id": "PRI-01.1_A04",
      "objective": "the senior organization official for privacy implements applicable privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-19[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.1",
      "ao_id": "PRI-01.1_A05",
      "objective": "the senior organization official for privacy manages privacy risks through the organization-wide privacy program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-19[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.2",
      "ao_id": "PRI-01.2_A01",
      "objective": "Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records or Privacy Act statements are provided on separate forms that can be retained by individuals.",
      "pptdf": "Data",
      "origin": "53A_R5_PT-05(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.3",
      "ao_id": "PRI-01.3_A01",
      "objective": "a central resource webpage is maintained on the organization's principal public website.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-20[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.3",
      "ao_id": "PRI-01.3_A02",
      "objective": "the webpage serves as a central source of information about the organization's privacy program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-20[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.3",
      "ao_id": "PRI-01.3_A03",
      "objective": "the webpage ensures that the public has access to information about organizational privacy activities.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-20a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.3",
      "ao_id": "PRI-01.3_A04",
      "objective": "the webpage ensures that the public can communicate with its senior organization official for privacy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-20a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.3",
      "ao_id": "PRI-01.3_A05",
      "objective": "the webpage ensures that organizational privacy practices are publicly available.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-20b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.3",
      "ao_id": "PRI-01.3_A06",
      "objective": "the webpage ensures that organizational privacy reports are publicly available.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-20b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.3",
      "ao_id": "PRI-01.3_A07",
      "objective": "the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-20c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.4",
      "ao_id": "PRI-01.4_A01",
      "objective": "a Data Protection Officer (DPO) is appointed on the basis of professional qualities.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.4",
      "ao_id": "PRI-01.4_A02",
      "objective": "the role of the Data Protection Officer (DPO) is involved in all issues related to the protection of Personal Data (PD).",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.5",
      "ao_id": "PRI-01.5_A01",
      "objective": "Binding Corporate Rules (BCR) are used to legally-bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.6",
      "ao_id": "PRI-01.6_A01",
      "objective": "Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.7",
      "ao_id": "PRI-01.7_A01",
      "objective": "the disclosure of Personal Data (PD) is restricted to authorized parties for the sole purpose for which the PD was obtained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.8",
      "ao_id": "PRI-01.8_A01",
      "objective": "an individual, or role, is appointed to determine along the purpose and means of processing of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.8",
      "ao_id": "PRI-01.8_A02",
      "objective": "the purpose and means of processing of Personal Data (PD) are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.9",
      "ao_id": "PRI-01.9_A01",
      "objective": "the role and responsibilities associated with a Personal Data Process Manager are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.9",
      "ao_id": "PRI-01.9_A02",
      "objective": "accountability is assigned to the Personal Data Process Manager to ensure data is used according to the Data Subject's consent.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.10",
      "ao_id": "PRI-01.10_A01",
      "objective": "any financial incentives offered to data subjects for Personal Data (PD) are reviewed by a Data Protection Officer (DPO), or similar role, to ensure compliance with applicable legal and regulatory requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.11",
      "ao_id": "PRI-01.11_A01",
      "objective": "reasonable consumer expectations are defined for what is necessary and proportionate for collecting, receiving, processing, storage, transmission, sharing, updating and/or disposal of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.11",
      "ao_id": "PRI-01.11_A02",
      "objective": "organization-specific practices are defined to limit the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of Personal Data (PD) according to reasonable consumer expectations for what is necessary and proportionate.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-01.11",
      "ao_id": "PRI-01.11_A03",
      "objective": "the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of Personal Data (PD) is limited to reasonable consumer expectations for what is necessary and proportionate.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A01",
      "objective": "privacy notice(s) are developed and posted on all external-facing websites.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-20(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A02",
      "objective": "privacy notice(s) are developed and posted on all mobile applications.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-20(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A03",
      "objective": "privacy notice(s) are developed and posted on all other digital services.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-20(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A04",
      "objective": "the privacy notice(s) are written in plain language.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-20(01)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A05",
      "objective": "the privacy notice(s) are organized in a way that is easy to understand and navigate.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-20(01)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A06",
      "objective": "the privacy notice(s) provide the information needed by the public to make an informed decision about whether to interact with the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-20(01)(b)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A07",
      "objective": "the privacy notice(s) provide the information needed by the public to make an informed decision about how to interact with the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-20(01)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A08",
      "objective": "the privacy notice(s) are updated whenever the organization makes a substantive change to the practices it describes.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-20(01)(c)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A09",
      "objective": "the privacy notice(s) include a time/date stamp to inform the public of the date of the most recent changes.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-20(01)(c)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A10",
      "objective": "the frequency at which a notice is provided to individuals after initial interaction with an organization is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-05_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A11",
      "objective": "information to be included with the notice about the processing of Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-05_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A12",
      "objective": "a notice to individuals about the processing of Personal Data (PD) is provided such that the notice is available to individuals upon first interacting with an organization.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-05a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A13",
      "objective": "a notice to individuals about the processing of Personal Data (PD) is provided such that the notice is subsequently available to individuals at the organization-defined frequency.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-05a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A14",
      "objective": "a notice to individuals about the processing of Personal Data (PD) is provided that is clear, easy-to-understand and expresses information about Personal Data (PD) processing in plain language.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-05b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A15",
      "objective": "a notice to individuals about the processing of Personal Data (PD) that identifies the authority that authorizes the processing of Personal Data (PD) is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-05c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A16",
      "objective": "a notice to individuals about the processing of Personal Data (PD) that identifies the purpose for which Personal Data (PD) is to be processed is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-05d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02",
      "ao_id": "PRI-02_A17",
      "objective": "a notice to individuals about the processing of Personal Data (PD) which includes the organization-defined information is provided.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-05e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A01",
      "objective": "the purpose(s) for processing Personal Data (PD) is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A02",
      "objective": "the processing of Personal Data (PD) to be restricted is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A03",
      "objective": "mechanisms to be implemented for ensuring any changes in the processing of Personal Data (PD) are made in accordance with requirements are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A04",
      "objective": "requirements for changing the processing of Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A05",
      "objective": "the purpose(s) for processing Personal Data (PD) is/are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A06",
      "objective": "the purpose(s) is/are described in the public privacy notices of the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A07",
      "objective": "the purpose(s) is/are described in the policies of the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A08",
      "objective": "the processing of Personal Data (PD) is restricted to only that which is compatible with the identified purpose(s).",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A09",
      "objective": "changes in the processing of Personal Data (PD) are monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.1",
      "ao_id": "PRI-02.1_A10",
      "objective": "mechanisms are implemented to ensure that any changes are made in accordance with requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.2",
      "ao_id": "PRI-02.2_A01",
      "objective": "automated mechanisms used to manage enforcement of the authorized processing of Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.2",
      "ao_id": "PRI-02.2_A02",
      "objective": "enforcement of the authorized processing of Personal Data (PD) is managed using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-02(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.3",
      "ao_id": "PRI-02.3_A01",
      "objective": "approval to conduct the matching program is obtained from the data integrity board/function when a system or organization processes information for the purpose of conducting a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-08a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.3",
      "ao_id": "PRI-02.3_A02",
      "objective": "a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-08b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.3",
      "ao_id": "PRI-02.3_A03",
      "objective": "a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-08b.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.3",
      "ao_id": "PRI-02.3_A04",
      "objective": "a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-08c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.3",
      "ao_id": "PRI-02.3_A05",
      "objective": "the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-08d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.3",
      "ao_id": "PRI-02.3_A06",
      "objective": "individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-08e.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.3",
      "ao_id": "PRI-02.3_A07",
      "objective": "individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-08e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.4",
      "ao_id": "PRI-02.4_A01",
      "objective": "System of Records Notices (SORNs) are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.4",
      "ao_id": "PRI-02.4_A02",
      "objective": "new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.4",
      "ao_id": "PRI-02.4_A03",
      "objective": "System of Records Notices (SORNs) are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.4",
      "ao_id": "PRI-02.4_A04",
      "objective": "System of Records Notices (SORNs) are kept accurate, up-to-date and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.5",
      "ao_id": "PRI-02.5_A01",
      "objective": "the frequency at which to review all routine uses published in the System of Records Notice (SORN) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.5",
      "ao_id": "PRI-02.5_A02",
      "objective": "all routine uses published in the system of records notice are reviewed frequently to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.6",
      "ao_id": "PRI-02.6_A01",
      "objective": "the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.6",
      "ao_id": "PRI-02.6_A02",
      "objective": "all Privacy Act exemptions claimed for the system of records are reviewed frequently to ensure that they remain appropriate and necessary in accordance with law.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06(02)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.6",
      "ao_id": "PRI-02.6_A03",
      "objective": "all Privacy Act exemptions claimed for the system of records are reviewed frequently to ensure that they have been promulgated as regulations.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06(02)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.6",
      "ao_id": "PRI-02.6_A04",
      "objective": "all Privacy Act exemptions claimed for the system of records are reviewed frequently to ensure that they are accurately described in the system of records notice.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-06(02)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.7",
      "ao_id": "PRI-02.7_A01",
      "objective": "real-time and/or layered notices are generated to provide data subjects with a summary of key points or more detailed information that is specific to the organization's privacy notice.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.8",
      "ao_id": "PRI-02.8_A01",
      "objective": "the cadence to periodically assess disclosed purposes for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.8",
      "ao_id": "PRI-02.8_A02",
      "objective": "reasonable consumer expectations for disclosed purposes for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.8",
      "ao_id": "PRI-02.8_A03",
      "objective": "disclosed purposes for which Personal Data (PD) is collected, received, processed, stored, transmitted and/or shared are periodically assessed to ensure compatibility with reasonable consumer expectations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.9",
      "ao_id": "PRI-02.9_A01",
      "objective": "reasonable methods to accommodate data privacy notice formatting for consumers requiring alternative formatting due to accessibility needs are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.9",
      "ao_id": "PRI-02.9_A02",
      "objective": "reasonable methods to accommodate data privacy notice formatting for consumers requiring alternative formatting due to accessibility needs are implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.10",
      "ao_id": "PRI-02.10_A01",
      "objective": "methods to implement symmetry in choice are identified, where options presented to consumers for more protective options are not longer, more difficult, nor more time-consuming than less protective options.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.10",
      "ao_id": "PRI-02.10_A02",
      "objective": "symmetry in choice is implemented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.11",
      "ao_id": "PRI-02.11_A01",
      "objective": "choice architecture that enables data subjects to make well-informed choices is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.11",
      "ao_id": "PRI-02.11_A02",
      "objective": "choice architecture that supports data subjects' ability to make well-informed choices is implemented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.12",
      "ao_id": "PRI-02.12_A01",
      "objective": "methods to perform testing of choice architecture to ensure it does not undermine a consumer’s ability to submit choice selections are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.12",
      "ao_id": "PRI-02.12_A02",
      "objective": "testing of choice architecture is performed to ensure it does not undermine a consumer’s ability to submit choice selections.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.13",
      "ao_id": "PRI-02.13_A01",
      "objective": "data privacy notices alert data subjects to their right to limit the use and disclosure of their sensitive Personal Data (sPD).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.13",
      "ao_id": "PRI-02.13_A02",
      "objective": "data privacy notices alert data subjects to methods available to exercise that right to limit the use and disclosure of their sensitive Personal Data (sPD).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.14",
      "ao_id": "PRI-02.14_A01",
      "objective": "alternative methods to deliver a data privacy notice are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.14",
      "ao_id": "PRI-02.14_A02",
      "objective": "alternative methods to deliver a data privacy notice are implemented.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-02.14",
      "ao_id": "PRI-02.14_A03",
      "objective": "data subjects are provided with a data privacy notice through alternative means for interactions that do not utilize an interface on a website or application.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03",
      "ao_id": "PRI-03_A01",
      "objective": "the tools or mechanisms to be implemented for individuals to consent to the processing of their Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-04_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03",
      "ao_id": "PRI-03_A02",
      "objective": "tools or mechanisms are implemented for individuals to consent to the processing of their Personal Data (PD) prior to its collection that facilitate individuals’ informed decision-making.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-04",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.1",
      "ao_id": "PRI-03.1_A01",
      "objective": "tailoring mechanisms for processing selected elements of Personal Data (PD) permissions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-04(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.1",
      "ao_id": "PRI-03.1_A02",
      "objective": "mechanisms are provided to allow individuals to tailor processing permissions to selected elements of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PT-04(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.2",
      "ao_id": "PRI-03.2_A01",
      "objective": "consent mechanisms to be presented to individuals are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-04(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.2",
      "ao_id": "PRI-03.2_A02",
      "objective": "the frequency at which to present consent mechanisms to individuals is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-04(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.2",
      "ao_id": "PRI-03.2_A03",
      "objective": "Personal Data (PD) processing to be presented in conjunction with organization-defined consent mechanisms is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-04(02)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.2",
      "ao_id": "PRI-03.2_A04",
      "objective": "consent mechanisms are presented to individuals frequently and in conjunction with Personal Data (PD) processing.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-04(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.3",
      "ao_id": "PRI-03.3_A01",
      "objective": "Personal Data (PD) identified as \"do not sell\" by the data subject is identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.3",
      "ao_id": "PRI-03.3_A02",
      "objective": "the sale of Personal Data (PD) identified as \"do not sell\" is prevented anywhere the PD is stored and/or processed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.4",
      "ao_id": "PRI-03.4_A01",
      "objective": "the tools or mechanisms to be implemented for revoking consent to the processing of Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-04(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.4",
      "ao_id": "PRI-03.4_A02",
      "objective": "the tools or mechanisms are implemented for individuals to revoke consent to the processing of their Personal Data (PD).",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-04(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.5",
      "ao_id": "PRI-03.5_A01",
      "objective": "processes exist to prevent the refusal of products and/or services on the grounds that a data subject does not agree to the processing of Personal Data (PD) or withdraws consent.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.6",
      "ao_id": "PRI-03.6_A01",
      "objective": "data subjects are empowered to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.7",
      "ao_id": "PRI-03.7_A01",
      "objective": "data subjects are compelled to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.8",
      "ao_id": "PRI-03.8_A01",
      "objective": "consumer-facing technologies are configured to empower data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.9",
      "ao_id": "PRI-03.9_A01",
      "objective": "a process exists to notify affected the Personal Data Process Manager, or similar role, when a data subject withdraws consent.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.9",
      "ao_id": "PRI-03.9_A02",
      "objective": "a process exists to cease processing Personal Data (PD), once notification of consent revocation is received.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.10",
      "ao_id": "PRI-03.10_A01",
      "objective": "a process to decouple Personal Data (PD) from business processes in a timely manner is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.10",
      "ao_id": "PRI-03.10_A02",
      "objective": "upon consent revocation by the data subject, processes decouple Personal Data (PD) from business processes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.11",
      "ao_id": "PRI-03.11_A01",
      "objective": "a process exists to contact data subjects.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.11",
      "ao_id": "PRI-03.11_A02",
      "objective": "a process exists to notify affected data subjects of processing changes affecting their Personal Data (PD), including:\n (1) Erasure of PD;\n (2) Remediation of incorrect PD; and/or\n (3) Processing restrictions affecting their PD.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.12",
      "ao_id": "PRI-03.12_A01",
      "objective": "consent is obtained from data subject for collecting Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.12",
      "ao_id": "PRI-03.12_A02",
      "objective": "consent is obtained from data subject for receiving Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.12",
      "ao_id": "PRI-03.12_A03",
      "objective": "consent is obtained from data subject for processing Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.12",
      "ao_id": "PRI-03.12_A04",
      "objective": "consent is obtained from data subject for storing Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.12",
      "ao_id": "PRI-03.12_A05",
      "objective": "consent is obtained from data subject for transmitting Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.12",
      "ao_id": "PRI-03.12_A06",
      "objective": "consent is obtained from data subject for sharing Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.12",
      "ao_id": "PRI-03.12_A07",
      "objective": "consent is obtained from data subject for updating Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.13",
      "ao_id": "PRI-03.13_A01",
      "objective": "processes that may involve minors are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.13",
      "ao_id": "PRI-03.13_A02",
      "objective": "reasonable consumer expectations to obtain parental or guardian consent for Personal Data (PD) processing actions when the data subject is a minor are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-03.13",
      "ao_id": "PRI-03.13_A03",
      "objective": "parental or guardian consent for Personal Data (PD) processing actions through reasonable consumer expectations, when the data subject is a minor, is obtained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04",
      "ao_id": "PRI-04_A01",
      "objective": "the type of processing of Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04",
      "ao_id": "PRI-04_A02",
      "objective": "the type of processing of Personal Data (PD) to be restricted is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.1",
      "ao_id": "PRI-04.1_A01",
      "objective": "the authority to permit the processing of Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.1",
      "ao_id": "PRI-04.1_A02",
      "objective": "the authority that permits the processing of Personal Data (PD) is determined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.1",
      "ao_id": "PRI-04.1_A03",
      "objective": "the processing of Personal Data (PD) is restricted to only that which is authorized.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.2",
      "ao_id": "PRI-04.2_A01",
      "objective": "processes exist to ensure that whenever possible, Personal Data (PD) is directly collected from the data subject.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.3",
      "ao_id": "PRI-04.3_A01",
      "objective": "the business case(s) is defined for the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.3",
      "ao_id": "PRI-04.3_A02",
      "objective": "the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals is restricted to legitimate business needs.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.4",
      "ao_id": "PRI-04.4_A01",
      "objective": "data subjects are promptly informed of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.5",
      "ao_id": "PRI-04.5_A01",
      "objective": "data subjects, or authorized representatives, are prompted to validate Personal Data (PD) during the collection process.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.6",
      "ao_id": "PRI-04.6_A01",
      "objective": "data subjects, or authorized representatives, are prompted to re-validate that Personal Data (PD) acquired during the collection process is still accurate.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.7",
      "ao_id": "PRI-04.7_A01",
      "objective": "Personal Data (PD) collection methods are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-04.7",
      "ao_id": "PRI-04.7_A02",
      "objective": "a process exists to ensure that Personal Data (PD) collection methods are:\n (1) Appropriate for the circumstances of the data subject;\n (2) Unambiguous; and\n (3) Secure.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A01",
      "objective": "techniques used to dispose of information following the retention period are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A02",
      "objective": "techniques used to destroy information following the retention period are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A03",
      "objective": "techniques used to erase information following the retention period are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(03)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A04",
      "objective": "organization-defined techniques are used to dispose of information following the retention period.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A05",
      "objective": "organization-defined techniques are used to destroy information following the retention period.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A06",
      "objective": "organization-defined techniques are used to erase information following the retention period.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(03)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A07",
      "objective": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-12[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A08",
      "objective": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-12[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A09",
      "objective": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-12[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05",
      "ao_id": "PRI-05_A10",
      "objective": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-12[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A01",
      "objective": "elements of Personal Data (PD) being processed in the information life cycle are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A02",
      "objective": "techniques used to minimize the use of Personal Data (PD) for research, testing and training are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(02)_ODP[01]\n53A_R5_SI-12(02)_ODP[02]\n53A_R5_SI-12(02)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A03",
      "objective": "organization-defined techniques are used to minimize the use of Personal Data (PD) for research, testing and training.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(02)[01]\n53A_R5_SI-12(02)[02]\n53A_R5_SI-12(02)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A04",
      "objective": "Personal Data (PD) being processed in the information life cycle is limited to organization-defined elements of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_SI-12(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A05",
      "objective": "the frequency for reviewing policies that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A06",
      "objective": "the frequency for updating policies that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A07",
      "objective": "the frequency for reviewing procedures that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A08",
      "objective": "the frequency for updating procedures that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A09",
      "objective": "policies that address the use of Personal Data (PD) for internal research, testing and training are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[01]\n53A_R5_PM-25a.[02]\n53A_R5_PM-25a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A10",
      "objective": "procedures that address the use of Personal Data (PD) for internal research, testing and training are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[04]\n53A_R5_PM-25a.[05]\n53A_R5_PM-25a.[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A11",
      "objective": "policies that address the use of Personal Data (PD) for internal research, testing and training are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[07]\n53A_R5_PM-25a.[08]\n53A_R5_PM-25a.[09]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A12",
      "objective": "procedures that address the use of Personal Data (PD) for internal research, testing and training are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[10]\n53A_R5_PM-25a.[11]\n53A_R5_PM-25a.[12]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A13",
      "objective": "the amount of Personal Data (PD) used for internal research, testing and training purposes is limited or minimized.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25b.[01]\n53A_R5_PM-25b.[02]\n53A_R5_PM-25b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A14",
      "objective": "the required use of Personal Data (PD) for internal research, testing and training is authorized.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25c.[01]\n53A_R5_PM-25c.[02]\n53A_R5_PM-25c.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A15",
      "objective": "policies are reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A16",
      "objective": "policies are updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A17",
      "objective": "procedures are reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A18",
      "objective": "procedures are updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A19",
      "objective": "the authority to permit the processing of Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A20",
      "objective": "the type of processing of Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A21",
      "objective": "the type of processing of Personal Data (PD) to be restricted is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A22",
      "objective": "the authority that permits the processing of Personal Data (PD) is determined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A23",
      "objective": "the processing of Personal Data (PD) is restricted to only that which is authorized.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A24",
      "objective": "the purpose(s) for processing Personal Data (PD) is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A25",
      "objective": "the processing of Personal Data (PD) to be restricted is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A26",
      "objective": "mechanisms to be implemented for ensuring any changes in the processing of Personal Data (PD) are made in accordance with requirements are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A27",
      "objective": "requirements for changing the processing of Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A28",
      "objective": "the purpose(s) for processing Personal Data (PD) is/are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A29",
      "objective": "the purpose(s) is/are described in the public privacy notices of the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A30",
      "objective": "the purpose(s) is/are described in the policies of the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A31",
      "objective": "the processing of Personal Data (PD) is restricted to only that which is compatible with the identified purpose(s).",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A32",
      "objective": "changes in the processing of Personal Data (PD) are monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.1",
      "ao_id": "PRI-05.1_A33",
      "objective": "mechanisms are implemented to ensure that any changes are made in accordance with requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.2",
      "ao_id": "PRI-05.2_A01",
      "objective": "a data integrity board/function is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.2",
      "ao_id": "PRI-05.2_A02",
      "objective": "the data integrity board/function reviews proposals to conduct or participate in a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.2",
      "ao_id": "PRI-05.2_A03",
      "objective": "the data integrity board/function conducts an annual review of all matching programs in which the agency has participated.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.3",
      "ao_id": "PRI-05.3_A01",
      "objective": "direct identifiers in a dataset are removed, masked, encrypted, hashed or replaced.",
      "pptdf": "Data",
      "origin": "53A_R5_SI-19(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A01",
      "objective": "the authority to permit the processing of Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A02",
      "objective": "the type of processing of Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A03",
      "objective": "the type of processing of Personal Data (PD) to be restricted is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A04",
      "objective": "the authority that permits the processing of Personal Data (PD) is determined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A05",
      "objective": "the processing of Personal Data (PD) is restricted to only that which is authorized.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-02b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A06",
      "objective": "processing conditions to be applied for specific categories of Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A07",
      "objective": "processing conditions are applied for specific categories of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A08",
      "objective": "data mining prevention and detection techniques are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-23_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A09",
      "objective": "data storage objects to be protected against unauthorized data mining are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-23_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A10",
      "objective": "organization-defined techniques are employed for organization-defined data storage objects to detect and protect against unauthorized data mining.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-23",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A11",
      "objective": "the frequency for reviewing policies that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A12",
      "objective": "the frequency for updating policies that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A13",
      "objective": "the frequency for reviewing procedures that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A14",
      "objective": "the frequency for updating procedures that address the use of Personal Data (PD) for internal testing, training and research is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A15",
      "objective": "policies that address the use of Personal Data (PD) for internal testing are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A16",
      "objective": "policies that address the use of Personal Data (PD) for internal training are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A17",
      "objective": "policies that address the use of Personal Data (PD) for internal research are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A18",
      "objective": "procedures that address the use of Personal Data (PD) for internal testing are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A19",
      "objective": "procedures that address the use of Personal Data (PD) for internal training are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A20",
      "objective": "procedures that address the use of Personal Data (PD) for internal research are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A21",
      "objective": "policies that address the use of Personal Data (PD) for internal testing are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A22",
      "objective": "policies that address the use of Personal Data (PD) for training are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A23",
      "objective": "policies that address the use of Personal Data (PD) for research are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[09]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A24",
      "objective": "procedures that address the use of Personal Data (PD) for internal testing are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[10]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A25",
      "objective": "procedures that address the use of Personal Data (PD) for training are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[11]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A26",
      "objective": "procedures that address the use of Personal Data (PD) for research are implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25a.[12]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A27",
      "objective": "the amount of Personal Data (PD) used for internal testing purposes is limited or minimized.",
      "pptdf": "Data",
      "origin": "53A_R5_PM-25b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A28",
      "objective": "the amount of Personal Data (PD) used for internal training purposes is limited or minimized.",
      "pptdf": "Data",
      "origin": "53A_R5_PM-25b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A29",
      "objective": "the amount of Personal Data (PD) used for internal research purposes is limited or minimized.",
      "pptdf": "Data",
      "origin": "53A_R5_PM-25b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A30",
      "objective": "the required use of Personal Data (PD) for internal testing is authorized.",
      "pptdf": "Data",
      "origin": "53A_R5_PM-25c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A31",
      "objective": "the required use of Personal Data (PD) for internal training is authorized.",
      "pptdf": "Data",
      "origin": "53A_R5_PM-25c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A32",
      "objective": "the required use of Personal Data (PD) for internal research is authorized.",
      "pptdf": "Data",
      "origin": "53A_R5_PM-25c.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A33",
      "objective": "policies are reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A34",
      "objective": "policies are updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A35",
      "objective": "procedures are reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.4",
      "ao_id": "PRI-05.4_A36",
      "objective": "procedures are updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-25d.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.5",
      "ao_id": "PRI-05.5_A01",
      "objective": "the frequency at which to update the inventory of systems, applications and projects that process Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-05(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.5",
      "ao_id": "PRI-05.5_A02",
      "objective": "an inventory of all systems, applications and projects that process Personal Data (PD) is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-05(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.5",
      "ao_id": "PRI-05.5_A03",
      "objective": "an inventory of all systems, applications and projects that process Personal Data (PD) is maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-05(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.5",
      "ao_id": "PRI-05.5_A04",
      "objective": "an inventory of all systems, applications and projects that process Personal Data (PD) is updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-05(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.6",
      "ao_id": "PRI-05.6_A01",
      "objective": "automated mechanisms are implemented to inventory Personal Data (PD) across the organization.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A01",
      "objective": "processing conditions to be applied for specific categories of Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A02",
      "objective": "processing conditions are applied for specific categories of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A03",
      "objective": "when a system processes Social Security numbers, the unnecessary collection, maintenance and use of Social Security numbers are eliminated.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07(01)(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A04",
      "objective": "when a system processes Social Security numbers, alternatives to the use of Social Security numbers as a personal identifier are explored.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07(01)(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A05",
      "objective": "when a system processes Social Security numbers, individual rights, benefits or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A06",
      "objective": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited and what uses will be made of it.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07(01)(c)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A07",
      "objective": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07(01)(c)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A08",
      "objective": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07(01)(c)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.7",
      "ao_id": "PRI-05.7_A09",
      "objective": "the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-07(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.8",
      "ao_id": "PRI-05.8_A01",
      "objective": "a data retention schedule, or similar process, dictates the maximum timeline necessary to maintain Personal Data (PD), based on purposes for which the PD are processed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.8",
      "ao_id": "PRI-05.8_A02",
      "objective": "processes are defined to implement the data retention schedule for Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-05.8",
      "ao_id": "PRI-05.8_A03",
      "objective": "processes remove Personal Data (PD) which permits the identification of data subjects once it is no longer necessary for the purposes for which the PD are processed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06",
      "ao_id": "PRI-06_A01",
      "objective": "mechanisms enabling individuals to have access to elements of their Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(14)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06",
      "ao_id": "PRI-06_A02",
      "objective": "elements of Personal Data (PD) to which individuals have access are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(14)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06",
      "ao_id": "PRI-06_A03",
      "objective": "organization-defined mechanisms are provided to enable individuals to have access to organization-defined elements of their Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_AC-03(14)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.1",
      "ao_id": "PRI-06.1_A01",
      "objective": "recipients of Personal Data (PD) to be notified when the Personal Data (PD) has been corrected or deleted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.1",
      "ao_id": "PRI-06.1_A02",
      "objective": "recipients and individuals are notified when the Personal Data (PD) has been corrected or deleted.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.2",
      "ao_id": "PRI-06.2_A01",
      "objective": "recipients of Personal Data (PD) to be notified when the Personal Data (PD) has been corrected or deleted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.2",
      "ao_id": "PRI-06.2_A02",
      "objective": "recipients and individuals are notified when the Personal Data (PD) has been corrected or deleted.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-18(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A01",
      "objective": "a process for receiving & acknowledging complaints, concerns or questions from individuals about organizational cybersecurity / data privacy practices is implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A02",
      "objective": "a process for responding to complaints, concerns or questions from individuals about organizational cybersecurity / data privacy practices is implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A03",
      "objective": "the time period in which complaints (including concerns or questions) from individuals are to be reviewed and acknowledged is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26_ODP[01]\n53A_R5_PM-26_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A04",
      "objective": "the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26_ODP[02]\n53A_R5_PM-26_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A05",
      "objective": "the complaint management process includes mechanisms that are easy to use by the public.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A06",
      "objective": "the complaint management process includes mechanisms that are readily accessible by the public.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A07",
      "objective": "the complaint management process includes all information necessary for successfully filing complaints.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A08",
      "objective": "the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A09",
      "objective": "the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A10",
      "objective": "the complaint management process includes acknowledging the receipt of complaints, concerns or questions from individuals within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.3",
      "ao_id": "PRI-06.3_A11",
      "objective": "the complaint management process includes responding to complaints, concerns or questions from individuals within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A01",
      "objective": "the time period in which complaints (including concerns or questions) from individuals are to be reviewed and acknowledged is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A02",
      "objective": "the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A03",
      "objective": "the time period for acknowledging the receipt of complaints is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A04",
      "objective": "the time period for responding to complaints is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A05",
      "objective": "a process for receiving & acknowledging complaints, concerns or questions from individuals about organizational cybersecurity / data privacy practices is implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A06",
      "objective": "a process for responding to complaints, concerns or questions from individuals about organizational cybersecurity / data privacy practices is implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A07",
      "objective": "the complaint management process includes mechanisms that are easy to use by the public.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A08",
      "objective": "the complaint management process includes mechanisms that are readily accessible by the public.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A09",
      "objective": "the complaint management process includes all information necessary for successfully filing complaints.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A10",
      "objective": "the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A11",
      "objective": "the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A12",
      "objective": "the complaint management process includes acknowledging the receipt of complaints, concerns or questions from individuals within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.4",
      "ao_id": "PRI-06.4_A13",
      "objective": "the complaint management process includes responding to complaints, concerns or questions from individuals within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-26e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.5",
      "ao_id": "PRI-06.5_A01",
      "objective": "administrative processes exist to intake data subject requests to erase Personal Data (PD) erase Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.5",
      "ao_id": "PRI-06.5_A02",
      "objective": "technical processes exist to securely erase Personal Data (PD) without delay, once a legitimate data subject request for erasure is received.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.6",
      "ao_id": "PRI-06.6_A01",
      "objective": "export Personal Data (PD) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.7",
      "ao_id": "PRI-06.7_A01",
      "objective": "Personal Data (PD) is capable of being digitally exported in a secure manner upon request by the data subject.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.8",
      "ao_id": "PRI-06.8_A01",
      "objective": "reasonable consumer expectations to verify a data subject's identity, prior to taking action to disclose, share, correct, amend and/or delete Personal Data (PD), are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-06.8",
      "ao_id": "PRI-06.8_A02",
      "objective": "reasonable consumer expectations are utilized to verify a data subject's identity, prior to taking action to disclose, share, correct, amend and/or delete Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07",
      "ao_id": "PRI-07_A01",
      "objective": "information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-21_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07",
      "ao_id": "PRI-07_A02",
      "objective": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for information-sharing circumstances.",
      "pptdf": "People",
      "origin": "53A_R5_AC-21a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07",
      "ao_id": "PRI-07_A03",
      "objective": "automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-21_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07",
      "ao_id": "PRI-07_A04",
      "objective": "automated mechanisms are employed to assist users in making information-sharing and collaboration decisions.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-21b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07.1",
      "ao_id": "PRI-07.1_A01",
      "objective": "includes privacy requirements in contracts and other acquisition-related documents that establish privacy roles and responsibilities for contractors and service providers.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07.2",
      "ao_id": "PRI-07.2_A01",
      "objective": "clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07.3",
      "ao_id": "PRI-07.3_A01",
      "objective": "inform applicable third-parties of any modification, deletion or other change that affects shared Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07.4",
      "ao_id": "PRI-07.4_A01",
      "objective": "reject unauthorized disclosure requests.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07.5",
      "ao_id": "PRI-07.5_A01",
      "objective": "criteria to define what constitutes \"repetitious or harassing\" requests for access from data subjects is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07.5",
      "ao_id": "PRI-07.5_A02",
      "objective": "a process exists to document data subject requests.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07.5",
      "ao_id": "PRI-07.5_A03",
      "objective": "data subject requests for access are analyzed for legitimacy.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-07.5",
      "ao_id": "PRI-07.5_A04",
      "objective": "a process exists to reject repetitious, or harassing, requests for access from data subjects.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A01",
      "objective": "a process is implemented for ensuring that organizational plans for conducting cybersecurity / data privacy testing, training and monitoring activities associated with organizational systems are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14a.01[01]\n53A_R5_PM-14a.01[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A02",
      "objective": "a process is implemented for ensuring that organizational plans for conducting cybersecurity / data privacy testing, training and monitoring activities associated with organizational systems are maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14a.01[02]\n53A_R5_PM-14a.01[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A03",
      "objective": "a process is implemented for ensuring that organizational plans for conducting cybersecurity / data privacy testing, training and monitoring activities associated with organizational systems continue to be executed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14a.02[01]\n53A_R5_PM-14a.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A04",
      "objective": "testing plans are reviewed for consistency with the organizational risk management strategy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A05",
      "objective": "training plans are reviewed for consistency with the organizational risk management strategy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A06",
      "objective": "monitoring plans are reviewed for consistency with the organizational risk management strategy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A07",
      "objective": "testing plans are reviewed for consistency with organization-wide priorities for risk response actions.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14b.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A08",
      "objective": "training plans are reviewed for consistency with organization-wide priorities for risk response actions.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14b.[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-08",
      "ao_id": "PRI-08_A09",
      "objective": "monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-14b.[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-09",
      "ao_id": "PRI-09_A01",
      "objective": "records of data disclosures and sharing are maintained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-09",
      "ao_id": "PRI-09_A02",
      "objective": "records of data disclosures and sharing can be accessed for review or transmission/disclosure.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-09",
      "ao_id": "PRI-09_A03",
      "objective": "records of data provenance and lineage are maintained",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-09",
      "ao_id": "PRI-09_A04",
      "objective": "records of data provenance and lineage can be accessed for review or transmission/disclosure.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A01",
      "objective": "the responsibilities of the organization's data governance body are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A02",
      "objective": "a data governance body is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A03",
      "objective": "the organization's data governance body consisting of roles with responsibilities is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A04",
      "objective": "the data integrity board/function reviews proposals to conduct or participate in a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A05",
      "objective": "the data integrity board/function conducts an annual review of all matching programs in which the agency has participated.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A06",
      "objective": "organization-wide policies for Personal Data (PD) quality management are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A07",
      "objective": "organization-wide procedures for Personal Data (PD) quality management are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A08",
      "objective": "the policies address reviewing the accuracy of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A09",
      "objective": "the policies address reviewing the relevance of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A10",
      "objective": "the policies address reviewing the timeliness of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A11",
      "objective": "the policies address reviewing the completeness of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A12",
      "objective": "the procedures address reviewing the accuracy of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A13",
      "objective": "the procedures address reviewing the relevance of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A14",
      "objective": "the procedures address reviewing the timeliness of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A15",
      "objective": "the procedures address reviewing the completeness of Personal Data (PD) across the information life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22a.[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A16",
      "objective": "the policies address correcting or deleting inaccurate or outdated Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A17",
      "objective": "the procedures address correcting or deleting inaccurate or outdated Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A18",
      "objective": "the policies address disseminating notice of corrected or deleted Personal Data (PD) to individuals or other appropriate entities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A19",
      "objective": "the procedures address disseminating notice of corrected or deleted Personal Data (PD) to individuals or other appropriate entities.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A20",
      "objective": "the policies address appeals of adverse decisions on correction or deletion requests.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A21",
      "objective": "the procedures address appeals of adverse decisions on correction or deletion requests.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-22d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10",
      "ao_id": "PRI-10_A22",
      "objective": "the roles of the organization's data governance body are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10.1",
      "ao_id": "PRI-10.1_A01",
      "objective": "automated mechanisms for tracking the processing purposes of Personal Data (PD) are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10.1",
      "ao_id": "PRI-10.1_A02",
      "objective": "the processing purposes of Personal Data (PD) are tracked using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-03(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10.2",
      "ao_id": "PRI-10.2_A01",
      "objective": "potential data analytics biases are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-10.2",
      "ao_id": "PRI-10.2_A02",
      "objective": "the organization evaluates its analytical processes for potential data analytics bias.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-11",
      "ao_id": "PRI-11_A01",
      "objective": "processing purposes to be contained in data tags are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-11",
      "ao_id": "PRI-11_A02",
      "objective": "elements of Personal Data (PD) to be tagged are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PT-03(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-11",
      "ao_id": "PRI-11_A03",
      "objective": "data tags containing processing purposes are attached to elements of Personal Data (PD).",
      "pptdf": "Technology",
      "origin": "53A_R5_PT-03(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-12",
      "ao_id": "PRI-12_A01",
      "objective": "processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-12",
      "ao_id": "PRI-12_A02",
      "objective": "processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur are implemented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-12.1",
      "ao_id": "PRI-12.1_A01",
      "objective": "the capability, or processes, to enable data subjects to update their Personal Data (PD) is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-12.1",
      "ao_id": "PRI-12.1_A02",
      "objective": "upon a validated request, data subjects are enabled to update their Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-13",
      "ao_id": "PRI-13_A01",
      "objective": "a data integrity board/function is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-13",
      "ao_id": "PRI-13_A02",
      "objective": "the data integrity board/function reviews proposals to conduct or participate in a matching program.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-13",
      "ao_id": "PRI-13_A03",
      "objective": "the data integrity board/function conducts an annual review of all matching programs in which the agency has participated.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-24b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-13",
      "ao_id": "PRI-13_A04",
      "objective": "the roles of the organization's data governance body are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-13",
      "ao_id": "PRI-13_A05",
      "objective": "the responsibilities of the organization's data governance body are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-13",
      "ao_id": "PRI-13_A06",
      "objective": "the organization's data governance body consisting of roles with responsibilities is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-23",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A01",
      "objective": "privacy reports are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A02",
      "objective": "privacy oversight bodies are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A03",
      "objective": "officials responsible for monitoring privacy program compliance are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A04",
      "objective": "the frequency for reviewing and updating privacy reports is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A05",
      "objective": "privacy reports are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A06",
      "objective": "privacy reports are disseminated to oversight bodies to demonstrate accountability with statutory, regulatory and policy privacy mandates.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27a.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A07",
      "objective": "privacy reports are disseminated to officials.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27a.02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A08",
      "objective": "privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27a.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14",
      "ao_id": "PRI-14_A09",
      "objective": "privacy reports are reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-27b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.1",
      "ao_id": "PRI-14.1_A01",
      "objective": "an accurate accounting of disclosures of Personal Data (PD) is developed and maintained.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-21a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.1",
      "ao_id": "PRI-14.1_A02",
      "objective": "the accounting includes the date of each disclosure.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-21a.01[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.1",
      "ao_id": "PRI-14.1_A03",
      "objective": "the accounting includes the nature of each disclosure.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-21a.01[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.1",
      "ao_id": "PRI-14.1_A04",
      "objective": "the accounting includes the purpose of each disclosure.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-21a.01[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.1",
      "ao_id": "PRI-14.1_A05",
      "objective": "the accounting includes the name of the individual or organization to whom the disclosure was made.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-21a.02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.1",
      "ao_id": "PRI-14.1_A06",
      "objective": "the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-21a.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.1",
      "ao_id": "PRI-14.1_A07",
      "objective": "the accounting of disclosures is retained for the length of time that the Personal Data (PD) is maintained or five years after the disclosure is made, whichever is longer.",
      "pptdf": "Data",
      "origin": "53A_R5_PM-21b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.1",
      "ao_id": "PRI-14.1_A08",
      "objective": "the accounting of disclosures is made available to the individual to whom the Personal Data (PD) relates upon request.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-21c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-14.2",
      "ao_id": "PRI-14.2_A01",
      "objective": "data subjects are provided notice of applicable legal requests to disclose their Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-15",
      "ao_id": "PRI-15_A01",
      "objective": "a list of Data Authorities that require database registration is created and maintained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-15",
      "ao_id": "PRI-15_A02",
      "objective": "as required by a law or regulation, databases containing Personal Data (PD) are registered with the appropriate Data Authority.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-16",
      "ao_id": "PRI-16_A01",
      "objective": "executive leadership, along with legal counsel, formally identifies risks associated with non-compliance (e.g., fines, operational impacts, etc.).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-16",
      "ao_id": "PRI-16_A02",
      "objective": "executive leadership, along with legal counsel, formally identifies primary risks associated with compliance (e.g., loss of confidentiality and/or integrity considerations with data governance).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-16",
      "ao_id": "PRI-16_A03",
      "objective": "executive leadership, along with legal counsel, formally identifies secondary risks associated with compliance (e.g., non-compliance with other laws, regulations and contractual agreements).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-16",
      "ao_id": "PRI-16_A04",
      "objective": "executive leadership, along with legal counsel, formally identifies tertiary risks associated with compliance (e.g., human rights abuses, theft of intellectual property, espionage, etc.).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17",
      "ao_id": "PRI-17_A01",
      "objective": "disclosures and communications to data subjects are made easily accessible.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17",
      "ao_id": "PRI-17_A02",
      "objective": "disclosures and communications to data subjects are written in a manner that is concise, unambiguous and understandable by a reasonable person.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.1",
      "ao_id": "PRI-17.1_A01",
      "objective": "a conspicuous link to the organization's privacy notice exists on all consumer-facing websites.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.1",
      "ao_id": "PRI-17.1_A02",
      "objective": "a conspicuous link to the organization's privacy notice exists on all consumer-facing mobile applications.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.2",
      "ao_id": "PRI-17.2_A01",
      "objective": "data subjects are provided with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.3",
      "ao_id": "PRI-17.3_A01",
      "objective": "the timeline to maintain records of data subject requests and responses, in adherence to applicable statutory, regulatory and/or contractual obligations, is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.3",
      "ao_id": "PRI-17.3_A02",
      "objective": "records of data subject requests and responses are retained in accordance with an established documentation retention schedule that adheres to applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Data",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.4",
      "ao_id": "PRI-17.4_A01",
      "objective": "metrics associated with data subject requests and responses are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.4",
      "ao_id": "PRI-17.4_A02",
      "objective": "metrics associated with data subject requests and responses are collected.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.5",
      "ao_id": "PRI-17.5_A01",
      "objective": "applicable statutory and/or regulatory obligations to publicly disclose data subject communications metrics are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-17.5",
      "ao_id": "PRI-17.5_A02",
      "objective": "applicable data subject communications metrics are publicly disclosed, as required by statutory and/or regulatory obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-18",
      "ao_id": "PRI-18_A01",
      "objective": "the organization has processes to respond to data controller communications pertaining to data subject requests.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-18",
      "ao_id": "PRI-18_A02",
      "objective": "the organization has processes to respond to data controller communications pertaining to updating/correcting Personal Data (PD) under its control.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-18",
      "ao_id": "PRI-18_A03",
      "objective": "the organization has processes to respond to data controller communications pertaining to the disclosure of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-18",
      "ao_id": "PRI-18_A04",
      "objective": "the organization has processes to respond to data controller communications pertaining to accounting for Personal Data (PD) that is stored, processed and/or transmitted on behalf of the data controller.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19",
      "ao_id": "PRI-19_A01",
      "objective": "Automated Decision-Making Technology (ADMT), where computation replaces, or substantially replaces, human decision-making for data subject actions, are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19",
      "ao_id": "PRI-19_A02",
      "objective": "applicable statutory, regulatory and/or contractual obligations for Automated Decision-Making Technology (ADMT), where computation replaces, or substantially replaces, human decision-making for data subject actions, are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19",
      "ao_id": "PRI-19_A03",
      "objective": "the use of Automated Decision-Making Technology (ADMT), where computation replaces, or substantially replaces, human decision-making for data subject actions, conforms with all applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19.1",
      "ao_id": "PRI-19.1_A01",
      "objective": "processes using Automated Decision-Making Technology (ADMT) are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19.1",
      "ao_id": "PRI-19.1_A02",
      "objective": "data subjects are notified of their rights through a pre-use notice when their Personal Data (PD) will be processed by an Automated Decision-Making Technology (ADMT).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19.2",
      "ao_id": "PRI-19.2_A01",
      "objective": "data subject-focused instructions pertaining to Automated Decision-Making Technology (ADMT) are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19.2",
      "ao_id": "PRI-19.2_A02",
      "objective": "data subjects are provided concise, unambiguous and understandable instructions on how a data subject can opt out of Automated Decision-Making Technology (ADMT).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19.3",
      "ao_id": "PRI-19.3_A01",
      "objective": "sufficient details of the logic and parameters used by Automated Decision-Making Technology (ADMT) to process the Personal Data (PD) to generate an output with respect to the data subject are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-19.3",
      "ao_id": "PRI-19.3_A02",
      "objective": "data subjects are provided with sufficient details of the logic and parameters used by Automated Decision-Making Technology (ADMT) to process the Personal Data (PD) to generate an output with respect to the data subject.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-20",
      "ao_id": "PRI-20_A01",
      "objective": "sources of Personal Data (PD) other than directly from a data subject are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-20",
      "ao_id": "PRI-20_A02",
      "objective": "formal contracts exist with data brokers.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-20",
      "ao_id": "PRI-20_A03",
      "objective": "data brokers that collect Personal Data (PD) from a source other than directly from the data subject are required to adhere to all applicable statutory, regulatory and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-21",
      "ao_id": "PRI-21_A01",
      "objective": "data privacy notices inform data subjects of their right to direct an organization that sells or shares their Personal Data (PD) to stop selling or sharing their PD.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-21",
      "ao_id": "PRI-21_A02",
      "objective": "data privacy notices inform data subjects of methods available to exercise that right to direct an organization to stop selling or sharing their Personal Data (PD).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-21.1",
      "ao_id": "PRI-21.1_A01",
      "objective": "conspicuous links are published for data subjects to exercise their rights to limit the collection and/or use of Personal Data (PD).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-21.1",
      "ao_id": "PRI-21.1_A02",
      "objective": "conspicuous links are published for data subjects to exercise their rights for their Personal Data (PD) to not be sold and/or shared.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-21.2",
      "ao_id": "PRI-21.2_A01",
      "objective": "a single, clearly-labeled link is published that allows data subjects to efficiently exercise their opt-out rights to limit the collection and/or use of Personal Data (PD).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRI-21.2",
      "ao_id": "PRI-21.2_A02",
      "objective": "a single, clearly-labeled link is published that allows data subjects to efficiently exercise their opt-out rights for their Personal Data (PD) to not be sold and/or shared.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A01",
      "objective": "the organization-defined official is designated to manage the development, documentation, and dissemination of the planning policy and procedures.",
      "pptdf": "People",
      "origin": "53A_R5_PL-01b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A02",
      "objective": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A03",
      "objective": "personnel or roles to whom the planning policy is to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A04",
      "objective": "personnel or roles to whom the planning procedures are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A05",
      "objective": "one or more of the following organization-defined criteria is/are selected: mission/business process-level /system-level.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A06",
      "objective": "an official to manage the planning policy and procedures is defined.",
      "pptdf": "People",
      "origin": "53A_R5_PL-01_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A07",
      "objective": "the frequency with which the current planning policy is reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A08",
      "objective": "events that would require the current planning policy to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A09",
      "objective": "the frequency with which the current planning procedures are reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A10",
      "objective": "events that would require procedures to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A11",
      "objective": "a planning policy is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A12",
      "objective": "the planning policy is disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A13",
      "objective": "the planning procedures are disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A14",
      "objective": "the organization's planning policy addresses purpose.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.01(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A15",
      "objective": "the organization's planning policy addresses scope.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.01(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A16",
      "objective": "the organization's planning policy addresses roles.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.01(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A17",
      "objective": "the organization's planning policy addresses responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.01(a)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A18",
      "objective": "the organization's planning policy addresses management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.01(a)[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A19",
      "objective": "the organization's planning policy addresses coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.01(a)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A20",
      "objective": "the organization's planning policy addresses compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.01(a)[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A21",
      "objective": "the organization's planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01a.01(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A22",
      "objective": "the current planning policy is reviewed / updated at the organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01c.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A23",
      "objective": "the current planning policy is reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01c.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A24",
      "objective": "the current planning procedures are reviewed / updated at the organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01c.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A25",
      "objective": "the current planning procedures are reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-01c.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A26",
      "objective": "Project & Resource Management (PRM) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A27",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Project & Resource Management (PRM) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A28",
      "objective": "responsibility and authority for the performance of Project & Resource Management (PRM)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01",
      "ao_id": "PRM-01_A29",
      "objective": "personnel performing Project & Resource Management (PRM)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01.1",
      "ao_id": "PRM-01.1_A01",
      "objective": "a documented strategic cybersecurity / data privacy-specific business plan exists.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01.1",
      "ao_id": "PRM-01.1_A02",
      "objective": "a documented set of objectives to achieve that cybersecurity and privacy-specific business plan exists.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01.2",
      "ao_id": "PRM-01.2_A01",
      "objective": "the organization defines a Capability Maturity Model (CMM) it will use to benchmark maturity.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-01.2",
      "ao_id": "PRM-01.2_A02",
      "objective": "targeted capability maturity levels are defined at the domain and/or control level.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-02",
      "ao_id": "PRM-02_A01",
      "objective": "the resources needed to implement the cybersecurity / data privacy program are included in capital planning and investment requests and all exceptions are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-03a.[01]\n53A_R5_PM-03a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-02",
      "ao_id": "PRM-02_A02",
      "objective": "the documentation required for addressing the cybersecurity / data privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations and standards.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-03b.[01]\n53A_R5_PM-03b.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-02",
      "ao_id": "PRM-02_A03",
      "objective": "cybersecurity / data privacy resources are made available for expenditure as planned.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-03c.[01]\n53A_R5_PM-03c.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-02.1",
      "ao_id": "PRM-02.1_A01",
      "objective": "foundational cybersecurity practices are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-02.1",
      "ao_id": "PRM-02.1_A02",
      "objective": "foundational cybersecurity practices are integrated with advanced technologies to maintain situation awareness of and minimize the organization's exposure to evolving risks and threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-03",
      "ao_id": "PRM-03_A01",
      "objective": "the high-level cybersecurity / data privacy requirements for the system or system service are determined in mission and business process planning.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-02a.[01]\n53A_R5_SA-02a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-03",
      "ao_id": "PRM-03_A02",
      "objective": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-02b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-03",
      "ao_id": "PRM-03_A03",
      "objective": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-02b.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-03",
      "ao_id": "PRM-03_A04",
      "objective": "a discrete line item for cybersecurity / data privacy is established in organizational programming and budgeting documentation.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-02c.[01]\n53A_R5_SA-02c.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A01",
      "objective": "controls are assessed in the system and its environment of operation per an organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established cybersecurity / data privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02d.[01]\n53A_R5_CA-02d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A02",
      "objective": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A03",
      "objective": "a control assessment report is produced that documents the results of the assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02e.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A04",
      "objective": "the results of the control assessment are provided to individuals or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02f.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A05",
      "objective": "the frequency at which to assess controls in the system and its environment of operation is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A06",
      "objective": "individuals or roles to whom control assessment results are to be provided are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A07",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A08",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A09",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A10",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A11",
      "objective": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02b.03[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-04",
      "ao_id": "PRM-04_A12",
      "objective": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-05",
      "ao_id": "PRM-05_A01",
      "objective": "systems, system components or system services to be analyzed for criticality are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-09_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-05",
      "ao_id": "PRM-05_A02",
      "objective": "decision points in the system development life cycle when a criticality analysis is to be performed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-09_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-05",
      "ao_id": "PRM-05_A03",
      "objective": "critical system components and functions are identified by performing a criticality analysis for systems, system components or system services at decision points in the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-06",
      "ao_id": "PRM-06_A01",
      "objective": "organizational mission and business processes are defined with consideration for cybersecurity / data privacy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-11a.[01]\n53A_R5_PM-11a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-06",
      "ao_id": "PRM-06_A02",
      "objective": "organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations and the Nation.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-11a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-06",
      "ao_id": "PRM-06_A03",
      "objective": "the frequency at which to review and revise the mission and business processes is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-11_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-06",
      "ao_id": "PRM-06_A04",
      "objective": "information protection needs arising from the defined mission and business processes are determined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-11b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-06",
      "ao_id": "PRM-06_A05",
      "objective": "Personal Data (PD) processing needs arising from the defined mission and business processes are determined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-11b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-06",
      "ao_id": "PRM-06_A06",
      "objective": "the mission and business processes are reviewed and revised per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-11c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-07",
      "ao_id": "PRM-07_A01",
      "objective": "system development life cycle is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-07",
      "ao_id": "PRM-07_A02",
      "objective": "the system is acquired, developed and managed using an organization-defined system development life cycle that incorporates cybersecurity / data privacy considerations.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03a.[01]\n53A_R5_SA-03a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-07",
      "ao_id": "PRM-07_A03",
      "objective": "cybersecurity / data privacy roles and responsibilities are defined and documented throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03b.[01]\n53A_R5_SA-03b.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-07",
      "ao_id": "PRM-07_A04",
      "objective": "individuals with cybersecurity / data privacy roles and responsibilities are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03c.[01]\n53A_R5_SA-03c.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-07",
      "ao_id": "PRM-07_A05",
      "objective": "organizational cybersecurity / data privacy risk management processes are integrated into system development life cycle activities.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03d.[01]\n53A_R5_SA-03d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-07",
      "ao_id": "PRM-07_A06",
      "objective": "system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-07",
      "ao_id": "PRM-07_A07",
      "objective": "systems or system components that implement the security design principle of procedural rigor are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(30)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-07",
      "ao_id": "PRM-07_A08",
      "objective": "systems or system components implement the security design principle of procedural rigor.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(30)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-08",
      "ao_id": "PRM-08_A01",
      "objective": "critical organizational knowledge is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-08",
      "ao_id": "PRM-08_A02",
      "objective": "organizational knowledge of the cybersecurity / data privacy staff is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "PRM-08",
      "ao_id": "PRM-08_A03",
      "objective": "cross-training is performed to maintain organizational knowledge.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A01",
      "objective": "a comprehensive strategy is developed to manage cybersecurity / data privacy risk to organizational operations and assets, individuals and other organizations associated with the operation and use of organizational systems.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-09a.01\n53A_R5_PM-09a.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A02",
      "objective": "the risk management strategy is implemented consistently across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-09b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A03",
      "objective": "a senior organizational position for Risk Management aligns cybersecurity / data privacy management processes with strategic, operational and budgetary planning processes.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-29a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A04",
      "objective": "for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A05",
      "objective": "the frequency at which to review / update the risk management strategy is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-09_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A06",
      "objective": "the risk management strategy is reviewed / updated per an organization-defined frequency or as required to address organizational changes.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-09c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A07",
      "objective": "a senior organizational position for Risk Management is appointed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-29a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A08",
      "objective": "a risk executive function is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-29b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A09",
      "objective": "a risk executive function views and analyzes risk from an organization-wide perspective.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-29b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A10",
      "objective": "a risk executive function ensures that the management of risk is consistent across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-29b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A11",
      "objective": "organization-defined security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A12",
      "objective": "the following security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events: <A.03.17.03.ODP[01]: security requirements>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.03.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at a minimum, integrate Supply Chain Risk Management (SCRM) into acquisition/procurement policies, provide adequate SCRM resources, define the SCRM control baseline, establish processes to ensure suppliers disclose significant vulnerabilities and significant incidents",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A13",
      "objective": "risk management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A14",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support risk management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A15",
      "objective": "responsibility and authority for the performance of risk management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01",
      "ao_id": "RSK-01_A16",
      "objective": "personnel performing risk management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A01",
      "objective": "the personnel to receive the results of risk framing activities is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A02",
      "objective": "the frequency for reviewing and updating risk framing considerations is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A03",
      "objective": "assumptions affecting risk assessments are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.01[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A04",
      "objective": "assumptions affecting risk responses are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.01[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A05",
      "objective": "assumptions affecting risk monitoring are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.01[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A06",
      "objective": "constraints affecting risk assessments are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A07",
      "objective": "constraints affecting risk responses are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A08",
      "objective": "constraints affecting risk monitoring are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.02[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A09",
      "objective": "priorities considered by the organization for managing risk are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.03[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A10",
      "objective": "trade-offs considered by the organization for managing risk are identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.03[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A11",
      "objective": "organizational risk tolerance is identified and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28a.04",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A12",
      "objective": "the results of risk framing activities are distributed to personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A13",
      "objective": "risk framing considerations are reviewed / updated frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-28c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A14",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of sensitive / regulated data is assessed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.1",
      "ao_id": "RSK-01.1_A15",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI is assessed.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.11.01.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.2",
      "ao_id": "RSK-01.2_A01",
      "objective": "an executive steering committee, or advisory board, identifies necessary resourcing for the capability required to manage technology-related risks.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.2",
      "ao_id": "RSK-01.2_A02",
      "objective": "the organization's incident response capability is resourced accordingly so it can reduce the magnitude or likelihood of potential impacts from technology-related risks.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.2",
      "ao_id": "RSK-01.2_A03",
      "objective": "recurring reviews of incident response operations are used to benchmark resourcing requirements for incident response operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.3",
      "ao_id": "RSK-01.3_A01",
      "objective": "an executive steering committee, or advisory board, defines the organization's risk tolerance.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.4",
      "ao_id": "RSK-01.4_A01",
      "objective": "an executive steering committee, or advisory board, defines the organization's risk threshold.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-01.5",
      "ao_id": "RSK-01.5_A01",
      "objective": "an executive steering committee, or advisory board, defines the organization's risk appetite.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-02",
      "ao_id": "RSK-02_A01",
      "objective": "systems, applications, services and the information processed, stored and/or transmitted are categorized.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-02a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-02",
      "ao_id": "RSK-02_A02",
      "objective": "the security categorization results, including supporting rationale, are documented in the security plan for the system.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-02b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-02",
      "ao_id": "RSK-02_A03",
      "objective": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.",
      "pptdf": "People",
      "origin": "53A_R5_RA-02c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-02.1",
      "ao_id": "RSK-02.1_A01",
      "objective": "an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-03",
      "ao_id": "RSK-03_A01",
      "objective": "a process exists to identify applicable internal and external risks.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-03",
      "ao_id": "RSK-03_A02",
      "objective": "applicable internal and external risks are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-03",
      "ao_id": "RSK-03_A03",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of sensitive / regulated data is assessed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-03",
      "ao_id": "RSK-03_A04",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI is assessed.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.11.01.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-03.1",
      "ao_id": "RSK-03.1_A01",
      "objective": "a risk catalog, or similar solution, exists that keeps current a catalog of applicable risks associated with the organization's business operations and technologies in use.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-03.1",
      "ao_id": "RSK-03.1_A02",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of sensitive / regulated data is assessed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-03.1",
      "ao_id": "RSK-03.1_A03",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI is assessed.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.11.01.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A01",
      "objective": "the frequency to assess risk to organizational operations, organizational assets and individuals is defined.",
      "pptdf": "Process",
      "origin": "171A_3.11.1[a]\n172A_3.11.5e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A02",
      "objective": "a document in which risk assessment results are to be documented (if not documented in the cybersecurity / data privacy plans or risk assessment report) is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03_ODP[01]\n53A_R5_RA-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A03",
      "objective": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the system, the information it processes, stores or transmits, and any related information.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03a.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A04",
      "objective": "personnel or roles to whom risk assessment results are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A05",
      "objective": "risk assessment results are disseminated to personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03e.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A06",
      "objective": "the frequency to update the risk assessment is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A07",
      "objective": "the frequency to review risk assessment results is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A08",
      "objective": "a risk assessment is conducted to identify threats to and vulnerabilities in the system.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03a.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A09",
      "objective": "security solutions are identified.",
      "pptdf": "Process",
      "origin": "172A_3.11.5e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A10",
      "objective": "current and accumulated threat intelligence is identified.",
      "pptdf": "Process",
      "origin": "172A_3.11.5e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A11",
      "objective": "Anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence is identified.",
      "pptdf": "Process",
      "origin": "172A_3.11.5e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A12",
      "objective": "the effectiveness of security solutions is assessed with the defined frequency to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.",
      "pptdf": "Process",
      "origin": "172A_3.11.5e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A13",
      "objective": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03a.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A14",
      "objective": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A15",
      "objective": "risk assessment results are documented per organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A16",
      "objective": "risk assessment results are reviewed frequently.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually and when a significant change occurs",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A17",
      "objective": "the risk assessment is updated frequently or when there are significant changes to the system, its environment of operation or other conditions that may impact the cybersecurity / data privacy state of the system.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03f.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually and when a significant change occurs",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A18",
      "objective": "risk to organizational operations, organizational assets and individuals resulting from the operation of an organizational system that processes, stores or transmits sensitive / regulated data is assessed with the defined frequency.",
      "pptdf": "Process",
      "origin": "171A_3.11.1[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A19",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of sensitive / regulated data is assessed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A20",
      "objective": "risk assessments are updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A21",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI is assessed.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.11.01.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04",
      "ao_id": "RSK-04_A22",
      "objective": "risk assessments are updated <A.03.11.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.01.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04.1",
      "ao_id": "RSK-04.1_A01",
      "objective": "a risk register is maintained to facilitate the monitoring and reporting of risks.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04.2",
      "ao_id": "RSK-04.2_A01",
      "objective": "a risk assessment methodology that can cover the organization's components relevant for secure, compliant and resilient operations is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04.2",
      "ao_id": "RSK-04.2_A02",
      "objective": "a risk assessment methodology that covers the organization's components relevant for secure, compliant and resilient operations is implemented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04.3",
      "ao_id": "RSK-04.3_A01",
      "objective": "instances that require a risk assessment to be performed are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04.4",
      "ao_id": "RSK-04.4_A01",
      "objective": "applicable stakeholders for each risk assessment are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04.4",
      "ao_id": "RSK-04.4_A02",
      "objective": "identified stakeholders are involved in the risk assessment process.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-04.4",
      "ao_id": "RSK-04.4_A03",
      "objective": "identified stakeholders are provided with results of the risk assessment, upon completion.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-05",
      "ao_id": "RSK-05_A01",
      "objective": "newly discovered risks are ranked based on industry-recognized practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06",
      "ao_id": "RSK-06_A01",
      "objective": "a defined risk threshold exists to determine what risk is and is not acceptable.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06",
      "ao_id": "RSK-06_A02",
      "objective": "data / process owners are held accountable to remediate risks to an acceptable level.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06",
      "ao_id": "RSK-06_A03",
      "objective": "the organization utilizes compensating controls to remediate control deficiencies to an acceptable level.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.1",
      "ao_id": "RSK-06.1_A01",
      "objective": "findings from security assessments are responded to in accordance with organizational risk tolerance.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-07[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.1",
      "ao_id": "RSK-06.1_A02",
      "objective": "findings from security assessments are responded to.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-07[02]\n171A_R3_A.03.11.04[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.1",
      "ao_id": "RSK-06.1_A03",
      "objective": "findings from security monitoring are responded to.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-07[03]\n171A_R3_A.03.11.04[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.1",
      "ao_id": "RSK-06.1_A04",
      "objective": "findings from security audits are responded to.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-07[04]\n171A_R3_A.03.11.04[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.2",
      "ao_id": "RSK-06.2_A01",
      "objective": "compensating countermeasures are identified and implemented to reduce risk and exposure to threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.3",
      "ao_id": "RSK-06.3_A01",
      "objective": "risk treatment options are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.3",
      "ao_id": "RSK-06.3_A02",
      "objective": "appropriate risk treatment options, based on applicable risk assessment findings, are selected.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.4",
      "ao_id": "RSK-06.4_A01",
      "objective": "a Risk Treatment Plan (RTP) format is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-06.4",
      "ao_id": "RSK-06.4_A02",
      "objective": "a Risk Treatment Plan (RTP) is utilized for applicable stakeholders to remediate identified risks according to a defined timeline.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-07",
      "ao_id": "RSK-07_A01",
      "objective": "the frequency at which to update the risk assessment is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.01.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-07",
      "ao_id": "RSK-07_A02",
      "objective": "risk assessments are updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-07",
      "ao_id": "RSK-07_A03",
      "objective": "risk assessments are updated <A.03.11.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.01.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-08",
      "ao_id": "RSK-08_A01",
      "objective": "a Business Impact Analysis (BIA) is conducted to identify and evaluate the impacts of possible disruptions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A01",
      "objective": "an organization-wide strategy for managing supply chain risks is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A02",
      "objective": "supply chain risks associated with organizational systems and system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.11.7e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A03",
      "objective": "the supply chain risk management strategy is implemented consistently across the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A04",
      "objective": "a plan for managing supply chain risks is developed.",
      "pptdf": "Process",
      "origin": "172A_3.11.7e[c]\n171A_R3_A.03.17.01.a[01]\n53A_R5_SR-02a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A05",
      "objective": "security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02_ODP[01]\n172A_3.11.7e[b]\n171A_R3_A.03.17.03.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A06",
      "objective": "the supply chain risk management strategy is reviewed / updated per an organization-defined frequency or as required to address organizational changes.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A07",
      "objective": "the frequency at which to review and update the supply chain risk management plan is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30_ODP\n53A_R5_SR-02_ODP[02]\n172A_3.11.7e_ODP[1]\n171A_R3_A.03.17.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A08",
      "objective": "the plan for managing supply chain risks is updated frequently.",
      "pptdf": "Process",
      "origin": "172A_3.11.7e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A09",
      "objective": "the SCRM plan addresses risks associated with the research and development of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[02]\n53A_R5_PM-30a.[02]\n53A_R5_PM-30a.[03]\n53A_R5_PM-30a.[04]\n171A_R3_A.03.17.01.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A10",
      "objective": "the SCRM plan addresses risks associated with the design of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[03]\n171A_R3_A.03.17.01.a[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A11",
      "objective": "the SCRM plan addresses risks associated with the manufacturing of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[04]\n171A_R3_A.03.17.01.a[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A12",
      "objective": "the SCRM plan addresses risks associated with the acquisition of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30a.[05]\n53A_R5_PM-30a.[06]\n53A_R5_PM-30a.[07]\n53A_R5_SR-02a.[05]\n171A_R3_A.03.17.01.a[05]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A13",
      "objective": "the SCRM plan addresses risks associated with the delivery of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[06]\n171A_R3_A.03.17.01.a[06]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A14",
      "objective": "the SCRM plan addresses risks associated with the integration of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[07]\n171A_R3_A.03.17.01.a[07]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A15",
      "objective": "the SCRM plan addresses risks associated with the operation of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30a.[08]\n53A_R5_PM-30a.[09]\n53A_R5_PM-30a.[10]\n53A_R5_SR-02a.[08]\n171A_R3_A.03.17.01.a[08]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A16",
      "objective": "the SCRM plan addresses risks associated with the maintenance of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30a.[08]\n53A_R5_PM-30a.[09]\n53A_R5_PM-30a.[10]\n53A_R5_SR-02a.[08]\n171A_R3_A.03.17.01.a[09]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A17",
      "objective": "the SCRM plan addresses risks associated with the disposal of the system, system components, or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30a.[11]\n53A_R5_PM-30a.[12]\n53A_R5_PM-30a.[13]\n53A_R5_SR-02a.[09]\n171A_R3_A.03.17.01.a[10]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A18",
      "objective": "the SCRM plan is reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A19",
      "objective": "the SCRM plan is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A20",
      "objective": "the SCRM plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-02c.[01]\n171A_R3_A.03.17.01.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A21",
      "objective": "the supply chain risk management plan is protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-02c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A22",
      "objective": "Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component or system service are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-07_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A23",
      "objective": "OPSEC controls are employed to protect supply chain-related information for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-07",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A24",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of sensitive / regulated data is assessed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A25",
      "objective": "a process for identifying weaknesses or deficiencies in the supply chain elements and processes is established.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.03.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A26",
      "objective": "organization-defined security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A27",
      "objective": "a process for addressing weaknesses or deficiencies in the supply chain elements and processes is established.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.03.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A28",
      "objective": "the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI is assessed.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.11.01.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A29",
      "objective": "the SCRM plan is reviewed <A.03.17.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.01.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A30",
      "objective": "the SCRM plan is updated <A.03.17.01.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.01.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09",
      "ao_id": "RSK-09_A31",
      "objective": "the following security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events: <A.03.17.03.ODP[01]: security requirements>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.03.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at a minimum, integrate Supply Chain Risk Management (SCRM) into acquisition/procurement policies, provide adequate SCRM resources, define the SCRM control baseline, establish processes to ensure suppliers disclose significant vulnerabilities and significant incidents",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09.1",
      "ao_id": "RSK-09.1_A01",
      "objective": "supply chain risks associated with organizational systems and system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.11.6e[a]\n53A_R5_RA-03(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09.1",
      "ao_id": "RSK-09.1_A02",
      "objective": "supply chain risks associated with organizational systems and system components are assessed.",
      "pptdf": "Process",
      "origin": "172A_3.11.6e[b]\n53A_R5_RA-03(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09.1",
      "ao_id": "RSK-09.1_A03",
      "objective": "supply chain risks associated with organizational systems and system components are responded to.",
      "pptdf": "Process",
      "origin": "172A_3.11.6e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09.1",
      "ao_id": "RSK-09.1_A04",
      "objective": "supply chain risks associated with organizational systems and system components are monitored.",
      "pptdf": "Process",
      "origin": "172A_3.11.6e[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09.1",
      "ao_id": "RSK-09.1_A05",
      "objective": "the frequency at which to update the supply chain risk assessment is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09.1",
      "ao_id": "RSK-09.1_A06",
      "objective": "the supply chain risk assessment is updated frequently, when there are significant changes to the relevant supply chain or when changes to the system, environments of operation or other conditions may necessitate a change in the supply chain.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-03(01)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-09.2",
      "ao_id": "RSK-09.2_A01",
      "objective": "Supply Chain Risk Management (SCRM) practices address Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks and benefits arising from the organization's supply chain, including third-party software and data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-10",
      "ao_id": "RSK-10_A01",
      "objective": "Data Protection Impact Assessments (DPIAs) are conducted for systems, programs or other activities before developing or procuring information technology that processes Personal Data (PD).",
      "pptdf": "Process",
      "origin": "53A_R5_RA-08a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-10",
      "ao_id": "RSK-10_A02",
      "objective": "Data Protection Impact Assessments (DPIAs) are conducted for systems, programs or other activities before initiating a collection of Personal Data (PD) that will be processed using information technology.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-08b.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-10",
      "ao_id": "RSK-10_A03",
      "objective": "Data Protection Impact Assessments (DPIAs) are conducted for systems, programs or other activities before initiating a collection of Personal Data (PD) that includes Personal Data (PD) permitting the physical or virtual (online) contacting of a specific individual.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-08b.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-11",
      "ao_id": "RSK-11_A01",
      "objective": "risk monitoring is an integral part of the continuous monitoring strategy.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-11",
      "ao_id": "RSK-11_A02",
      "objective": "effectiveness monitoring is included in risk monitoring.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07(04)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-11",
      "ao_id": "RSK-11_A03",
      "objective": "compliance monitoring is included in risk monitoring.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07(04)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-11",
      "ao_id": "RSK-11_A04",
      "objective": "change monitoring is included in risk monitoring.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-07(04)(c)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-12",
      "ao_id": "RSK-12_A01",
      "objective": "an executive steering committee, or advisory board, defines the organization's risk culture.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-12",
      "ao_id": "RSK-12_A02",
      "objective": "a Chief Risk Officer (CRO), or similar position, is tasked with operationalizing the defined risk culture criteria throughout the organization's Business As Usual (BAU) activities.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-13",
      "ao_id": "RSK-13_A01",
      "objective": "material risk thresholds are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-13",
      "ao_id": "RSK-13_A02",
      "objective": "executive leadership approval for risk management decisions involving material risk is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-13",
      "ao_id": "RSK-13_A03",
      "objective": "executive leadership approval for risk management decisions involving material risk is obtained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-13",
      "ao_id": "RSK-13_A04",
      "objective": "executive leadership approval for risk management decisions involving material risk is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-13.1",
      "ao_id": "RSK-13.1_A01",
      "objective": "potential courses of action are developed to manage material risks with necessary information to make an informed decision.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-13.1",
      "ao_id": "RSK-13.1_A02",
      "objective": "potential courses of action to manage material risks are presented to executive leadership.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-13.2",
      "ao_id": "RSK-13.3_A01",
      "objective": "acceptable methods to document executive leadership justification for selecting a specific course of action to manage material risk are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "RSK-13.2",
      "ao_id": "RSK-13.3_A02",
      "objective": "executive leadership justification for selecting a specific course of action to manage material risk is documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A01",
      "objective": "a cybersecurity / data privacy workforce development and improvement program is established.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-13[01]\n53A_R5_PM-13[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A02",
      "objective": "the cybersecurity / data privacy education and awareness program is organization-wide.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-01_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A03",
      "objective": "the frequency at which to provide security literacy training to system users after initial training is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.02.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A04",
      "objective": "events that require security literacy training for system users are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.02.01.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A05",
      "objective": "security literacy training is provided to system users as part of initial training for new users.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.02.01.a.01[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A06",
      "objective": "security literacy training is provided to system users <A.03.02.01.ODP[01]: frequency> after initial training.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.02.01.a.01[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A07",
      "objective": "Security Awareness & Training (SAT) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A08",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Security Awareness & Training (SAT) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A09",
      "objective": "responsibility and authority for the performance of Security Awareness & Training (SAT)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01",
      "ao_id": "SAT-01_A10",
      "objective": "personnel performing Security Awareness & Training (SAT)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01.1",
      "ao_id": "SAT-01.1_A01",
      "objective": "security workforce development and awareness training is periodically reviewed to account for changes to organizational policies, standards and procedures.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01.1",
      "ao_id": "SAT-01.1_A02",
      "objective": "security workforce development and awareness training is periodically reviewed to account for changes to assigned roles and responsibilities.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01.1",
      "ao_id": "SAT-01.1_A03",
      "objective": "security workforce development and awareness training is periodically reviewed to account for changes to relevant threats and risks.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-01.1",
      "ao_id": "SAT-01.1_A04",
      "objective": "security workforce development and awareness training is periodically reviewed to account for changes to technological developments.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A01",
      "objective": "cybersecurity / data privacy literacy training is provided to system users (including managers, senior executives and contractors) as part of initial training for new users.",
      "pptdf": "People",
      "origin": "53A_R5_AT-02a.01[01]\n53A_R5_AT-02a.01[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A02",
      "objective": "cybersecurity / data privacy literacy training is provided to system users (including managers, senior executives and contractors) per an organization-defined frequency thereafter.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02a.01[03]\n53A_R5_AT-02a.01[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A03",
      "objective": "cybersecurity / data privacy literacy training is provided to system users (including managers, senior executives and contractors) when required by system changes or following organization-defined events.",
      "pptdf": "People",
      "origin": "53A_R5_AT-02a.02[01]\n53A_R5_AT-02a.02[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A04",
      "objective": "security risks associated with organizational activities involving sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "171A_3.2.1[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A05",
      "objective": "policies, standards and procedures related to the security of the system are identified.",
      "pptdf": "Process",
      "origin": "171A_3.2.1[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A06",
      "objective": "managers, systems administrators and users of the system are made aware of the security risks associated with their activities.",
      "pptdf": "People",
      "origin": "171A_3.2.1[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A07",
      "objective": "managers, systems administrators and users of the system are made aware of the applicable policies, standards and procedures related to the security of the system.",
      "pptdf": "Process",
      "origin": "171A_3.2.1[d]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A08",
      "objective": "the frequency at which to provide cybersecurity / data privacy literacy training to system users (including managers, senior executives and contractors) after initial training is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02_ODP[01]\n53A_R5_AT-02_ODP[02]\nAT-02_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A09",
      "objective": "events that require cybersecurity / data privacy literacy training for system users are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02_ODP[03]\n53A_R5_AT-02_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A10",
      "objective": "techniques to be employed to increase the cybersecurity / data privacy awareness of system users are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A11",
      "objective": "events that require security literacy training for system users are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02_ODP[06]\n172A_3.2.1e_ODP[2]\n171A_R3_A.03.02.01.ODP[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A12",
      "objective": "events that require security literacy training content updates are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02_ODP[07]\n171A_R3_A.03.02.01.ODP[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A13",
      "objective": "awareness training is updated frequently or when there are significant changes to the threat.",
      "pptdf": "Process",
      "origin": "172A_3.2.1e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A14",
      "objective": "organization-defined awareness techniques are employed to increase the cybersecurity / data privacy awareness of system users.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A15",
      "objective": "literacy training and awareness content is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A16",
      "objective": "literacy training and awareness content is updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02",
      "ao_id": "SAT-02_A17",
      "objective": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.1",
      "ao_id": "SAT-02.1_A01",
      "objective": "practical exercises are identified.",
      "pptdf": "Process",
      "origin": "172A_3.2.2e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.1",
      "ao_id": "SAT-02.1_A02",
      "objective": "current threat scenarios are identified.",
      "pptdf": "Process",
      "origin": "172A_3.2.2e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.1",
      "ao_id": "SAT-02.1_A03",
      "objective": "practical exercises in literacy training that simulate events and incidents are provided.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.1",
      "ao_id": "SAT-02.1_A04",
      "objective": "individuals involved in training and their supervisors are identified.",
      "pptdf": "Process",
      "origin": "172A_3.2.2e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.1",
      "ao_id": "SAT-02.1_A05",
      "objective": "practical exercises that are aligned with current threat scenarios are included in awareness training for roles.",
      "pptdf": "Process",
      "origin": "172A_3.2.2e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.1",
      "ao_id": "SAT-02.1_A06",
      "objective": "frequency at which to provide feedback on organizational training results is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-06_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.1",
      "ao_id": "SAT-02.1_A07",
      "objective": "personnel to whom feedback on organizational training results will be provided is/are assigned.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-06_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.1",
      "ao_id": "SAT-02.1_A08",
      "objective": "feedback on organizational training results is provided per an organization-defined frequency to organization-defined personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-06\n172A_3.2.2e[e]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.2",
      "ao_id": "SAT-02.2_A01",
      "objective": "threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors are identified.",
      "pptdf": "Process",
      "origin": "172A_3.2.1e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.2",
      "ao_id": "SAT-02.2_A02",
      "objective": "security literacy training is provided to system users on recognizing indicators of social engineering.",
      "pptdf": "People",
      "origin": "53A_R5_AT-02(03)[01]\n172A_3.2.1e[b]\n171A_R3_A.03.02.01.a.03[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.2",
      "ao_id": "SAT-02.2_A03",
      "objective": "security literacy training is provided to system users on reporting indicators of social engineering.",
      "pptdf": "People",
      "origin": "53A_R5_AT-02(03)[02]\n172A_3.2.1e[b]\n171A_R3_A.03.02.01.a.03[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.2",
      "ao_id": "SAT-02.2_A04",
      "objective": "security literacy training is provided to system users on recognizing indicators of social mining.",
      "pptdf": "People",
      "origin": "53A_R5_AT-02(03)[03]\n172A_3.2.1e[b]\n171A_R3_A.03.02.01.a.03[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.2",
      "ao_id": "SAT-02.2_A05",
      "objective": "security literacy training is provided to system users on reporting indicators of social mining.",
      "pptdf": "People",
      "origin": "53A_R5_AT-02(03)[04]\n172A_3.2.1e[b]\n171A_R3_A.03.02.01.a.03[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.2",
      "ao_id": "SAT-02.2_A06",
      "objective": "significant changes to the threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors are identified.",
      "pptdf": "Process",
      "origin": "172A_3.2.1e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-02.2",
      "ao_id": "SAT-02.2_A07",
      "objective": "awareness training is updated per an organization-defined frequency or when there are significant changes to the threat.",
      "pptdf": "Process",
      "origin": "172A_3.2.1e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A01",
      "objective": "roles and responsibilities for role-based cybersecurity / data privacy training are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03_ODP[01]\n53A_R5_AT-03_ODP[02]\n171A_3.2.2[a]\n171A_3.2.2[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A02",
      "objective": "events that require role-based security training content updates are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03_ODP[05]\n171A_R3_A.03.02.02.ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A03",
      "objective": "role-based cybersecurity / data privacy training is provided to organizational personnel before authorizing access to the system or sensitive / regulated data.",
      "pptdf": "People",
      "origin": "53A_R5_AT-03a.01[01]\n171A_3.2.2[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A04",
      "objective": "role-based security training is provided to organizational personnel before performing assigned duties.",
      "pptdf": "People",
      "origin": "53A_R5_AT-03a.01[02]\n171A_R3_A.03.02.02.a.01[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A05",
      "objective": "role-based cybersecurity / data privacy training is provided to organizational personnel per an organization-defined frequency after initial training.",
      "pptdf": "People",
      "origin": "53A_R5_AT-03a.01[03]\n53A_R5_AT-03a.01[04]\n171A_3.2.2[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A06",
      "objective": "role-based cybersecurity / data privacy training is provided to organizational personnel when required by system changes or following organization-defined events.",
      "pptdf": "People",
      "origin": "53A_R5_AT-03a.02[01]\n53A_R5_AT-03a.02[02]\n171A_3.2.2[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A07",
      "objective": "the frequency at which to provide role-based security training to assigned personnel after initial training is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03_ODP[03]\n171A_R3_A.03.02.02.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A08",
      "objective": "the frequency at which to update role-based security training content is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03_ODP[04]\n171A_R3_A.03.02.02.ODP[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A09",
      "objective": "role-based security training content is updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A10",
      "objective": "role-based security training content is updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A11",
      "objective": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A12",
      "objective": "events that require role-based security training are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.02.02.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A13",
      "objective": "incident response training for system users consistent with assigned roles and responsibilities is provided within an organization-defined time period of assuming an incident response role or responsibility or acquiring system access.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A14",
      "objective": "incident response training for system users consistent with assigned roles and responsibilities is provided when required by system changes.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.06.04.a.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A15",
      "objective": "incident response training for system users consistent with assigned roles and responsibilities is provided per an organization-defined frequency thereafter.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A16",
      "objective": "role-based security training is provided to organizational personnel before authorizing access to the system or CUI.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.02.02.a.01[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A17",
      "objective": "role-based security training is provided to organizational personnel <A.03.02.02.ODP[01]: frequency> after initial training.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.02.02.a.01[03]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A18",
      "objective": "role-based security training is provided to organizational personnel when required by system changes or following <A.03.02.02.ODP[02]: events>.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.02.02.a.02",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "significant, novel incidents, or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A19",
      "objective": "role-based security training content is updated <A.03.02.02.ODP[03]: frequency>.",
      "pptdf": "Process",
      "origin": "A.03.02.02.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A20",
      "objective": "role-based security training content is updated following <A.03.02.02.ODP[04]: events>.",
      "pptdf": "Process",
      "origin": "A.03.02.02.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "significant, novel incidents, or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A21",
      "objective": "incident response training for system users consistent with assigned roles and responsibilities is provided within <A.03.06.04.ODP[01]: time period> of assuming an incident response role or responsibility or acquiring system access.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.06.04.a.01",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "ten (10) days for privileged users, thirty (30) days for all other roles",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03",
      "ao_id": "SAT-03_A22",
      "objective": "incident response training for system users consistent with assigned roles and responsibilities is provided <A.03.06.04.ODP[02]: frequency> thereafter.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.06.04.a.03",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.1",
      "ao_id": "SAT-03.1_A01",
      "objective": "practical exercises in cybersecurity / data privacy training that reinforce training objectives are provided.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03(03)[01]\n53A_R5_AT-03(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.2",
      "ao_id": "SAT-03.2_A01",
      "objective": "indicators of malicious code are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.2",
      "ao_id": "SAT-03.2_A02",
      "objective": "literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using organization-defined indicators of malicious code is provided.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.2",
      "ao_id": "SAT-03.2_A03",
      "objective": "literacy training on the advanced persistent threat is provided.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02(05)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.3",
      "ao_id": "SAT-03.3_A01",
      "objective": "personnel or roles to be provided with initial and refresher training in the employment and operation of sensitive / regulated data processing and transparency controls is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.3",
      "ao_id": "SAT-03.3_A02",
      "objective": "the frequency at which to provide refresher training in the employment and operation of sensitive / regulated data processing and transparency controls is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.3",
      "ao_id": "SAT-03.3_A03",
      "objective": "organization-defined personnel or roles are provided with initial and refresher training at an organization-defined frequency in the employment and operation of sensitive / regulated data processing and transparency controls.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-03(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.4",
      "ao_id": "SAT-03.4_A01",
      "objective": "vendor-specific security training is provided to support new technology initiatives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.5",
      "ao_id": "SAT-03.5_A01",
      "objective": "specific training for privileged users is provided to ensure privileged users understand their unique roles and responsibilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.6",
      "ao_id": "SAT-03.6_A01",
      "objective": "literacy training on the cyber threat environment is provided.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02(06)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.6",
      "ao_id": "SAT-03.6_A02",
      "objective": "system operations reflect current cyber threat information.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-02(06)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.6",
      "ao_id": "SAT-03.6_A03",
      "objective": "the frequency of providing awareness training is defined.",
      "pptdf": "Process",
      "origin": "172A_3.2.1e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.6",
      "ao_id": "SAT-03.6_A04",
      "objective": "the frequency of updating awareness training is defined.",
      "pptdf": "Process",
      "origin": "172A_3.2.1e_ODP[2]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.6",
      "ao_id": "SAT-03.6_A05",
      "objective": "security literacy training is provided to system users when required by system changes or following <A.03.02.01.ODP[02]: events>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.02.01.a.02",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "significant, novel incidents, or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.6",
      "ao_id": "SAT-03.6_A06",
      "objective": "security literacy training content is updated <A.03.02.01.ODP[03]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.02.01.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least every 12 months",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.6",
      "ao_id": "SAT-03.6_A07",
      "objective": "security literacy training content is updated following <A.03.02.01.ODP[04]: events>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.02.01.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "significant, novel incidents, or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.7",
      "ao_id": "SAT-03.7_A01",
      "objective": "cybersecurity / data privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.8",
      "ao_id": "SAT-03.8_A01",
      "objective": "application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-03.9",
      "ao_id": "SAT-03.9_A01",
      "objective": "specialized counterintelligence awareness training is provided to personnel to collect, interpret and act upon a range of data sources that may signal the presence of a hostile actor.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-04",
      "ao_id": "SAT-04_A01",
      "objective": "cybersecurity / data privacy training activities, including cybersecurity / data privacy awareness training and specific role-based cybersecurity / data privacy training, are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-04a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-04",
      "ao_id": "SAT-04_A02",
      "objective": "time period for retaining individual training records is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-04_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-04",
      "ao_id": "SAT-04_A03",
      "objective": "individual training records are retained for an organization-defined time period.",
      "pptdf": "Data",
      "origin": "53A_R5_AT-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "five (5) years or 5 years after completion of a specific training program",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-04",
      "ao_id": "SAT-04_A04",
      "objective": "cybersecurity / data privacy training activities, including cybersecurity / data privacy awareness training and specific role-based cybersecurity / data privacy training, are monitored.",
      "pptdf": "Process",
      "origin": "53A_R5_AT-04a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-05",
      "ao_id": "SAT-05_A01",
      "objective": "a process to improve cybersecurity and data protection knowledge sharing across security personnel is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SAT-05",
      "ao_id": "SAT-05_A02",
      "objective": "cybersecurity and data protection knowledge sharing is implemented across security personnel allowing for more rapid and effective response to incidents.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A01",
      "objective": "secure engineering principles are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A02",
      "objective": "data privacy engineering principles are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A03",
      "objective": "architectural designs that promote effective cybersecurity / data privacy are identified.",
      "pptdf": "Process",
      "origin": "171A_3.13.2[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A04",
      "objective": "systems engineering principles that promote effective cybersecurity / data privacy are identified.",
      "pptdf": "Process",
      "origin": "171A_3.13.2[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A05",
      "objective": "identified architectural designs that promote effective cybersecurity / data privacy are employed.",
      "pptdf": "Process",
      "origin": "171A_3.13.2[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A06",
      "objective": "identified systems engineering principles that promote effective cybersecurity / data privacy are employed.",
      "pptdf": "Process",
      "origin": "171A_3.13.2[f]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A07",
      "objective": "systems security engineering principles to be applied to the development or modification of the system and system components are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A08",
      "objective": "systems security engineering principles are applied in the specification of the system and system components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08[01]\n53A_R5_SA-08[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A09",
      "objective": "cybersecurity / data privacy engineering principles are applied in the design of the system and system components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08[02]\n53A_R5_SA-08[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A10",
      "objective": "cybersecurity / data privacy engineering principles are applied in the development of the system and system components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08[03]\n53A_R5_SA-08[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A11",
      "objective": "cybersecurity / data privacy engineering principles are applied in the implementation of the system and system components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08[04]\n53A_R5_SA-08[09]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A12",
      "objective": "cybersecurity / data privacy engineering principles are applied in the modification of the system and system components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08[05]\n53A_R5_SA-08[10]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A13",
      "objective": "thresholds to which attack surfaces are to be reduced are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(05)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A14",
      "objective": "the developer of the system, system component, or system service is required to reduce attack surfaces to organization-defined thresholds.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(05)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A15",
      "objective": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-07(18)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A16",
      "objective": "Secure Engineering & Architecture (SEA) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A17",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Secure Engineering & Architecture (SEA) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A18",
      "objective": "responsibility and authority for the performance of Secure Engineering & Architecture (SEA)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01",
      "ao_id": "SEA-01_A19",
      "objective": "personnel performing Secure Engineering & Architecture (SEA)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01.1",
      "ao_id": "SEA-01.1_A01",
      "objective": "cybersecurity / data privacy controls and related processes to be centrally managed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-09_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01.1",
      "ao_id": "SEA-01.1_A02",
      "objective": "controls and related processes are centrally managed.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01.2",
      "ao_id": "SEA-01.2_A01",
      "objective": "the organization's goals for resiliency are defined for normal and adverse situations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01.2",
      "ao_id": "SEA-01.2_A02",
      "objective": "solutions exist to achieve resilience requirements in normal situations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01.2",
      "ao_id": "SEA-01.2_A03",
      "objective": "solutions exist to achieve resilience requirements in adverse situations.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01.3",
      "ao_id": "SEA-01.3_A01",
      "objective": "cybersecurity and data protection controls are designed and implemented to provide resistance to unintentional errors (by users or software).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-01.3",
      "ao_id": "SEA-01.3_A02",
      "objective": "cybersecurity and data protection controls are designed and implemented to provide resistance to intentional attack or circumvention.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A01",
      "objective": "an enterprise architecture is developed with consideration for cybersecurity / data privacy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-07[01]\n53A_R5_PM-07[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A02",
      "objective": "an enterprise architecture is maintained with consideration for cybersecurity / data privacy.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-07[02]\n53A_R5_PM-07[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A03",
      "objective": "an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals and other organizations.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-07[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A04",
      "objective": "an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals and other organizations.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-07[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A05",
      "objective": "the frequency for review / update to reflect changes in the enterprise architecture is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A06",
      "objective": "a cybersecurity / data privacy architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity and availability of organizational information.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08a.01\n53A_R5_PL-08a.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A07",
      "objective": "a cybersecurity / data privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08a.03[01]\n53A_R5_PL-08a.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A08",
      "objective": "a cybersecurity / data privacy architecture for the system describes any assumptions about and dependencies on external systems and services.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08a.04[01]\n53A_R5_PL-08a.04[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A09",
      "objective": "changes in the enterprise architecture are reviewed / updated per an organization-defined frequency to reflect changes in the enterprise architecture.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually and when a significant change occurs",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A10",
      "objective": "planned architecture changes are reflected in the cybersecurity / data privacy plan.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08c.[01]\n53A_R5_PL-08c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A11",
      "objective": "planned architecture changes are reflected in the Concept of Operations (CONOPS).",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08c.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A12",
      "objective": "planned architecture changes are reflected in criticality analysis.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08c.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A13",
      "objective": "planned architecture changes are reflected in organizational procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08c.[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02",
      "ao_id": "SEA-02_A14",
      "objective": "planned architecture changes are reflected in procurements and acquisitions.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08c.[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02.1",
      "ao_id": "SEA-02.1_A01",
      "objective": "technology and process terminology is standardized to reduce confusion amongst groups and departments.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02.2",
      "ao_id": "SEA-02.2_A01",
      "objective": "non-essential functions or services to be offloaded are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-07(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02.2",
      "ao_id": "SEA-02.2_A02",
      "objective": "non-essential functions or services are offloaded to other systems, system components or an external provider.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-07(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02.3",
      "ao_id": "SEA-02.3_A01",
      "objective": "“technical debt” reviews of hardware and software technologies are routinely conducted.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-02.3",
      "ao_id": "SEA-02.3_A02",
      "objective": "the results of “technical debt” reviews are leveraged as justification to remediate outdated and/or unsupported technologies.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03",
      "ao_id": "SEA-03_A01",
      "objective": "security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-03(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03",
      "ao_id": "SEA-03_A02",
      "objective": "the cybersecurity / data privacy architecture for the system is designed using a defense-in-depth approach that allocates controls to locations and architectural layers.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08(01)(a)[01]\n53A_R5_PL-08(01)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03",
      "ao_id": "SEA-03_A03",
      "objective": "the cybersecurity / data privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08(01)(b)[01]\n53A_R5_PL-08(01)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03",
      "ao_id": "SEA-03_A04",
      "objective": "controls to be allocated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08(01)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03",
      "ao_id": "SEA-03_A05",
      "objective": "locations and architectural layers are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03.1",
      "ao_id": "SEA-03.1_A01",
      "objective": "system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-32_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03.1",
      "ao_id": "SEA-03.1_A02",
      "objective": "circumstances for the physical or logical separation of components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-32_ODP[02]\n53A_R5_SC-32_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03.1",
      "ao_id": "SEA-03.1_A03",
      "objective": "the system is partitioned into system components residing in separate organization-defined physical or logical domains or environments based on circumstances for the physical or logical separation of components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-32",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03.2",
      "ao_id": "SEA-03.2_A01",
      "objective": "user functionality is identified.",
      "pptdf": "Process",
      "origin": "171A_3.13.3[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03.2",
      "ao_id": "SEA-03.2_A02",
      "objective": "system management functionality is identified.",
      "pptdf": "Process",
      "origin": "171A_3.13.3[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03.2",
      "ao_id": "SEA-03.2_A03",
      "objective": "user functionality is separated from system management functionality.",
      "pptdf": "Technology",
      "origin": "171A_3.13.3[c]\n53A_R5_SC-02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03.2",
      "ao_id": "SEA-03.2_A04",
      "objective": "the presentation of system management functionality is prevented at interfaces to non-privileged users.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-02(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-03.2",
      "ao_id": "SEA-03.2_A05",
      "objective": "state information is stored separately from applications and software.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-02(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-04",
      "ao_id": "SEA-04_A01",
      "objective": "a separate execution domain is maintained for each executing system process.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-39",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-04.1",
      "ao_id": "SEA-04.1_A01",
      "objective": "security functions are isolated from non-security functions.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-03",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-04.2",
      "ao_id": "SEA-04.2_A01",
      "objective": "hardware separation is implemented to facilitate process isolation.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-39(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-04.3",
      "ao_id": "SEA-04.3_A01",
      "objective": "multi-thread processing for which a separate execution domain is to be maintained for each thread is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-39(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-04.3",
      "ao_id": "SEA-04.3_A02",
      "objective": "a separate execution domain is maintained for each thread in organization-defined multi-threaded processing.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-39(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-04.4",
      "ao_id": "SEA-04.4_A01",
      "objective": "systems are configured to isolate, or logically separate, any application, service and/or process running with system privileges.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-05",
      "ao_id": "SEA-05_A01",
      "objective": "unauthorized information transfer via shared system resources is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-04[01]\n171A_3.13.4\n171A_R3_A.03.13.04[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-05",
      "ao_id": "SEA-05_A02",
      "objective": "unintended information transfer via shared system resources is prevented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-04[02]\n171A_R3_A.03.13.04[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-06",
      "ao_id": "SEA-06_A01",
      "objective": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-07(02)_ODP[01]\n53A_R5_CM-07(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-06",
      "ao_id": "SEA-06_A02",
      "objective": "program execution is prevented in accordance with organization-defined criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_CM-07(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07",
      "ao_id": "SEA-07_A01",
      "objective": "system components for which Mean Time to Failure (MTTF) should be determined are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-13_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07",
      "ao_id": "SEA-07_A02",
      "objective": "Mean Time to Failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-13_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07",
      "ao_id": "SEA-07_A03",
      "objective": "Mean Time to Failure (MTTF) is determined for system components in specific environments of operation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-13a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07",
      "ao_id": "SEA-07_A04",
      "objective": "substitute system components and a means to exchange active and standby components are provided in accordance with Mean Time to Failure (MTTF) substitution criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-13b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.1",
      "ao_id": "SEA-07.1_A01",
      "objective": "a technology refresh schedule is planned for the system throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.1",
      "ao_id": "SEA-07.1_A02",
      "objective": "a technology refresh schedule is implemented for the system throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.1",
      "ao_id": "SEA-07.1_A03",
      "objective": "system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component or system service.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-03(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A01",
      "objective": "restrictions for safe mode of operation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-12_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A02",
      "objective": "conditions detected to enter a safe mode of operation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CP-12_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A03",
      "objective": "a safe mode of operation is entered with restrictions when conditions are detected.",
      "pptdf": "Technology",
      "origin": "53A_R5_CP-12",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A04",
      "objective": "systems or system components that implement the security design principle of secure failure are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(24)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A05",
      "objective": "systems or system components that implement the security design principle of secure recovery are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-08(24)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A06",
      "objective": "systems or system components implement the security design principle of secure failure.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-08(24)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A07",
      "objective": "systems or system components implement the security design principle of secure recovery.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-08(24)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A08",
      "objective": "types of system failures for which the system components fail to a known state are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-24_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A09",
      "objective": "known system state to which system components fail in the event of a system failure is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-24_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A10",
      "objective": "system state information to be preserved in the event of a system failure is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-24_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.2",
      "ao_id": "SEA-07.2_A11",
      "objective": "system components fail to a known system state for the defined types of system failures while preserving system state information in failure.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-24",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.3",
      "ao_id": "SEA-07.3_A01",
      "objective": "fail-safe procedures associated with failure conditions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-17_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.3",
      "ao_id": "SEA-07.3_A02",
      "objective": "a list of failure conditions requiring fail-safe procedures is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-17_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-07.3",
      "ao_id": "SEA-07.3_A03",
      "objective": "fail-safe procedures are implemented when the listed failure conditions occur.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-17",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08",
      "ao_id": "SEA-08_A01",
      "objective": "non-persistent system components and services to be implemented are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-14_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08",
      "ao_id": "SEA-08_A02",
      "objective": "the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-14_ODP[02]\n53A_R5_SI-14_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08",
      "ao_id": "SEA-08_A03",
      "objective": "non-persistent system components and services that are initiated in a known state are implemented.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-14[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08",
      "ao_id": "SEA-08_A04",
      "objective": "non-persistent system components and services are terminated per organization-defined criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-14[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A01",
      "objective": "a technology refresh schedule is planned for the system throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A02",
      "objective": "a technology refresh schedule is implemented for the system throughout the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-03(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A03",
      "objective": "trusted sources to obtain software and data for system component and service refreshes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-14(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A04",
      "objective": "the software and data employed during system component and service refreshes are obtained from organization-defined trusted sources.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-14(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A05",
      "objective": "approved systems and system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.4.1e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A06",
      "objective": "implemented system components are identified.",
      "pptdf": "Process",
      "origin": "172A_3.4.1e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A07",
      "objective": "an authoritative source and repository are established to provide a trusted source and accountability for approved and implemented system components.",
      "pptdf": "Technology",
      "origin": "172A_3.4.1e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A08",
      "objective": "an authoritative source and repository are maintained to provide a trusted source and accountability for approved and implemented system components.",
      "pptdf": "Technology",
      "origin": "172A_3.4.1e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A09",
      "objective": "systems and system components to refresh from a known, trusted state are defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.4e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A10",
      "objective": "the frequency to refresh systems and system components is defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.4e_ODP[2]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A11",
      "objective": "a known, trusted state is identified for systems and system components.",
      "pptdf": "Process",
      "origin": "172A_3.14.4e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-08.1",
      "ao_id": "SEA-08.1_A12",
      "objective": "systems and system components are refreshed from a known, trusted state per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "172A_3.14.4e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-09",
      "ao_id": "SEA-09_A01",
      "objective": "software programs and/or applications whose information output requires validation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-15_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-09",
      "ao_id": "SEA-09_A02",
      "objective": "information output from organization-defined software programs and/or applications is validated to ensure that the information is consistent with the expected content.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-15",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-09.1",
      "ao_id": "SEA-09.1_A01",
      "objective": "the dissemination of Personal Data (PD) is restricted to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-10",
      "ao_id": "SEA-10_A01",
      "objective": "controls to be implemented to protect the system memory from unauthorized code execution are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-16_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-10",
      "ao_id": "SEA-10_A02",
      "objective": "controls are implemented to protect the system memory from unauthorized code execution.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-16",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-11",
      "ao_id": "SEA-11_A01",
      "objective": "environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(13)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-11",
      "ao_id": "SEA-11_A02",
      "objective": "anomalous or suspected adversarial behavior in or related to organization-defined environments or resources is analyzed.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-04(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-11",
      "ao_id": "SEA-11_A03",
      "objective": "components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-26[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-11",
      "ao_id": "SEA-11_A04",
      "objective": "components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-26[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-11",
      "ao_id": "SEA-11_A05",
      "objective": "components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-26[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-11",
      "ao_id": "SEA-11_A06",
      "objective": "technical and procedural means to confuse and mislead adversaries are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.3e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-11",
      "ao_id": "SEA-11_A07",
      "objective": "technical and procedural means are employed to confuse and mislead adversaries.",
      "pptdf": "Process",
      "origin": "172A_3.13.3e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-12",
      "ao_id": "SEA-12_A01",
      "objective": "system components that proactively seek to identify network-based malicious code or malicious websites are included.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-35",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-12",
      "ao_id": "SEA-12_A02",
      "objective": "environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(13)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-12",
      "ao_id": "SEA-12_A03",
      "objective": "anomalous or suspected adversarial behavior in or related to organization-defined environments or resources is analyzed.",
      "pptdf": "Technology",
      "origin": "53A_R5_IR-04(13)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-13",
      "ao_id": "SEA-13_A01",
      "objective": "diversity in system components is created to reduce the extent of malicious code propagation.",
      "pptdf": "Technology",
      "origin": "172A_3.13.1e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-13",
      "ao_id": "SEA-13_A02",
      "objective": "system components requiring a diverse set of information technologies to be employed in the implementation of the system are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-29_ODP\n172A_3.13.1e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-13",
      "ao_id": "SEA-13_A03",
      "objective": "a diverse set of information technologies is employed for organization-defined system components in the implementation of the system.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-29",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-13.1",
      "ao_id": "SEA-13.1_A01",
      "objective": "the frequency at which to change the diversity of operating systems and applications deployed using virtualization techniques is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-29(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-13.1",
      "ao_id": "SEA-13.1_A02",
      "objective": "virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-29(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14",
      "ao_id": "SEA-14_A01",
      "objective": "concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-30_ODP[01]\n172A_3.13.3e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14",
      "ao_id": "SEA-14_A02",
      "objective": "systems for which concealment and misdirection techniques are to be employed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-30_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14",
      "ao_id": "SEA-14_A03",
      "objective": "time periods to employ concealment and misdirection techniques for systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-30_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14",
      "ao_id": "SEA-14_A04",
      "objective": "concealment and misdirection techniques are employed for organization-defined systems for organization-defined time periods to confuse and mislead adversaries.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-30\n172A_3.13.3e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.1",
      "ao_id": "SEA-14.1_A01",
      "objective": "changes to organizational systems and system components to introduce a degree of unpredictability into operations are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.2e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.1",
      "ao_id": "SEA-14.1_A02",
      "objective": "the frequency of changes by system and system components is defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.2e_ODP[2]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.1",
      "ao_id": "SEA-14.1_A03",
      "objective": "organizational systems and system components necessitating unpredictability are identified.",
      "pptdf": "Process",
      "origin": "172A_3.13.2e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.1",
      "ao_id": "SEA-14.1_A04",
      "objective": "changes to organizational systems and system components are implemented frequently to introduce a degree of unpredictability into operations.",
      "pptdf": "Process",
      "origin": "172A_3.13.2e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.1",
      "ao_id": "SEA-14.1_A05",
      "objective": "technical and procedural means to confuse and mislead adversaries are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.3e_ODP[1]\n53A_R5_SC-30(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.1",
      "ao_id": "SEA-14.1_A06",
      "objective": "technical and procedural means are employed to confuse and mislead adversaries.",
      "pptdf": "Process",
      "origin": "172A_3.13.3e[a]\n53A_R5_SC-30(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.2",
      "ao_id": "SEA-14.2_A01",
      "objective": "processing and/or storage locations to be changed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-30(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.2",
      "ao_id": "SEA-14.2_A02",
      "objective": "time frequency at which to change the location of processing and/or storage is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-30(03)_ODP[02]\n53A_R5_SC-30(03)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-14.2",
      "ao_id": "SEA-14.2_A03",
      "objective": "the location of processing and/or storage is changed per an organization-defined criteria.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-30(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A01",
      "objective": "the logical and physical location where the system resides is planned considering physical and environmental hazards.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23a.\n53A_R5_SC-36_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A02",
      "objective": "for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A03",
      "objective": "processing components to be distributed across multiple locations/domains are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-36_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A04",
      "objective": "storage components to be distributed across multiple locations/domains are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-36_ODP[02]\n53A_R5_SC-36_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A05",
      "objective": "processing components are distributed across organization-defined locations.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-36[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A06",
      "objective": "storage components are distributed across organization-defined locations.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-36[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A07",
      "objective": "system functions or resources to distribute and relocate are defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.5e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A08",
      "objective": "frequency to distribute and relocate system functions or resources is defined.",
      "pptdf": "Process",
      "origin": "172A_3.13.5e_ODP[2]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-15",
      "ao_id": "SEA-15_A09",
      "objective": "system functions or resources are distributed and relocated frequency.",
      "pptdf": "Process",
      "origin": "172A_3.13.5e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-16",
      "ao_id": "SEA-16_A01",
      "objective": "system components for which the operating environment and applications are to be loaded and executed from hardware-enforced, read-only media are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-34_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-16",
      "ao_id": "SEA-16_A02",
      "objective": "applications to be loaded and executed from hardware-enforced, read-only media are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-34_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-16",
      "ao_id": "SEA-16_A03",
      "objective": "the operating environment for system components is loaded and executed from hardware-enforced, read-only media.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-34a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-16",
      "ao_id": "SEA-16_A04",
      "objective": "applications for system components are loaded and executed from hardware-enforced, read-only media.",
      "pptdf": "Technology",
      "origin": "53A_R5_SC-34b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-17",
      "ao_id": "SEA-17_A01",
      "objective": "a trusted communications path is used between the user and the security functions of the system (e.g., Ctrl+Alt+Del).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A01",
      "objective": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-08_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A02",
      "objective": "conditions for system use to be displayed by the system before granting further access are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-08_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A03",
      "objective": "organization-defined system use notification is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_AC-08a.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A04",
      "objective": "the system use notification states that users are accessing a protected system.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-08a.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A05",
      "objective": "the system use notification states that system usage may be monitored, recorded and subject to audit.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-08a.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A06",
      "objective": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-08a.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A07",
      "objective": "the system use notification states that use of the system indicates consent to monitoring and recording.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-08a.04",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A08",
      "objective": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.",
      "pptdf": "Data",
      "origin": "53A_R5_AC-08b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A09",
      "objective": "for publicly accessible systems, system use information organization-defined conditions is displayed before granting further access to the publicly accessible system.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-08c.01",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A10",
      "objective": "for publicly accessible systems, any references to monitoring, recording or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-08c.02",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A11",
      "objective": "for publicly accessible systems, a description of the authorized uses of the system is included.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-08c.03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A12",
      "objective": "a system use notification message with privacy and security notices consistent with applicable CUI rules is displayed before granting access to the system.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.09",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A13",
      "objective": "privacy and security notices required by statutory/regulatory-specified rules are identified, consistent, and associated with the specific sensitive/regulated data category.",
      "pptdf": "Technology",
      "origin": "171A_3.1.9[a]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18",
      "ao_id": "SEA-18_A14",
      "objective": "privacy and security notices are displayed.",
      "pptdf": "Technology",
      "origin": "171A_3.1.9[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18.1",
      "ao_id": "SEA-18.1_A01",
      "objective": "Microsoft Windows-based systems are configured to display an approved logon banner before granting access to the system that provides privacy and security notices.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18.1",
      "ao_id": "SEA-18.1_A02",
      "objective": "a system use notification message with privacy and security notices consistent with applicable CUI rules is displayed before granting access to the system.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.09",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18.2",
      "ao_id": "SEA-18.2_A01",
      "objective": "where technically feasible, systems utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized source (e.g., Active Directory).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-18.2",
      "ao_id": "SEA-18.2_A02",
      "objective": "a system use notification message with privacy and security notices consistent with applicable CUI rules is displayed before granting access to the system.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.01.09",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-19",
      "ao_id": "SEA-19_A01",
      "objective": "the user is notified, upon successful logon to the system, of the date and time of the last logon.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-20",
      "ao_id": "SEA-20_A01",
      "objective": "granularity of time measurement for audit record timestamps is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_AU-08_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "one second granularity of time measurement",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-20",
      "ao_id": "SEA-20_A02",
      "objective": "internal system clocks are used to generate timestamps for audit records.",
      "pptdf": "Technology",
      "origin": "53A_R5_AU-08a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-21",
      "ao_id": "SEA-21_A01",
      "objective": "application containers (virtualization approach) are used to isolate to a known set of dependencies, access methods and interfaces.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-22",
      "ao_id": "SEA-22_A01",
      "objective": "unprivileged operating environments are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-22",
      "ao_id": "SEA-22_A02",
      "objective": "privileged operating environments are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "SEA-22",
      "ao_id": "SEA-22_A03",
      "objective": "privileged operating environments are prohibited from existing within unprivileged operating environments, including physical or virtual deployments of Assets, Applications & Services (AAS).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A01",
      "objective": "a system and services acquisition policy is developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A02",
      "objective": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A03",
      "objective": "acquisition strategies, contract tools, and procurement methods are implemented to identify supply chain risks.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.02[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A04",
      "objective": "acquisition strategies, contract tools, and procurement methods are implemented to protect against supply chain risks.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.02[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A05",
      "objective": "acquisition strategies, contract tools, and procurement methods are implemented to mitigate supply chain risks.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.02[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A06",
      "objective": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A07",
      "objective": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A08",
      "objective": "one or more of the following organization-defined criteria is/are selected: {organization-level. mission/business process-level. system-level}.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A09",
      "objective": "an official to manage the system and services acquisition policy and procedures is defined.",
      "pptdf": "People",
      "origin": "53A_R5_SA-01_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A10",
      "objective": "the frequency at which the current system and services acquisition policy is reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01_ODP[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A11",
      "objective": "events that would require the current system and services acquisition policy to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01_ODP[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A12",
      "objective": "the frequency at which the current system and services acquisition procedures are reviewed / updated is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01_ODP[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A13",
      "objective": "events that would require the system and services acquisition procedures to be reviewed / updated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A14",
      "objective": "the system and services acquisition policy is disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A15",
      "objective": "the system and services acquisition procedures are disseminated to organization-defined personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A16",
      "objective": "the organization's system and services acquisition policy addresses purpose.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.01(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A17",
      "objective": "the organization's system and services acquisition policy addresses scope.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.01(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A18",
      "objective": "the organization's system and services acquisition policy addresses roles.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.01(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A19",
      "objective": "the organization's system and services acquisition policy addresses responsibilities.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.01(a)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A20",
      "objective": "the organization's system and services acquisition policy addresses management commitment.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.01(a)[05]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A21",
      "objective": "the organization's system and services acquisition policy addresses coordination among organizational entities.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.01(a)[06]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A22",
      "objective": "the organization's system and services acquisition policy addresses compliance.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.01(a)[07]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A23",
      "objective": "the organization's system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01a.01(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A24",
      "objective": "the organization-defined official is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures.",
      "pptdf": "People",
      "origin": "53A_R5_SA-01b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A25",
      "objective": "the system and services acquisition policy is reviewed / updated organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01c.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A26",
      "objective": "the current system and services acquisition policy is reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01c.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A27",
      "objective": "the current system and services acquisition procedures are reviewed / updated organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01c.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A28",
      "objective": "the current system and services acquisition procedures are reviewed / updated following organization-defined events.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-01c.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A29",
      "objective": "systems or system components supporting mission-essential services or functions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-23_ODP[01]\n53A_R5_SA-23_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A30",
      "objective": "organization's is employed on organization-defined systems or system components supporting essential services or functions to increase the trustworthiness in those systems or components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-23",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A31",
      "objective": "systems security engineering principles to be applied to the development or modification of the system and system components are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A32",
      "objective": "Technology Development & Acquisition (TDA) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A33",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Technology Development & Acquisition (TDA) operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A34",
      "objective": "responsibility and authority for the performance of Technology Development & Acquisition (TDA)-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01",
      "ao_id": "TDA-01_A35",
      "objective": "personnel performing Technology Development & Acquisition (TDA)-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01.1",
      "ao_id": "TDA-01.1_A01",
      "objective": "product management processes are designed and implemented to ensure products, including systems, software and services, are routinely updated to improve functionality and correct security deficiencies.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01.1",
      "ao_id": "TDA-01.1_A02",
      "objective": "systems or system components supporting mission-essential services or functions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-23_ODP[01]\n53A_R5_SA-23_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01.1",
      "ao_id": "TDA-01.1_A03",
      "objective": "organization-defined criteria are employed on systems or system components supporting essential services or functions to increase the trustworthiness in those systems or components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-23",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01.2",
      "ao_id": "TDA-01.2_A01",
      "objective": "integrity validation mechanisms are utilized for security updates.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01.3",
      "ao_id": "TDA-01.3_A01",
      "objective": "at least one (1) malware detection tool is used to identify if any known malware exists in the final binaries of the product or security update.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-01.4",
      "ao_id": "TDA-01.4_A01",
      "objective": "cybersecurity / data privacy is integrated into emerging Development and Operations (DevOps) to prioritize secure practices throughout the Software Development Lifecycle (SDLC).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A01",
      "objective": "cybersecurity / data privacy functional requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04a.[01]\n53A_R5_SA-04a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A02",
      "objective": "strength of mechanism requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A03",
      "objective": "cybersecurity / data privacy assurance requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04c.[01]\n53A_R5_SA-04c.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A04",
      "objective": "controls needed to satisfy the cybersecurity / data privacy requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04d.[01]\n53A_R5_SA-04d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A05",
      "objective": "cybersecurity / data privacy documentation requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04e.[01]\n53A_R5_SA-04e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A06",
      "objective": "requirements for protecting cybersecurity / data privacy documentation, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04f.[01]\n53A_R5_SA-04f.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A07",
      "objective": "the description of the system development environment and environment in which the system is intended to operate, requirements and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04g.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A08",
      "objective": "the allocation of responsibility or identification of parties responsible for cybersecurity / data privacy requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04h.[01]\n53A_R5_SA-04h.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A09",
      "objective": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions and criteria are included explicitly or by reference using organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04h.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02",
      "ao_id": "TDA-02_A10",
      "objective": "acceptance criteria requirements and descriptions are included explicitly or by reference in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04i.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.1",
      "ao_id": "TDA-02.1_A01",
      "objective": "the developer of the system, system component or system service is required to identify the functions intended for organizational use.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(09)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.1",
      "ao_id": "TDA-02.1_A02",
      "objective": "the developer of the system, system component or system service is required to identify the ports intended for organizational use.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(09)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.1",
      "ao_id": "TDA-02.1_A03",
      "objective": "the developer of the system, system component or system service is required to identify the protocols intended for organizational use.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(09)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.1",
      "ao_id": "TDA-02.1_A04",
      "objective": "the developer of the system, system component or system service is required to identify the services intended for organizational use.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(09)[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.2",
      "ao_id": "TDA-02.2_A01",
      "objective": "as required per statutory, regulatory or contractual obligations, only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-04(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.3",
      "ao_id": "TDA-02.3_A01",
      "objective": "cybersecurity / data privacy systems engineering methods are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)_ODP[01]\n53A_R5_SA-04(03)_ODP[02]\n53A_R5_SA-04(03)_ODP[03]\n53A_R5_SA-04(03)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.3",
      "ao_id": "TDA-02.3_A02",
      "objective": "software development methods are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)_ODP[05]\n53A_R5_SA-04(03)_ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.3",
      "ao_id": "TDA-02.3_A03",
      "objective": "testing, evaluation, assessment, verification and validation methods are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)_ODP[07]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.3",
      "ao_id": "TDA-02.3_A04",
      "objective": "quality control processes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)_ODP[08]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.3",
      "ao_id": "TDA-02.3_A05",
      "objective": "the developer of the system, system component or system service is required to demonstrate the use of a system development life cycle process that includes organization-defined system security engineering methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)(a)\n53A_R5_SA-04(03)(b)\n53A_R5_SA-04(03)(c)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.3",
      "ao_id": "TDA-02.3_A06",
      "objective": "systems security engineering principles to be applied to the development or modification of the system and system components are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.01.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.3",
      "ao_id": "TDA-02.3_A07",
      "objective": "<A.03.16.01.ODP[01]: systems security engineering principles> are applied to the development or modification of the system and system components.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.01",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "Guidance: At a minimum, documentation that provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation should be based on the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.4",
      "ao_id": "TDA-02.4_A01",
      "objective": "pre-established security configurations for the system, component or service are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(05)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.4",
      "ao_id": "TDA-02.4_A02",
      "objective": "the developer of the system, system component or system service is required to deliver the system, component or service with pre-established security configurations implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(05)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.4",
      "ao_id": "TDA-02.4_A03",
      "objective": "the pre-established configurations are used as the default for any subsequent system, component or service reinstallation or upgrade.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-04(05)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.5",
      "ao_id": "TDA-02.5_A01",
      "objective": "process owners identify necessary ports, protocols and other services necessary to operate their technology solutions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.5",
      "ao_id": "TDA-02.5_A02",
      "objective": "process owners document legitimate business justifications for the ports, protocols and other services necessary to operate their technology solutions.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.6",
      "ao_id": "TDA-02.6_A01",
      "objective": "risks associated with the use of insecure ports, protocols and services necessary to operate technology solutions are appropriately mitigated.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.7",
      "ao_id": "TDA-02.7_A01",
      "objective": "cybersecurity / data privacy representatives to be included in the configuration change management and control process are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10(07)_ODP[01]\n53A_R5_SA-10(07)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.7",
      "ao_id": "TDA-02.7_A02",
      "objective": "configuration change management and control processes in which cybersecurity / data privacy representatives are required to be included are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10(07)_ODP[03]\n53A_R5_SA-10(07)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.7",
      "ao_id": "TDA-02.7_A03",
      "objective": "organization-defined cybersecurity / data privacy representatives are required to be included in the organization-defined configuration change management and control processes.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10(07)[01]\n53A_R5_SA-10(07)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.8",
      "ao_id": "TDA-02.8_A01",
      "objective": "the attack surface of products and/or services is minimized by reasonably mitigating known exploitable vulnerabilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.9",
      "ao_id": "TDA-02.9_A01",
      "objective": "security updates are delivered to products and/or services, where applicable, through automatic updates.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.9",
      "ao_id": "TDA-02.9_A02",
      "objective": "security updates are delivered to products and/or services, where applicable, through notification of available updates to affected users.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.10",
      "ao_id": "TDA-02.10_A01",
      "objective": "an appropriate level of security and resiliency for products and/or services is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.10",
      "ao_id": "TDA-02.10_A02",
      "objective": "products and/or services are regularly reviewed for an appropriate level of security and resiliency based on applicable risks and threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.11",
      "ao_id": "TDA-02.11_A01",
      "objective": "stakeholder vulnerability disclosures contain a description of the vulnerability(ies).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.11",
      "ao_id": "TDA-02.11_A02",
      "objective": "stakeholder vulnerability disclosures contain information about affected product(s) and/or service(s).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.11",
      "ao_id": "TDA-02.11_A03",
      "objective": "stakeholder vulnerability disclosures contain information about potential impact of the vulnerability(ies).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.11",
      "ao_id": "TDA-02.11_A04",
      "objective": "stakeholder vulnerability disclosures contain information about the severity of the vulnerability(ies).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.11",
      "ao_id": "TDA-02.11_A05",
      "objective": "stakeholder vulnerability disclosures contain information about guidance to remediate the vulnerability(ies).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.12",
      "ao_id": "TDA-02.12_A01",
      "objective": "a categorization scheme for products and/or services with digital elements is developed to define security and resiliency requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.12",
      "ao_id": "TDA-02.12_A02",
      "objective": "products and/or services with digital elements are categorized according to applicable security and resiliency requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.13",
      "ao_id": "TDA-02.13_A01",
      "objective": "applicable stakeholders are notified about potentially exploitable vulnerabilities in organization-developed products and/or services, as required by statutory, regulatory and/or contractual obligations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-02.14",
      "ao_id": "TDA-02.14_A01",
      "objective": "industry-defined secure logging formats are used to generate event logs.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03",
      "ao_id": "TDA-03_A01",
      "objective": "the organization only uses Commercial Off-the-Shelf (COTS) security products.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03",
      "ao_id": "TDA-03_A02",
      "objective": "for classified environments, only Government Off-The-Shelf (GOTS) or Commercial Off-The-Shelf (COTS) information assurance and information assurance-enabled information technology products that compose an NSA-approved solution are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-04(06)(a)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03",
      "ao_id": "TDA-03_A03",
      "objective": "for classified environments, GOTS and COTS products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(06)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03.1",
      "ao_id": "TDA-03.1_A01",
      "objective": "system components with a diverse set of sources are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03.1",
      "ao_id": "TDA-03.1_A02",
      "objective": "services with a diverse set of sources are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03.1",
      "ao_id": "TDA-03.1_A03",
      "objective": "a diverse set of sources is employed for system components.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03.1",
      "ao_id": "TDA-03.1_A04",
      "objective": "a diverse set of sources is employed for services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03.1",
      "ao_id": "TDA-03.1_A05",
      "objective": "controls to be allocated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08(02)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03.1",
      "ao_id": "TDA-03.1_A06",
      "objective": "locations and architectural layers are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08(02)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-03.1",
      "ao_id": "TDA-03.1_A07",
      "objective": "controls that are allocated to locations and architectural layers are required to be obtained from different suppliers.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-08(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A01",
      "objective": "administrator documentation for the system, system component or system service that describes the secure configuration of the system, component or service is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05a.01[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A02",
      "objective": "administrator documentation for the system, system component or system service that describes the secure installation of the system, component or service is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05a.01[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A03",
      "objective": "administrator documentation for the system, system component or system service that describes the secure operation of the system, component or service is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05a.01[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A04",
      "objective": "administrator documentation for the system, system component or system service that describes the effective use of cybersecurity / data privacy functions and mechanisms is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05a.02[01]\n53A_R5_SA-05a.02[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A05",
      "objective": "administrator documentation for the system, system component or system service that describes the effective maintenance of cybersecurity / data privacy functions and mechanisms is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05a.02[02]\n53A_R5_SA-05a.02[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A06",
      "objective": "user documentation for the system, system component or system service that describes user-accessible cybersecurity / data privacy functions and mechanisms is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05b.01[01]\n53A_R5_SA-05b.01[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A07",
      "objective": "user documentation for the system, system component or system service that describes how to effectively use those (user-accessible cybersecurity / data privacy) functions and mechanisms is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05b.01[02]\n53A_R5_SA-05b.01[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A08",
      "objective": "user documentation for the system, system component or system service that describes methods for user interaction, which enable individuals to use the system, component or service in a more secure manner is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05b.02[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A09",
      "objective": "user documentation for the system, system component or system service that describes methods for user interaction, which enable individuals to use the system, component or service to protect individual privacy is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05b.02[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A10",
      "objective": "user documentation for the system, system component or system service that describes user responsibilities for maintaining the cybersecurity / data privacy of the system, component or service is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05b.03[01]\n53A_R5_SA-05b.03[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A11",
      "objective": "actions to take when system, system component or system service documentation is either unavailable or nonexistent are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A12",
      "objective": "personnel or roles to distribute system documentation to is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A13",
      "objective": "administrator documentation for the system, system component or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05a.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A14",
      "objective": "administrator documentation for the system, system component or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05a.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A15",
      "objective": "attempts to obtain system, system component or system service documentation when such documentation is either unavailable or nonexistent are documented.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A16",
      "objective": "after attempts to obtain system, system component or system service documentation when such documentation is either unavailable or nonexistent, actions are taken in response.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04",
      "ao_id": "TDA-04_A17",
      "objective": "documentation is distributed to personnel or roles.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-05d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04.1",
      "ao_id": "TDA-04.1_A01",
      "objective": "the developer of the system, system component or system service is required to provide a description of the functional properties of the controls to be implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04.1",
      "ao_id": "TDA-04.1_A02",
      "objective": "organization-defined criteria for security-relevant information pertaining to external system interfaces, high-level design, low-level design, source code or hardware schematics and design and implementation information are documented in a System Security & Privacy Plan (SSPP), or similar document.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04.1",
      "ao_id": "TDA-04.1_A03",
      "objective": "design and implementation information is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04.1",
      "ao_id": "TDA-04.1_A04",
      "objective": "level of detail is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(02)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04.1",
      "ao_id": "TDA-04.1_A05",
      "objective": "the developer of the system, system component or system service is required to provide design and implementation information for the controls that includes organization-defined design and implementation information at an organization-defined level of detail.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-04.2",
      "ao_id": "TDA-04.2_A01",
      "objective": "a Software Bill of Materials (SBOM) for systems, applications and services lists software packages in use, including versions and applicable licenses.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-05",
      "ao_id": "TDA-05_A01",
      "objective": "the developer of the system, system component or system service is required to produce a design specification and cybersecurity / data privacy architecture that are consistent with the organization's security architecture, which is an integral part of the organization's enterprise architecture.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-17(a)[01]\n53A_R5_SA-17(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-05",
      "ao_id": "TDA-05_A02",
      "objective": "the developer of the system, system component or system service is required to produce a design specification and cybersecurity / data privacy architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-17(b)[01]\n53A_R5_SA-17(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-05",
      "ao_id": "TDA-05_A03",
      "objective": "the developer of the system, system component or system service is required to produce a design specification and cybersecurity / data privacy architecture that express how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-17(c)[01]\n53A_R5_SA-17(c)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-05.1",
      "ao_id": "TDA-05.1_A01",
      "objective": "physical diagnostic and test interfaces are secured to prevent misuse.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-05.2",
      "ao_id": "TDA-05.2_A01",
      "objective": "endpoint devices are configured to log events and generate alerts for attempts to access diagnostic and test interfaces.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A01",
      "objective": "software development techniques that promote effective cybersecurity / data privacy are identified.",
      "pptdf": "Process",
      "origin": "171A_3.13.2[b]\n53A_R5_SA-04(03)_ODP[01]\n53A_R5_SA-04(03)_ODP[02]\n53A_R5_SA-04(03)_ODP[03]\n53A_R5_SA-04(03)_ODP[04]\n53A_R5_SA-04(03)_ODP[05]\n53A_R5_SA-04(03)_ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A02",
      "objective": "testing, evaluation, assessment, verification and validation methods are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)_ODP[07]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A03",
      "objective": "cybersecurity / data privacy requirements to be satisfied by the process, standards, tools, tool options and tool configurations are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15_ODP[02]\n53A_R5_SA-15_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A04",
      "objective": "identified software development techniques that promote effective cybersecurity / data privacy are employed.",
      "pptdf": "Process",
      "origin": "171A_3.13.2[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A05",
      "objective": "quality control processes are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)_ODP[08]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A06",
      "objective": "frequency at which to review the development process, standards, tools, tool options and tool configurations is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A07",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process that explicitly addresses security requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15a.01[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A08",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process that explicitly addresses privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15a.01[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A09",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process that identifies the standards used in the development process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15a.02[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A10",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process that identifies the tools used in the development process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15a.02[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A11",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process that documents the specific tool used in the development process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15a.03[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A12",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process that documents the specific tool configurations used in the development process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15a.03[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A13",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process that documents, manages and ensures the integrity of changes to the process and/or tools used in development.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15a.04",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A14",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process in which the development process, standards, tools, tool options and tool configurations are reviewed frequently to determine that the process, standards, tools, tool options and tool configurations selected and employed satisfy security requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A15",
      "objective": "the developer of the system, system component or system service is required to follow a documented development process in which the development process, standards, tools, tool options and tool configurations are reviewed frequently to determine that the process, standards, tools, tool options and tool configurations selected and employed satisfy privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06",
      "ao_id": "TDA-06_A16",
      "objective": "the developer of the system, system component or system service is required to demonstrate the use of a system development life cycle process that includes organization-defined system security engineering methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)(a)\n53A_R5_SA-04(03)(b)\n53A_R5_SA-04(03)(c)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A01",
      "objective": "decision points in the system development life cycle are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A02",
      "objective": "the breadth of criticality analysis is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A03",
      "objective": "the depth of criticality analysis is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(03)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A04",
      "objective": "the developer of the system, system component, or system service is required to perform a criticality analysis at organization-defined decision points in the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(03)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A05",
      "objective": "the developer of the system, system component, or system service is required to perform a criticality analysis per an organization-defined breadth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(03)(b)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A06",
      "objective": "the developer of the system, system component, or system service is required to perform a criticality analysis per an organization-defined depth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-15(03)(b)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A07",
      "objective": "suppliers of critical or mission-essential technologies, products and services are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A08",
      "objective": "suppliers of critical or mission-essential technologies, products and services are prioritized.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.1",
      "ao_id": "TDA-06.1_A09",
      "objective": "suppliers of critical or mission-essential technologies, products and services are assessed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.2",
      "ao_id": "TDA-06.2_A01",
      "objective": "threat modelling and other secure design techniques are used to ensure that threats to software and solutions are identified and accounted for.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.3",
      "ao_id": "TDA-06.3_A01",
      "objective": "a Software Assurance Maturity Model (SAMM) governs a secure development lifecycle for the development of systems, applications and services.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.4",
      "ao_id": "TDA-06.4_A01",
      "objective": "a supporting toolchain helps ensure the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.5",
      "ao_id": "TDA-06.5_A01",
      "objective": "an independent review of the software design confirms that all cybersecurity / data privacy requirements are met and that any identified risks are satisfactorily addressed.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.6",
      "ao_id": "TDA-06.6_A01",
      "objective": "software design processes include conducting Root Cause Analysis (RCA) to identify the underlying causes of issues or failures.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.6",
      "ao_id": "TDA-06.6_A02",
      "objective": "software design processes include developing actions to address the root cause of the issue or failure.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-06.6",
      "ao_id": "TDA-06.6_A03",
      "objective": "software design processes include implementing the actions and monitoring the implementation for effectiveness.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-07",
      "ao_id": "TDA-07_A01",
      "objective": "system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component or system service.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-03(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-08",
      "ao_id": "TDA-08_A01",
      "objective": "changes to the system are analyzed in a separate test environment before implementation in an operational environment.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-08",
      "ao_id": "TDA-08_A02",
      "objective": "changes to the system are analyzed for cybersecurity / data privacy impacts due to flaws.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04(01)[02]\n53A_R5_CM-04(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-08",
      "ao_id": "TDA-08_A03",
      "objective": "changes to the system are analyzed for cybersecurity / data privacy impacts due to weaknesses.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04(01)[04]\n53A_R5_CM-04(01)[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-08",
      "ao_id": "TDA-08_A04",
      "objective": "changes to the system are analyzed for cybersecurity / data privacy impacts due to incompatibility.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04(01)[06]\n53A_R5_CM-04(01)[07]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-08",
      "ao_id": "TDA-08_A05",
      "objective": "changes to the system are analyzed for cybersecurity / data privacy impacts due to intentional malice.",
      "pptdf": "Process",
      "origin": "53A_R5_CM-04(01)[08]\n53A_R5_CM-04(01)[09]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-08.1",
      "ao_id": "TDA-08.1_A01",
      "objective": "secure migration practices purge systems, applications and services of test/development/staging data and accounts before they are migrated into a production environment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A01",
      "objective": "the developer of the system, system component or system service is required to demonstrate the use of a system development life cycle process that includes organization-defined system security engineering methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(03)(a)\n53A_R5_SA-04(03)(b)\n53A_R5_SA-04(03)(c)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A02",
      "objective": "the developer of the system, system component or system service is required to perform attack surface reviews.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A03",
      "objective": "the breadth of testing and evaluation of required controls is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(07)_ODP[01]\n53A_R5_SA-11_ODP[03]\n53A_R5_SA-11_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A04",
      "objective": "the depth of testing and evaluation of required controls is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(07)_ODP[02]\n53A_R5_SA-11_ODP[03]\n53A_R5_SA-11_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A05",
      "objective": "frequency at which to conduct testing/evaluation is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11_ODP[02]\n53A_R5_SA-11_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A06",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A07",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A08",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A09",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A10",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to perform testing/evaluation at an organization-defined frequency and at an organization-defined depth and coverage.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A11",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A12",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A13",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A14",
      "objective": "the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A15",
      "objective": "the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls per an organization-defined breadth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(07)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09",
      "ao_id": "TDA-09_A16",
      "objective": "the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls per an organization-defined depth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(07)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.1",
      "ao_id": "TDA-09.1_A01",
      "objective": "the developer of the system, system component or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.2",
      "ao_id": "TDA-09.2_A01",
      "objective": "the developer of the system, system component or system service is required to employ static code analysis tools to identify common flaws.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.2",
      "ao_id": "TDA-09.2_A02",
      "objective": "the developer of the system, system component or system service is required to employ static code analysis tools to document the results of the analysis.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.3",
      "ao_id": "TDA-09.3_A01",
      "objective": "the developer of the system, system component or system service is required to employ dynamic code analysis tools to identify common flaws.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(08)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.3",
      "ao_id": "TDA-09.3_A02",
      "objective": "the developer of the system, system component or system service is required to document the results of the analysis.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(08)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.4",
      "ao_id": "TDA-09.4_A01",
      "objective": "the developer of the system, system component, or system service is required to perform testing to ensure it continues to operate as intended when subject to invalid or unexpected inputs on its interfaces.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.5",
      "ao_id": "TDA-09.5_A01",
      "objective": "the developer of the system, system component, or system service is required to perform penetration testing per an organization-defined breadth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.5",
      "ao_id": "TDA-09.5_A02",
      "objective": "the developer of the system, system component, or system service is required to perform penetration testing per an organization-defined depth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.5",
      "ao_id": "TDA-09.5_A03",
      "objective": "the developer of the system, system component, or system service is required to perform penetration testing under organization-defined constraints.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.5",
      "ao_id": "TDA-09.5_A04",
      "objective": "the developer of the system, system component or system service is required to perform attack surface reviews.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.6",
      "ao_id": "TDA-09.6_A01",
      "objective": "default secure configuration settings reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.7",
      "ao_id": "TDA-09.7_A01",
      "objective": "specific code requiring manual code review is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.7",
      "ao_id": "TDA-09.7_A02",
      "objective": "processes, procedures, and/or techniques used for manual code reviews are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(04)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-09.7",
      "ao_id": "TDA-09.7_A03",
      "objective": "the developer of the system, system component, or system service is required to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-10",
      "ao_id": "TDA-10_A01",
      "objective": "the use of live data in pre-production environments is approved for the system, system component or system service.",
      "pptdf": "Data",
      "origin": "53A_R5_SA-03(02)a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-10",
      "ao_id": "TDA-10_A02",
      "objective": "the use of live data in pre-production environments is documented for the system, system component or system service.",
      "pptdf": "Data",
      "origin": "53A_R5_SA-03(02)a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-10",
      "ao_id": "TDA-10_A03",
      "objective": "the use of live data in pre-production environments is controlled for the system, system component or system service.",
      "pptdf": "Data",
      "origin": "53A_R5_SA-03(02)a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-10",
      "ao_id": "TDA-10_A04",
      "objective": "pre-production environments for the system, system component or system service are protected at the same impact or classification level as any live data in use within the pre-production environments.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-03(02)b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-10.1",
      "ao_id": "TDA-10.1_A01",
      "objective": "the integrity of test data is ensured through existing cybersecurity / data privacy controls.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A01",
      "objective": "controls to validate that the system or system component received is genuine are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(03)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A02",
      "objective": "controls to validate that the system or system component received has not been altered are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(03)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A03",
      "objective": "controls are employed to validate that the system or system component received is genuine.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-04(03)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A04",
      "objective": "controls are employed to validate that the system or system component received has not been altered.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-04(03)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A05",
      "objective": "controls employed to ensure that the integrity of the system and system component are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(04)_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A06",
      "objective": "an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products and services to ensure the integrity of the system and system component is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(04)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A07",
      "objective": "controls are employed to ensure the integrity of the system and system components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-04(04)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A08",
      "objective": "analysis method is conducted to ensure the integrity of the system and system components.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-04(04)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A09",
      "objective": "systems or system components that require inspection are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-10_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A10",
      "objective": "frequency at which to inspect systems or system components is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-10_ODP[02]\n53A_R5_SR-10_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least every 12 months, or when there are significant\nincidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A11",
      "objective": "indications of the need for an inspection of systems or system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-10_ODP[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A12",
      "objective": "systems or system components are inspected to detect tampering.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-10",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A13",
      "objective": "external reporting organizations to whom counterfeit system components are to be reported is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11_ODP[01]\n53A_R5_SR-11_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A14",
      "objective": "personnel or roles to whom counterfeit system components are to be reported is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A15",
      "objective": "anti-counterfeit procedures are developed and implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A16",
      "objective": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11a.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A17",
      "objective": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11a.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A18",
      "objective": "counterfeit system components are reported per organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A19",
      "objective": "the frequency at which to scan for counterfeit system components is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11(03)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11",
      "ao_id": "TDA-11_A20",
      "objective": "scanning for counterfeit system components is conducted per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11(03)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "continuous",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11.1",
      "ao_id": "TDA-11.1_A01",
      "objective": "personnel or roles requiring training to detect counterfeit system components (including hardware, software and firmware) is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11.1",
      "ao_id": "TDA-11.1_A02",
      "objective": "personnel or roles are trained to detect counterfeit system components (including hardware, software and firmware).",
      "pptdf": "Process",
      "origin": "53A_R5_SR-11(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-11.2",
      "ao_id": "TDA-11.2_A01",
      "objective": "N/A [deprecated – incorporated into AST-09]",
      "pptdf": "N/A",
      "origin": "N/A",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-12",
      "ao_id": "TDA-12_A01",
      "objective": "suppliers of critical or mission-essential technologies, products and services are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-12",
      "ao_id": "TDA-12_A02",
      "objective": "suppliers of critical or mission-essential technologies, products and services are prioritized.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-12",
      "ao_id": "TDA-12_A03",
      "objective": "suppliers of critical or mission-essential technologies, products and services are assessed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-12",
      "ao_id": "TDA-12_A04",
      "objective": "critical system components to be reimplemented or custom-developed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-20_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-12",
      "ao_id": "TDA-12_A05",
      "objective": "critical systems are reimplemented or custom-developed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-20",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-12",
      "ao_id": "TDA-12_A06",
      "objective": "systems or system components supporting mission-essential services or functions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-23_ODP[01]\n53A_R5_SA-23_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-12",
      "ao_id": "TDA-12_A07",
      "objective": "organization-defined criteria are employed on systems or system components supporting essential services or functions to increase the trustworthiness in those systems or components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SA-23",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-13",
      "ao_id": "TDA-13_A01",
      "objective": "the system, systems component or system service that the developer has access to is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-21_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-13",
      "ao_id": "TDA-13_A02",
      "objective": "official duties assigned to the developer are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-21_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-13",
      "ao_id": "TDA-13_A03",
      "objective": "additional personnel screening criteria for the developer are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-21_ODP[03]\n172A_3.9.1e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A01",
      "objective": "the developer of system, systems component or system service is required to have appropriate access authorizations as determined by assigned official duties.",
      "pptdf": "People",
      "origin": "53A_R5_SA-21a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A02",
      "objective": "configuration items under configuration management are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10_ODP[01]\n53A_R5_SA-10_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A03",
      "objective": "personnel to whom security flaws and flaw resolutions within the system, component or service are reported is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A04",
      "objective": "the developer of the system, system component or system service is required to perform configuration management during system, component or service per organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "development, implementation, AND operation",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A05",
      "objective": "the developer of the system, system component or system service is required to document the integrity of changes to configuration items.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A06",
      "objective": "the developer of the system, system component or system service is required to manage the integrity of changes to configuration items.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A07",
      "objective": "the developer of the system, system component or system service is required to control the integrity of changes to configuration items.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A08",
      "objective": "the developer of the system, system component or system service is required to implement only organization-approved changes to the system, component or service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A09",
      "objective": "the developer of the system, system component or system service is required to document approved changes to the system, component or service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10d.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A10",
      "objective": "the developer of the system, system component or system service is required to document the potential security impacts of approved changes.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10d.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A11",
      "objective": "the developer of the system, system component or system service is required to document the potential privacy impacts of approved changes.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10d.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A12",
      "objective": "the developer of the system, system component or system service is required to track security flaws within the system, component or service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10e.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A13",
      "objective": "the developer of the system, system component or system service is required to track security flaw resolutions within the system, component or service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10e.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A14",
      "objective": "the developer of the system, system component or system service is required to report findings to personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10e.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A15",
      "objective": "an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10(02)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A16",
      "objective": "the frequency with which to reassess individual positions and access to sensitive / regulated data is defined.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e_ODP[2]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A17",
      "objective": "individuals that require enhanced personnel screening are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A18",
      "objective": "positions that require access to sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A19",
      "objective": "organization-defined enhanced personnel screening is conducted for individuals.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-21b.\n172A_3.9.1e_ODP[1]\n172A_3.9.1e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A20",
      "objective": "individual positions and access to sensitive / regulated data is reassessed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "172A_3.9.1e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A21",
      "objective": "individuals with access to sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A22",
      "objective": "adverse information about individuals with access to sensitive / regulated data is defined.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A23",
      "objective": "organizational systems to which individuals have access are identified.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[c]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14",
      "ao_id": "TDA-14_A24",
      "objective": "mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "172A_3.9.2e[d]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14.1",
      "ao_id": "TDA-14.1_A01",
      "objective": "the developer of the system, system component or system service is required to enable integrity verification of software and firmware components.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-10(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14.2",
      "ao_id": "TDA-14.2_A01",
      "objective": "the developer of the system, system component or system service is required to enable integrity verification of hardware components.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14.2",
      "ao_id": "TDA-14.2_A02",
      "objective": "the integrity of hardware components is verified.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14.2",
      "ao_id": "TDA-14.2_A03",
      "objective": "independence criteria to be satisfied by an independent agent are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14.2",
      "ao_id": "TDA-14.2_A04",
      "objective": "an independent agent is required to satisfy organization-defined independence criteria to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(03)(a)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14.2",
      "ao_id": "TDA-14.2_A05",
      "objective": "an independent agent is required to satisfy organization-defined independence criteria to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(03)(a)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-14.2",
      "ao_id": "TDA-14.2_A06",
      "objective": "the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(03)(b)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A01",
      "objective": "information concerning impact, environment of operations, known or assumed threats and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A02",
      "objective": "the tools and methods to be employed for threat modeling and vulnerability analyses are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A03",
      "objective": "the breadth and depth of threat modeling to be conducted is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A04",
      "objective": "the breadth and depth of vulnerability analyses to be conducted is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A05",
      "objective": "acceptance criteria to be met by produced evidence for threat modeling are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)_ODP[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A06",
      "objective": "acceptance criteria to be met by produced evidence for vulnerability analyses are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)_ODP[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A07",
      "objective": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses organization-defined information.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A08",
      "objective": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses organization-defined information.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A09",
      "objective": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses organization-defined information.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(a)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A10",
      "objective": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses organization-defined information.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(a)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A11",
      "objective": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs organization-defined tools and methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(b)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A12",
      "objective": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs organization-defined tools and methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(b)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A13",
      "objective": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs organization-defined tools and methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(b)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A14",
      "objective": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs organization-defined tools and methods.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(b)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A15",
      "objective": "the developer of the system, system component, or system service is required to perform threat modeling per an organization-defined breadth and depth during development of the system, component or service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(c)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A16",
      "objective": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses per an organization-defined breadth and depth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(c)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A17",
      "objective": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets organization-defined acceptance criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(d)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A18",
      "objective": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets organization-defined acceptance criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(d)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A19",
      "objective": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets organization-defined acceptance criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(d)[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-15",
      "ao_id": "TDA-15_A20",
      "objective": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets organization-defined acceptance criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(02)(d)[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-16",
      "ao_id": "TDA-16_A01",
      "objective": "training on the correct use and operation of the implemented cybersecurity / data privacy functions, controls, and/or mechanisms provided by the developer of the system, system component or system service is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-16_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-16",
      "ao_id": "TDA-16_A02",
      "objective": "the developer of the system, system component, or system service is required to provide training on the correct use and operation of the implemented cybersecurity / data privacy functions, controls, and/or mechanisms.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-16",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-17",
      "ao_id": "TDA-17_A01",
      "objective": "support from external providers is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-22_ODP[01]\n53A_R5_SA-22_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-17",
      "ao_id": "TDA-17_A02",
      "objective": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-22a.\n171A_R3_A.03.16.02.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-17.1",
      "ao_id": "TDA-17.1_A01",
      "objective": "options for risk mitigation or alternative sources for continued support for unsupported components that cannot be replaced are provided.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-22b.\n171A_R3_A.03.16.02.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-18",
      "ao_id": "TDA-18_A01",
      "objective": "information inputs to the system requiring validity checks are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-10_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-18",
      "ao_id": "TDA-18_A02",
      "objective": "the validity of the organization-defined information inputs is checked.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-10",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-18",
      "ao_id": "TDA-18_A03",
      "objective": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.",
      "pptdf": "Technology",
      "origin": "53A_R5_AC-03",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-19",
      "ao_id": "TDA-19_A01",
      "objective": "personnel or roles to whom error messages are to be revealed is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-11_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-19",
      "ao_id": "TDA-19_A02",
      "objective": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-11a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-19",
      "ao_id": "TDA-19_A03",
      "objective": "error messages are revealed only to organization-defined personnel or roles.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-11b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-20",
      "ao_id": "TDA-20_A01",
      "objective": "organization-defined criteria for security-relevant information pertaining to external system interfaces, high-level design, low-level design, source code or hardware schematics and design and implementation information are documented in a System Security Plan (SSP).",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-20",
      "ao_id": "TDA-20_A04",
      "objective": "the developer of the system, system component or system service is required to provide design and implementation information for the controls that includes the organization-defined security-relevant information at the organization-defined level of detail.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-20.1",
      "ao_id": "TDA-20.1_A01",
      "objective": "integrity verification information is published for software releases.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-20.2",
      "ao_id": "TDA-20.2_A01",
      "objective": "software releases and all of their components (e.g., code, package files, third-party libraries, documentation) are securely archived to maintain integrity verification information.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-20.3",
      "ao_id": "TDA-20.3_A01",
      "objective": "source code and supporting documentation are escrowed to ensure software availability in the event the software provider goes out of business or is unable to provide support.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-20.4",
      "ao_id": "TDA-20.4_A01",
      "objective": "approval of binaries and code for production use is governed through organizational change control processes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-21",
      "ao_id": "TDA-21_A01",
      "objective": "developed products and/or services conform to applicable statutory and regulatory requirements, based on the product's and/or service's use case(s).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-21",
      "ao_id": "TDA-21_A02",
      "objective": "developed products and/or services conform to applicable statutory and regulatory requirements, based on the product's and/or service's geographic markets.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-22",
      "ao_id": "TDA-22_A01",
      "objective": "appropriate technical documentation artifacts are generated for products and/or services in sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual compliance requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TDA-22.1",
      "ao_id": "TDA-22.1_A01",
      "objective": "a detailed cybersecurity risk assessment is included in the technical documentation for products and/or services to demonstrate applicable risks in approved use cases.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A01",
      "objective": "a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-16",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A02",
      "objective": "sources of threat intelligence are defined.",
      "pptdf": "Process",
      "origin": "172A_3.11.1e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A03",
      "objective": "a risk assessment methodology is identified.",
      "pptdf": "Process",
      "origin": "172A_3.11.1e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A04",
      "objective": "sources of threat intelligence are employed as part of a risk assessment to guide and inform the development of organizational systems and security architectures.",
      "pptdf": "Process",
      "origin": "172A_3.11.1e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A05",
      "objective": "sources of threat intelligence are employed as part of a risk assessment to guide and inform the selection of security solutions.",
      "pptdf": "Process",
      "origin": "172A_3.11.1e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A06",
      "objective": "sources of threat intelligence are employed as part of a risk assessment to guide and inform system monitoring activities.",
      "pptdf": "Process",
      "origin": "172A_3.11.1e[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A07",
      "objective": "sources of threat intelligence are employed as part of a risk assessment to guide and inform threat hunting activities.",
      "pptdf": "Process",
      "origin": "172A_3.11.1e[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A08",
      "objective": "sources of threat intelligence are employed as part of a risk assessment to guide and inform response and recovery activities.",
      "pptdf": "Process",
      "origin": "172A_3.11.1e[f]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A09",
      "objective": "contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to facilitate ongoing security education and training for organizational personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-15a.[01]\n53A_R5_PM-15a.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A10",
      "objective": "contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to maintain currency with recommended security practices, techniques and technologies.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-15b.[01]\n53A_R5_PM-15b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A11",
      "objective": "contact is established and institutionalized with selected groups and associations within the cybersecurity / data privacy community to share current security information, including threats, vulnerabilities and incidents.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-15c.[01]\n53A_R5_PM-15c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A12",
      "objective": "threat management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A13",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support threat management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A14",
      "objective": "responsibility and authority for the performance of threat management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-01",
      "ao_id": "THR-01_A15",
      "objective": "personnel performing threat management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-02",
      "ao_id": "THR-02_A01",
      "objective": "Indicators of Exposure (IOE) exist for personnel to understand the potential attack vectors that attackers could use to attack the organization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A01",
      "objective": "external organizations from whom system security alerts, advisories and directives are to be received on an ongoing basis are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05_ODP[01]\n172A_3.14.6e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A02",
      "objective": "personnel or roles to whom security alerts, advisories and directives are to be disseminated is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05_ODP[02]\n53A_R5_SI-05_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A03",
      "objective": "elements within the organization to whom security alerts, advisories and directives are to be disseminated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A04",
      "objective": "external organizations to whom security alerts, advisories and directives are to be disseminated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05_ODP[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A05",
      "objective": "system security alerts, advisories, and directives from external organizations are received on an ongoing basis.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05a.\n171A_R3_A.03.14.03.a",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A06",
      "objective": "threat indicator information is identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A07",
      "objective": "effective mitigations are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A08",
      "objective": "intrusion detection approaches are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A09",
      "objective": "threat hunting activities are identified.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e[d]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A10",
      "objective": "internal security alerts, advisories and directives are generated as deemed necessary.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A11",
      "objective": "security alerts, advisories and directives are disseminated per organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "to include system security personnel and administrators with configuration/patch-management responsibilities",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A12",
      "objective": "security directives are implemented in accordance with established time frames, or the issuing organization is notified of the degree of noncompliance.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03_A13",
      "objective": "external organizations from which to obtain threat indicator information and effective mitigations are defined.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e_ODP[1]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03.1",
      "ao_id": "THR-03.1_A01",
      "objective": "internal security alerts, advisories, and directives are generated, as necessary.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.14.03.b[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03.1",
      "ao_id": "THR-03.1_A02",
      "objective": "internal security alerts, advisories, and directives are disseminated, as necessary.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.14.03.b[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03.1_A03",
      "objective": "automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-05(01)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03.1_A04",
      "objective": "automated mechanisms are used to broadcast security alerts and advisory information throughout the organization.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-05(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-03",
      "ao_id": "THR-03.1_A05",
      "objective": "automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information.",
      "pptdf": "Technology",
      "origin": "53A_R5_PM-16(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-04",
      "ao_id": "THR-04_A01",
      "objective": "an insider threat program that includes a cross-discipline insider threat incident handling team is implemented.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-12",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-04",
      "ao_id": "THR-04_A02",
      "objective": "threat indicator information and effective mitigations obtained from external organizations are used to guide and inform intrusion detection and threat hunting.",
      "pptdf": "Process",
      "origin": "172A_3.14.6e[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-05",
      "ao_id": "THR-05_A01",
      "objective": "potential indicators associated with insider threats are identified.",
      "pptdf": "Process",
      "origin": "171A_3.2.3[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-05",
      "ao_id": "THR-05_A02",
      "objective": "security literacy training is provided to system users on recognizing indicators of insider threat.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.02.01.a.03[01]\n53A_R5_AT-02(02)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-05",
      "ao_id": "THR-05_A03",
      "objective": "security literacy training is provided to system users on reporting indicators of insider threat.",
      "pptdf": "People",
      "origin": "171A_R3_A.03.02.01.a.03[02]\n53A_R5_AT-02(02)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-05",
      "ao_id": "THR-05_A04",
      "objective": "security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.",
      "pptdf": "People",
      "origin": "171A_3.2.3[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-06",
      "ao_id": "THR-06_A01",
      "objective": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(11)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-06.1",
      "ao_id": "THR-06.1_A01",
      "objective": "a process to enable public submissions of discovered or potential security vulnerabilities is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-06.1",
      "ao_id": "THR-06.1_A02",
      "objective": "a process to receive public submissions of discovered or potential security vulnerabilities is implemented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A01",
      "objective": "a cyber threat capability is established and maintained to search for Indicators of Compromise (IOC) in organizational systems.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-10a.01",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A02",
      "objective": "a cyber threat capability is established and maintained to detect, track and disrupt threats that evade existing controls.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-10a.02",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A03",
      "objective": "cyber threat hunting activities are conducted according to an organization-defined frequency and/or organization-defined event to detect, track and disrupt threats that evade existing controls.",
      "pptdf": "Process",
      "origin": "172A_3.11.2e[b]\n172A_3.11.2e[c]\n53A_R5_RA-10b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A04",
      "objective": "sensors and monitoring capabilities to be relocated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-48_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A05",
      "objective": "locations to where sensors and monitoring capabilities are to be relocated are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-48_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A06",
      "objective": "conditions or circumstances for relocating sensors and monitoring capabilities are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-48_ODP[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A07",
      "objective": "sensors and monitoring capabilities are relocated to locations under organization-defined conditions or circumstances.",
      "pptdf": "Process",
      "origin": "53A_R5_SC-48",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A08",
      "objective": "Indicators of Compromise (IOC) are defined.",
      "pptdf": "Process",
      "origin": "172A_3.11.2e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A09",
      "objective": "organizational systems to search for Indicators of Compromise (IOC) are defined.",
      "pptdf": "Process",
      "origin": "172A_3.11.2e_ODP[4]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A10",
      "objective": "the frequency with which to conduct cyber threat hunting activities is defined.",
      "pptdf": "Process",
      "origin": "172A_3.11.2e_ODP[1]\n172A_3.11.2e_ODP[2]\n53A_R5_RA-10_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-07",
      "ao_id": "THR-07_A11",
      "objective": "the event triggering cyber threat hunting activities is defined.",
      "pptdf": "Process",
      "origin": "172A_3.11.2e_ODP[3]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-08",
      "ao_id": "THR-08_A01",
      "objective": "the systems or system components with data or capabilities to be embedded are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-20_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-08",
      "ao_id": "THR-08_A02",
      "objective": "data or capabilities are embedded in systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-20",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-09",
      "ao_id": "THR-09_A01",
      "objective": "the organization maintains a threat catalog that documents applicable internal and external threats that are specific to the organization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-09",
      "ao_id": "THR-09_A02",
      "objective": "the threat catalog documents both natural and manmade threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-09",
      "ao_id": "THR-09_A03",
      "objective": "on at least an annual basis, a threat assessment is performed to identify and assess applicable internal and external threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-09",
      "ao_id": "THR-09_A04",
      "objective": "the threat catalog is updated, based on a current threat assessment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-10",
      "ao_id": "THR-10_A01",
      "objective": "on at least an annual basis, a threat assessment is performed to identify and assess applicable internal and external threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-10",
      "ao_id": "THR-10_A02",
      "objective": "a threat catalog captures applicable internal and external threats from the threat assessment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-10",
      "ao_id": "THR-10_A03",
      "objective": "each item in the threat catalog is prioritized, based on the potential threat to the organization.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-11",
      "ao_id": "THR-11_A01",
      "objective": "baselines are captured to establish behavioral baselines about user and entity behavior.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "THR-11",
      "ao_id": "THR-11_A02",
      "objective": "behavioral baselines about user and entity behavior are leveraged for dynamic threat discovery purposes.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A01",
      "objective": "security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.03.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A02",
      "objective": "cybersecurity / data privacy functional requirements, descriptions and criteria are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04a.[01]\n53A_R5_SA-04a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A03",
      "objective": "requirements for protecting cybersecurity / data privacy documentation, descriptions and criteria are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04f.[01]\n53A_R5_SA-04f.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A04",
      "objective": "strength of mechanism requirements, descriptions and criteria are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A05",
      "objective": "cybersecurity / data privacy assurance requirements, descriptions and criteria are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04c.[01]\n53A_R5_SA-04c.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A06",
      "objective": "controls needed to satisfy the cybersecurity / data privacy requirements, descriptions and criteria are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04d.[01]\n53A_R5_SA-04d.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A07",
      "objective": "cybersecurity / data privacy documentation requirements, descriptions and criteria are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04e.[01]\n53A_R5_SA-04e.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A08",
      "objective": "the description of the system development environment and environment in which the system is intended to operate, requirements and criteria are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04g.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A09",
      "objective": "the allocation of responsibility or identification of parties responsible for cybersecurity / data privacy requirements, descriptions and criteria are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04h.[01]\n53A_R5_SA-04h.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A10",
      "objective": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions and criteria are included explicitly or by reference using organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04h.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A11",
      "objective": "acceptance criteria requirements and descriptions are included explicitly or by reference using the defined contract language in the acquisition contract for the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04i.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A12",
      "objective": "contract language is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-04_ODP[01]\n53A_R5_SA-04_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A13",
      "objective": "third-party management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A14",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support third-party management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A15",
      "objective": "responsibility and authority for the performance of third-party management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01",
      "ao_id": "TPM-01_A16",
      "objective": "personnel performing third-party management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-01.1",
      "ao_id": "TPM-01.1_A01",
      "objective": "a current, accurate and complete list of Third-Party Service Providers (TSP) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data is maintained.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-02",
      "ao_id": "TPM-02_A01",
      "objective": "systems, system components or system services to be analyzed for criticality are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-09_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-02",
      "ao_id": "TPM-02_A02",
      "objective": "decision points in the system development life cycle when a criticality analysis is to be performed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-09_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-02",
      "ao_id": "TPM-02_A03",
      "objective": "critical system components and functions are identified by performing a criticality analysis for systems, system components or system services at decision points in the system development life cycle.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-02",
      "ao_id": "TPM-02_A04",
      "objective": "suppliers of critical or mission-essential technologies, products and services are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-02",
      "ao_id": "TPM-02_A05",
      "objective": "suppliers of critical or mission-essential technologies, products and services are prioritized.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-02",
      "ao_id": "TPM-02_A06",
      "objective": "suppliers of critical or mission-essential technologies, products and services are assessed.",
      "pptdf": "Process",
      "origin": "53A_R5_PM-30(01)[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A01",
      "objective": "the personnel, roles and responsibilities of the supply chain risk management team are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A02",
      "objective": "supply chain risk management activities are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A03",
      "objective": "a supply chain risk management team consisting of personnel, roles and responsibilities is established to lead and support supply chain risk management activities.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A04",
      "objective": "the supply chain risk management plan addresses risks associated with the research and development of systems, system components or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A05",
      "objective": "the supply chain risk management plan addresses risks associated with the design of systems, system components or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A06",
      "objective": "the supply chain risk management plan addresses risks associated with the manufacturing of systems, system components or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A07",
      "objective": "the supply chain risk management plan addresses risks associated with the acquisition of systems, system components or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A08",
      "objective": "the supply chain risk management plan addresses risks associated with the delivery of systems, system components or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[06]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A09",
      "objective": "the supply chain risk management plan addresses risks associated with the integration of systems, system components or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[07]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A10",
      "objective": "the supply chain risk management plan addresses risks associated with the operation and maintenance of systems, system components or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[08]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A11",
      "objective": "the supply chain risk management plan addresses risks associated with the disposal of systems, system components or system services.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[09]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A12",
      "objective": "systems, system components or system services for which a supply chain risk management plan is developed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02_ODP[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A13",
      "objective": "the frequency at which to review / update the supply chain risk management plan is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A14",
      "objective": "a plan for managing supply chain risks is developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02a.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A15",
      "objective": "the supply chain risk management plan is reviewed / updated frequently or as required to address threat, organizational or environmental changes.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-02b.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A16",
      "objective": "the supply chain risk management plan is protected from unauthorized disclosure.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-02c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03",
      "ao_id": "TPM-03_A17",
      "objective": "the supply chain risk management plan is protected from unauthorized modification.",
      "pptdf": "Technology",
      "origin": "53A_R5_SR-02c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.1",
      "ao_id": "TPM-03.1_A01",
      "objective": "acquisition strategies, contract tools and procurement methods to protect against, identify and mitigate supply chain risks are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-05_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.1",
      "ao_id": "TPM-03.1_A02",
      "objective": "acquisition strategies, contract tools, and procurement methods to protect against, identify and mitigate supply chain risks are developed.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-05[01]\n53A_R5_SR-05[02]\n53A_R5_SR-05[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.1",
      "ao_id": "TPM-03.1_A03",
      "objective": "acquisition strategies, contract tools, and procurement methods are developed to identify supply chain risks.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.02[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.1",
      "ao_id": "TPM-03.1_A04",
      "objective": "acquisition strategies, contract tools, and procurement methods are developed to protect against supply chain risks.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.02[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.1",
      "ao_id": "TPM-03.1_A05",
      "objective": "acquisition strategies, contract tools, and procurement methods are developed to mitigate supply chain risks.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.02[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.2",
      "ao_id": "TPM-03.2_A01",
      "objective": "controls to limit harm from potential supply chain adversaries are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.2",
      "ao_id": "TPM-03.2_A02",
      "objective": "controls are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.3",
      "ao_id": "TPM-03.3_A01",
      "objective": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.3",
      "ao_id": "TPM-03.3_A02",
      "objective": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.3",
      "ao_id": "TPM-03.3_A03",
      "objective": "supply chain controls employed to protect against supply chain risks to the system, system component or system service and to limit the harm or consequences from supply chain-related events are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.3",
      "ao_id": "TPM-03.3_A04",
      "objective": "the document identifying the selected and implemented supply chain processes and controls is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03_ODP[04]\n53A_R5_SR-03_ODP[05]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.3",
      "ao_id": "TPM-03.3_A05",
      "objective": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of the system or system component.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.3",
      "ao_id": "TPM-03.3_A06",
      "objective": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of the system or system component is/are coordinated with supply chain personnel.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.3",
      "ao_id": "TPM-03.3_A07",
      "objective": "supply chain controls are employed to protect against supply chain risks to the system, system component or system service and to limit the harm or consequences from supply chain-related events.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.3",
      "ao_id": "TPM-03.3_A08",
      "objective": "the selected and implemented supply chain processes and controls are documented in accordance with organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.4",
      "ao_id": "TPM-03.4_A01",
      "objective": "controls to ensure an adequate supply of critical system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-05(01)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.4",
      "ao_id": "TPM-03.4_A02",
      "objective": "critical system components of which an adequate supply is required are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-05(01)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-03.4",
      "ao_id": "TPM-03.4_A03",
      "objective": "controls are employed to ensure an adequate supply of critical system components.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-05(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04",
      "ao_id": "TPM-04_A01",
      "objective": "controls to be employed by external system service providers are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04",
      "ao_id": "TPM-04_A02",
      "objective": "processes, methods and techniques employed to monitor control compliance by external service providers are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04",
      "ao_id": "TPM-04_A03",
      "objective": "providers of external system services comply with organizational cybersecurity / data privacy requirements.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09a.[01]\n53A_R5_SA-09a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04",
      "ao_id": "TPM-04_A04",
      "objective": "providers of external system services employ the defined controls.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04",
      "ao_id": "TPM-04_A05",
      "objective": "organizational oversight with regard to external system services is defined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04",
      "ao_id": "TPM-04_A06",
      "objective": "user roles and responsibilities with regard to external system services are defined and documented.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04",
      "ao_id": "TPM-04_A07",
      "objective": "processes, methods and techniques are employed to monitor control compliance by external service providers on an ongoing basis.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09c.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.1",
      "ao_id": "TPM-04.1_A01",
      "objective": "personnel or roles that approve the acquisition or outsourcing of dedicated cybersecurity services is/are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(01)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.1",
      "ao_id": "TPM-04.1_A02",
      "objective": "an organizational assessment of risk is conducted prior to the acquisition or outsourcing of cybersecurity services.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(01)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.1",
      "ao_id": "TPM-04.1_A03",
      "objective": "personnel or roles approve the acquisition or outsourcing of dedicated cybersecurity services.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(01)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.1",
      "ao_id": "TPM-04.1_A04",
      "objective": "a process for identifying weaknesses or deficiencies in the supply chain elements and processes is established.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.17.03.a[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.2",
      "ao_id": "TPM-04.2_A01",
      "objective": "external system services that require the identification of functions, ports, protocols and other services are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.2",
      "ao_id": "TPM-04.2_A02",
      "objective": "providers of external system services are required to identify the functions, ports, protocols and other services required for the use of such services.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.3",
      "ao_id": "TPM-04.3_A01",
      "objective": "external service providers are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(04)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.3",
      "ao_id": "TPM-04.3_A02",
      "objective": "actions to be taken to verify that the interests of external service providers are consistent with and reflect organizational interests are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(04)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.3",
      "ao_id": "TPM-04.3_A03",
      "objective": "actions are taken to verify that the interests of external service providers are consistent with and reflect organizational interests.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.4",
      "ao_id": "TPM-04.4_A01",
      "objective": "locations where information processing and data storage is/are to be restricted are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)_ODP[01]\n53A_R5_SA-09(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "information processing, information or data, AND system services",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.4",
      "ao_id": "TPM-04.4_A02",
      "objective": "requirements or conditions for restricting the location of information processing, information storage or information services are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.4",
      "ao_id": "TPM-04.4_A03",
      "objective": "based on requirements, information processing, information storage or information services is/are restricted to locations.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-09(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.4",
      "ao_id": "TPM-04.4_A04",
      "objective": "the location or site of the facility where the system resides is planned considering physical and environmental hazards.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23a.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-04.4",
      "ao_id": "TPM-04.4_A05",
      "objective": "for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.",
      "pptdf": "Facility",
      "origin": "53A_R5_PE-23b.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05",
      "ao_id": "TPM-05_A01",
      "objective": "legally-binding contracts are executed to enforce cybersecurity / data privacy requirements by third-parties.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05",
      "ao_id": "TPM-05_A02",
      "objective": "before sharing sensitive / regulated data, Non-Disclosure Agreements (NDAs) are executed with third parties.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05",
      "ao_id": "TPM-05_A03",
      "objective": "security requirements to be satisfied by external system service providers are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.03.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05",
      "ao_id": "TPM-05_A04",
      "objective": "the providers of external system services used for the processing, storage, or transmission of sensitive / regulated data comply with organization-defined security requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05",
      "ao_id": "TPM-05_A05",
      "objective": "the providers of external system services used for the processing, storage, or transmission of CUI comply with the following security requirements: <A.03.16.03.ODP[01]: security requirements>.",
      "pptdf": "Data",
      "origin": "171A_R3_A.03.16.03.a",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "SDP values: \n(1) For cloud service providers:\n  (i) FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or\n  (ii) meets security requirements established by the government equivalent to the FedRAMP Moderate (or higher) baseline.\n(2) All other external service providers must meet NIST SP 800-171 R2.",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.1",
      "ao_id": "TPM-05.1_A01",
      "objective": "security requirements to be satisfied by external system service providers are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-08_ODP[01]\n53A_R5_SR-08_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "notification of supply chain compromises and results of assessment or audits",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.1",
      "ao_id": "TPM-05.1_A02",
      "objective": "agreements and procedures are established with entities involved in the supply chain for the system, system components or system service per organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-08",
      "assessment_rigor": "1",
      "scf_defined_parameters": "notification of supply chain compromises and results of assessment or audits",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.1",
      "ao_id": "TPM-05.1_A03",
      "objective": "External Service Providers (ESPs) are contractually obligated to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.2",
      "ao_id": "TPM-05.2_A01",
      "objective": "the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-03(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.2",
      "ao_id": "TPM-05.2_A02",
      "objective": "security requirements to be satisfied by external system service providers are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.03.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.3",
      "ao_id": "TPM-05.3_A01",
      "objective": "Third-Party Service Providers (TSP) are obligated to use unique authentication factors for each of their customers.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.4",
      "ao_id": "TPM-05.4_A01",
      "objective": "a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, delineates assignment for cybersecurity / data privacy controls between internal stakeholders and Third-Party Service Providers (TSP).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.4",
      "ao_id": "TPM-05.4_A02",
      "objective": "user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers, are defined and documented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.03.b",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.5",
      "ao_id": "TPM-05.5_A01",
      "objective": "recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, is performed to ensure cybersecurity / data privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.5",
      "ao_id": "TPM-05.5_A02",
      "objective": "processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.03.c",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.6",
      "ao_id": "TPM-05.6_A01",
      "objective": "a First-Party Declaration (1PD) is obtained from applicable Third-Party Service Providers (TSP) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity / data privacy controls, including any flow-down requirements to subcontractors.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.6",
      "ao_id": "TPM-05.6_A02",
      "objective": "processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.03.c",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.7",
      "ao_id": "TPM-05.7_A01",
      "objective": "contracts with third-parties include \"break clauses\" to enable the organization to exit a contract due to a third-party's non-compliance with contract requirements for cybersecurity / data privacy controls.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.8",
      "ao_id": "TPM-05.8_A01",
      "objective": "statutory, regulatory and/or contractual obligations requiring a conformity assessment by an independent Third-Party Assessment Organization (3PAO) are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.8",
      "ao_id": "TPM-05.8_A02",
      "objective": "a current and passing conformity assessment by an independent Third-Party Assessment Organization (3PAO) exists for each applicable statutory, regulatory and/or contractual obligation requiring a 3PAO's attestation.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-05.8",
      "ao_id": "TPM-05.8_A03",
      "objective": "processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.03.c",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-06",
      "ao_id": "TPM-06_A01",
      "objective": "roles and responsibilities for third-party provider personnel are documented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-07",
      "ao_id": "TPM-07_A01",
      "objective": "sensitive / regulated data flows identify information shared with third-parties.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-07",
      "ao_id": "TPM-07_A02",
      "objective": "mechanisms are used to look for unauthorized exfiltration or disclosure of sensitive / regulated data that is shared with third-parties.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-08",
      "ao_id": "TPM-08_A01",
      "objective": "the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components or system services they provide is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-06_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-08",
      "ao_id": "TPM-08_A02",
      "objective": "the supply chain-related risks associated with suppliers or contractors and the systems, system components or system services they provide are assessed and reviewed per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-08",
      "ao_id": "TPM-08_A03",
      "objective": "supply chain elements, processes and actors to be analyzed and tested are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-06(01)_ODP[01]\n53A_R5_SR-06(01)_ODP[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-08",
      "ao_id": "TPM-08_A04",
      "objective": "organization-defined mechanisms are employed on supply chain elements, processes and actors associated with the system, system component or system service.",
      "pptdf": "Process",
      "origin": "53A_R5_SR-06(01)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-08",
      "ao_id": "TPM-08_A05",
      "objective": "processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis are implemented.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.16.03.c",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-09",
      "ao_id": "TPM-09_A01",
      "objective": "weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements are remediated.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-10",
      "ao_id": "TPM-10_A01",
      "objective": "affected third-parties are identified through change control practices.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-10",
      "ao_id": "TPM-10_A02",
      "objective": "provided services are assessed for impact from proposed changes.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-10",
      "ao_id": "TPM-10_A03",
      "objective": "recurring reviews are performed of third-party provided services against existing contract requirements.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-10",
      "ao_id": "TPM-10_A04",
      "objective": "discrepancies in services provided and/or geolocation of provided services are evaluated for impact to the organization's operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-11",
      "ao_id": "TPM-11_A01",
      "objective": "incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.",
      "pptdf": "Process",
      "origin": "53A_R5_IR-04(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-12",
      "ao_id": "TPM-12_A01",
      "objective": "a process to minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-12",
      "ao_id": "TPM-12_A02",
      "objective": "Supply Chain Risk Management (SCRM) practices exist to minimize risk associated with FOCI.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-12.1",
      "ao_id": "TPM-12.1_A01",
      "objective": "External Service Providers (ESP) are periodically reviewed for changes that affect Foreign Ownership, Control or Influence (FOCI).",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-12.2",
      "ao_id": "TPM-12.2_A01",
      "objective": "contracts with third-parties contractually impose safeguards (e.g., additional controls, access modification, contract termination, etc.) from Foreign Ownership, Control or Influence (FOCI) concerns to ensure that unauthorized access to sensitive and/or regulated data is prevented.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "TPM-12.2",
      "ao_id": "TPM-12.2_A02",
      "objective": "contracts with third-parties contractually impose safeguards (e.g., additional controls, access modification, contract termination, etc.) from FOCI concerns to ensure that performance of contracts is not adversely affected.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A01",
      "objective": "an organization-wide vulnerability and patch management program is developed and implemented to proactively identify and remediate vulnerabilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A02",
      "objective": "the time within which to identify system flaws is specified.",
      "pptdf": "Process",
      "origin": "171A_3.14.1[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A03",
      "objective": "system flaws are identified within the specified time frame.",
      "pptdf": "Process",
      "origin": "171A_3.14.1[b]\n53A_R5_SI-02a.[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A04",
      "objective": "the time within which to report system flaws is specified.",
      "pptdf": "Process",
      "origin": "171A_3.14.1[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A05",
      "objective": "system flaws are reported within the specified time frame.",
      "pptdf": "Process",
      "origin": "171A_3.14.1[d]\n53A_R5_SI-02a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A06",
      "objective": "the time within which to correct system flaws is specified.",
      "pptdf": "Process",
      "origin": "171A_3.14.1[e]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A07",
      "objective": "system flaws are corrected within the specified time frame.",
      "pptdf": "Process",
      "origin": "171A_3.14.1[f]\n53A_R5_SI-02a.[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A08",
      "objective": "time period within which to install security-relevant software updates after the release of the updates is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A09",
      "objective": "software updates related to flaw remediation are tested for effectiveness before installation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A10",
      "objective": "software updates related to flaw remediation are tested for potential side effects before installation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A11",
      "objective": "firmware updates related to flaw remediation are tested for effectiveness before installation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A12",
      "objective": "firmware updates related to flaw remediation are tested for potential side effects before installation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02b.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A13",
      "objective": "security-relevant software updates are installed within an organization-defined time period of the release of the updates.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "within thirty (30) days of release of updates",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A14",
      "objective": "security-relevant firmware updates are installed within an organization-defined time period of the release of the updates.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "within thirty (30) days of release of updates",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A15",
      "objective": "flaw remediation is incorporated into the organizational configuration management process.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A16",
      "objective": "response times to remediate system vulnerabilities are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.ODP[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A17",
      "objective": "vulnerability & patch management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A18",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support vulnerability & patch management operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A19",
      "objective": "responsibility and authority for the performance of vulnerability & patch management-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01",
      "ao_id": "VPM-01_A20",
      "objective": "personnel performing vulnerability & patch management-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A01",
      "objective": "the breadth of testing and evaluation of required controls is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(07)_ODP[01]\n172A_3.14.3e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A02",
      "objective": "the depth of testing and evaluation of required controls is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(07)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A03",
      "objective": "system, applications and services are monitored for vulnerabilities per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A04",
      "objective": "systems and system components are included in the scope of the specified enhanced security requirements.",
      "pptdf": "Process",
      "origin": "172A_3.14.3e[a]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A05",
      "objective": "systems and system components that are not included in the scope of the specified enhanced security requirements are segregated in purpose-specific networks.",
      "pptdf": "Technology",
      "origin": "172A_3.14.3e[b]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A06",
      "objective": "the developer of the system, system component or system service is required to perform attack surface reviews.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(06)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A07",
      "objective": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets an organization-defined breadth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(07)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A08",
      "objective": "the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at an organization-defined depth.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(07)[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-01.1",
      "ao_id": "VPM-01.1_A09",
      "objective": "the system is monitored for vulnerabilities <A.03.11.02.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.a[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least monthly, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-02",
      "ao_id": "VPM-02_A01",
      "objective": "vulnerabilities are identified.",
      "pptdf": "Process",
      "origin": "171A_3.11.3[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-02",
      "ao_id": "VPM-02_A02",
      "objective": "response times to remediate system vulnerabilities are defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-02",
      "ao_id": "VPM-02_A03",
      "objective": "vulnerabilities are remediated in accordance with risk assessments.",
      "pptdf": "Process",
      "origin": "171A_3.11.3[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-03",
      "ao_id": "VPM-03_A01",
      "objective": "a risk ranking methodology is utilized to prioritize newly discovered security vulnerabilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-03.1",
      "ao_id": "VPM-03.1_A01",
      "objective": "on at least an annual basis, a threat assessment is performed to identify and assess applicable internal and external threats.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-03.1",
      "ao_id": "VPM-03.1_A02",
      "objective": "a threat catalog captures applicable internal and external threats from the threat assessment.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-03.1",
      "ao_id": "VPM-03.1_A03",
      "objective": "the scope of Attack Surface Management (ASM) is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-03.1",
      "ao_id": "VPM-03.1_A04",
      "objective": "vulnerability scanning activities are performed against the scope of ASM to identify applicable vulnerabilities.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-03.1",
      "ao_id": "VPM-03.1_A05",
      "objective": "the organization documents the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-03.1",
      "ao_id": "VPM-03.1_A06",
      "objective": "each item in the threat catalog is prioritized, based on potential impact(s) and likelihood(s) of applicable internal and external threats exploiting identified vulnerabilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04",
      "ao_id": "VPM-04_A01",
      "objective": "sources of new threats and vulnerabilities are defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04",
      "ao_id": "VPM-04_A02",
      "objective": "a time period is defined to seek out new, applicable threats and vulnerabilities.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04",
      "ao_id": "VPM-04_A03",
      "objective": "a capability exists to respond to new threats and vulnerabilities on an ongoing basis.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04",
      "ao_id": "VPM-04_A04",
      "objective": "system vulnerabilities are remediated within organization-defined response times.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04",
      "ao_id": "VPM-04_A05",
      "objective": "system vulnerabilities are remediated within <A.03.11.02.ODP[03]: response times>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "thirty (30) days from date of discovery for high-risk vulnerabilities (including both critical and high); 90 days from date of discovery for moderate-risk vulnerabilities; and 180 days from date of discovery for low-risk vulnerabilities",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04.1",
      "ao_id": "VPM-04.1_A01",
      "objective": "the latest stable version of software and/or security-related updates is installed on applicable systems.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04.2",
      "ao_id": "VPM-04.2_A01",
      "objective": "flaws related to the collection, usage, processing or dissemination of Personal Data (PD) are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04.2",
      "ao_id": "VPM-04.2_A02",
      "objective": "flaws related to the collection, usage, processing or dissemination of Personal Data (PD) are corrected.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04.3",
      "ao_id": "VPM-04.3_A01",
      "objective": "criteria are defined to justify the deferral of software and/or firmware patches.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-04.3",
      "ao_id": "VPM-04.3_A02",
      "objective": "the deferral of software and/or firmware patches is facilitated when the disadvantages of applying the patch outweigh the benefits, based on organization-defined criteria.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A01",
      "objective": "the time period within which to install security-relevant software updates after the release of the updates is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02_ODP\n171A_R3_A.03.14.01.ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A02",
      "objective": "system flaws are identified.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02a.[01]\n171A_R3_A.03.14.01.a[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A03",
      "objective": "automated patch management tools are employed to facilitate flaw remediation to components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A04",
      "objective": "system flaws are corrected.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02a.[03]\n171A_R3_A.03.14.01.a[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A05",
      "objective": "system flaws are reported.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02a.[02]\n171A_R3_A.03.14.01.a[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A06",
      "objective": "software updates related to flaw remediation are tested for effectiveness before installation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02b.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A07",
      "objective": "software updates related to flaw remediation are tested for potential side effects before installation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02b.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A08",
      "objective": "firmware updates related to flaw remediation are tested for effectiveness before installation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02b.[03]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A09",
      "objective": "firmware updates related to flaw remediation are tested for potential side effects before installation.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02b.[04]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A10",
      "objective": "security-relevant software updates are installed within an organization-defined time period of the release of the updates.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02c.[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "within thirty (30) days of release of updates",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A11",
      "objective": "security-relevant firmware updates are installed within an organization-defined time period of the release of the updates.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02c.[02]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "within thirty (30) days of release of updates",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A12",
      "objective": "flaw remediation is incorporated into the organizational configuration management process.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A13",
      "objective": "the system components requiring automated patch management tools to facilitate flaw remediation are defined.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02(04)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A14",
      "objective": "the time period within which to install security-relevant firmware updates after the release of the updates is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.14.01.ODP[02]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A15",
      "objective": "system vulnerabilities are remediated within <A.03.11.02.ODP[03]: response times>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.b",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "thirty (30) days from date of discovery for high-risk vulnerabilities (including both critical and high); 90 days from date of discovery for moderate-risk vulnerabilities; and 180 days from date of discovery for low-risk vulnerabilities",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A16",
      "objective": "security-relevant software updates are installed within <A.03.14.01.ODP[01]: time period> of the release of the updates.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.01.b[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "thirty (30) days for high-risk flaws (including both critical and high), 90 days for moderate-risk flaws, and 180 days for low-risk flaws",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05",
      "ao_id": "VPM-05_A17",
      "objective": "security-relevant firmware updates are installed within <A.03.14.01.ODP[02]: time period> of the release of the updates.",
      "pptdf": "Technology",
      "origin": "171A_R3_A.03.14.01.b[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "thirty (30) days for high-risk flaws (including both critical and high), 90 days for moderate-risk flaws, and 180 days for low-risk flaws",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.1",
      "ao_id": "VPM-05.1_A01",
      "objective": "cybersecurity / data privacy controls and related processes to be centrally managed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-09_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.1",
      "ao_id": "VPM-05.1_A02",
      "objective": "controls and related processes are centrally managed.",
      "pptdf": "Process",
      "origin": "53A_R5_PL-09",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.1",
      "ao_id": "VPM-05.1_A03",
      "objective": "the system components requiring automated patch management tools to facilitate flaw remediation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.1",
      "ao_id": "VPM-05.1_A04",
      "objective": "automated patch management tools are employed to facilitate flaw remediation to components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.2",
      "ao_id": "VPM-05.2_A01",
      "objective": "automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(02)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.2",
      "ao_id": "VPM-05.2_A02",
      "objective": "the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(02)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.2",
      "ao_id": "VPM-05.2_A03",
      "objective": "system components have applicable security-relevant software and firmware updates installed per an organization-defined frequency using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.2",
      "ao_id": "VPM-05.2_A04",
      "objective": "the system components requiring automated patch management tools to facilitate flaw remediation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(04)_ODP",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.2",
      "ao_id": "VPM-05.2_A05",
      "objective": "automated patch management tools are employed to facilitate flaw remediation to components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02(04)",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.3",
      "ao_id": "VPM-05.3_A01",
      "objective": "the benchmarks for taking corrective actions are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(03)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.3",
      "ao_id": "VPM-05.3_A02",
      "objective": "the time between flaw identification and flaw remediation is measured.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(03)(a)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.3",
      "ao_id": "VPM-05.3_A03",
      "objective": "benchmarks for taking corrective actions have been established.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(03)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.4",
      "ao_id": "VPM-05.4_A01",
      "objective": "the system components requiring automated patch management tools to facilitate flaw remediation are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.4",
      "ao_id": "VPM-05.4_A02",
      "objective": "automated patch management tools are employed to facilitate flaw remediation to components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02(04)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.4",
      "ao_id": "VPM-05.4_A03",
      "objective": "security-relevant software and firmware updates to be automatically installed to system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.4",
      "ao_id": "VPM-05.4_A04",
      "objective": "system components requiring security-relevant software updates to be automatically installed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.4",
      "ao_id": "VPM-05.4_A05",
      "objective": "security-relevant software and firmware updates are installed automatically to system components.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.5",
      "ao_id": "VPM-05.5_A01",
      "objective": "software and firmware components to be removed after updated versions have been installed are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SI-02(06)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.5",
      "ao_id": "VPM-05.5_A02",
      "objective": "previous versions of software and firmware components are removed after updated versions have been installed.",
      "pptdf": "Technology",
      "origin": "53A_R5_SI-02(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.6",
      "ao_id": "VPM-05.6_A01",
      "objective": "a process to conduct reasonable testing of software and/or firmware patching in a non-production environment, prior to production release, is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.6",
      "ao_id": "VPM-05.6_A02",
      "objective": "prior to production release, the organization performs reasonable testing of software and/or firmware patching in a non-production environment.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.7",
      "ao_id": "VPM-05.7_A01",
      "objective": "a process to perform out-of-cycle software and/or firmware patching to address time-sensitive remediations is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.7",
      "ao_id": "VPM-05.7_A02",
      "objective": "the organization performs out-of-cycle software and/or firmware patching to address time-sensitive remediations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.8",
      "ao_id": "VPM-05.8_A01",
      "objective": "software and/or firmware patches are obtained from trusted sources.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-05.8",
      "ao_id": "VPM-05.8_A02",
      "objective": "software and/or firmware patches are checked for integrity.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A01",
      "objective": "the frequency at which the system is scanned for vulnerabilities is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05_ODP[01]\n53A_R5_RA-05_ODP[02]\n171A_3.11.2[a]\n171A_R3_A.03.11.02.ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A02",
      "objective": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A03",
      "objective": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A04",
      "objective": "vulnerability scan reports and results from vulnerability monitoring are analyzed.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05c.",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A05",
      "objective": "systems and hosted applications are scanned for vulnerabilities frequently and/or randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05a.[01]\n53A_R5_RA-05a.[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A06",
      "objective": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05b.",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A07",
      "objective": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws and improper configurations.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05b.01",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A08",
      "objective": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05b.02",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A09",
      "objective": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05b.03",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A10",
      "objective": "the system is scanned for vulnerabilities per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "171A_3.11.2[b]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A11",
      "objective": "vulnerability scans are performed on applications with the defined frequency.",
      "pptdf": "Process",
      "origin": "171A_3.11.2[c]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A12",
      "objective": "the system is monitored for vulnerabilities when new vulnerabilities that affect the system are identified.",
      "pptdf": "Process",
      "origin": "171A_3.11.2[d]\n171A_R3_A.03.11.02.a[03]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A13",
      "objective": "the system is scanned for vulnerabilities when new vulnerabilities that affect the system are identified.",
      "pptdf": "Process",
      "origin": "171A_3.11.2[e]\n171A_R3_A.03.11.02.a[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A14",
      "objective": "legitimate vulnerabilities are remediated within organization-defined response times in accordance with an organizational assessment of risk.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05d.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A15",
      "objective": "information obtained from the vulnerability monitoring process and control assessments is shared with personnel or roles to help eliminate similar vulnerabilities in other systems.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05e.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A16",
      "objective": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05f.",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A17",
      "objective": "the frequency at which to update system vulnerabilities to be scanned is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.ODP[04]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A18",
      "objective": "the system is monitored for vulnerabilities per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A19",
      "objective": "system vulnerabilities to be scanned are updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A20",
      "objective": "system vulnerabilities to be scanned are updated when new vulnerabilities are identified and reported.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A21",
      "objective": "the frequency at which the system is monitored for vulnerabilities is defined.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.ODP[01]",
      "assessment_rigor": "2",
      "scf_defined_parameters": "at least monthly",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A22",
      "objective": "the system is monitored for vulnerabilities <A.03.11.02.ODP[01]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.a[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least monthly, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A23",
      "objective": "the system is scanned for vulnerabilities <A.03.11.02.ODP[02]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.a[02]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "at least monthly, or when there are significant incidents or significant changes to risks",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06",
      "ao_id": "VPM-06_A24",
      "objective": "system vulnerabilities to be scanned are updated <A.03.11.02.ODP[04]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.c[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "no more than 24 hours prior to running the scans",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.1",
      "ao_id": "VPM-06.1_A01",
      "objective": "the frequency at which to update system vulnerabilities to be scanned is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(02)_ODP[01]\n53A_R5_RA-05(02)_ODP[02]\n171A_R3_A.03.11.02.ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "within 24 hours prior to running scans",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.1",
      "ao_id": "VPM-06.1_A02",
      "objective": "system vulnerabilities to be scanned are updated per an organization-defined frequency.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "within 24 hours prior to running scans",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.1",
      "ao_id": "VPM-06.1_A03",
      "objective": "system vulnerabilities to be scanned are updated when new vulnerabilities are identified and reported.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.c[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.1",
      "ao_id": "VPM-06.1_A04",
      "objective": "system vulnerabilities to be scanned are updated <A.03.11.02.ODP[04]: frequency>.",
      "pptdf": "Process",
      "origin": "171A_R3_A.03.11.02.c[01]",
      "assessment_rigor": "NIST 800-171",
      "scf_defined_parameters": "no more than 24 hours prior to running the scans",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.2",
      "ao_id": "VPM-06.2_A01",
      "objective": "the breadth and depth of vulnerability scanning coverage are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(03)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.3",
      "ao_id": "VPM-06.3_A01",
      "objective": "system components to which privileged access is authorized for selected vulnerability scanning activities are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(05)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all components that support authentication",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.3",
      "ao_id": "VPM-06.3_A02",
      "objective": "vulnerability scanning activities selected for privileged access authorization to system components are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(05)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all scans",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.3",
      "ao_id": "VPM-06.3_A03",
      "objective": "privileged access authorization is implemented to system components for vulnerability scanning activities.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05(05)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "all components that support authentication",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.4",
      "ao_id": "VPM-06.4_A01",
      "objective": "automated mechanisms to compare the results of multiple vulnerability scans are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(06)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.4",
      "ao_id": "VPM-06.4_A02",
      "objective": "the results of multiple vulnerability scans are compared using automated mechanisms.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05(06)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.5",
      "ao_id": "VPM-06.5_A01",
      "objective": "a system, application or service whose historic event logs are to be reviewed is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(08)_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.5",
      "ao_id": "VPM-06.5_A02",
      "objective": "a time period for a potential previous exploit of a system, application or service is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(08)_ODP[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.5",
      "ao_id": "VPM-06.5_A03",
      "objective": "historic event logs are reviewed to determine if a vulnerability identified in a system, application or service has been previously exploited within an organization-defined time period.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(08)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.6",
      "ao_id": "VPM-06.6_A01",
      "objective": "for Payment Card Industry Data Security Standard (PCI DSS) compliance, quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider are performed until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.7",
      "ao_id": "VPM-06.7_A01",
      "objective": "for Payment Card Industry Data Security Standard (PCI DSS) compliance, quarterly internal vulnerability scans, which include all segments of the organization's internal network, are performed until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.8",
      "ao_id": "VPM-06.8_A01",
      "objective": "corrective actions to be taken if information about the system is discoverable are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(04)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.8",
      "ao_id": "VPM-06.8_A02",
      "objective": "corrective actions are taken when information about the system is confirmed as discoverable.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-05(04)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.8",
      "ao_id": "VPM-06.8_A03",
      "objective": "information about the system is discoverable.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05(04)[01]",
      "assessment_rigor": "3",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-06.9",
      "ao_id": "VPM-06.9_A01",
      "objective": "the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors.",
      "pptdf": "Technology",
      "origin": "53A_R5_RA-05(10)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07",
      "ao_id": "VPM-07_A01",
      "objective": "the breadth of penetration testing is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)_ODP[01]\n53A_R5_CA-08_ODP[02]\n53A_R5_SA-11(05)(a)[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07",
      "ao_id": "VPM-07_A02",
      "objective": "the depth of penetration testing is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)_ODP[02]\n53A_R5_SA-11(05)(a)[02]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07",
      "ao_id": "VPM-07_A03",
      "objective": "constraints of penetration testing are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_SA-11(05)_ODP[03]\n53A_R5_SA-11(05)(b)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07",
      "ao_id": "VPM-07_A04",
      "objective": "automated scanning tools are identified.",
      "pptdf": "Process",
      "origin": "172A_3.12.1e[a]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07",
      "ao_id": "VPM-07_A05",
      "objective": "ad hoc tests using subject matter experts are identified.",
      "pptdf": "Process",
      "origin": "172A_3.12.1e[b]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07",
      "ao_id": "VPM-07_A06",
      "objective": "penetration testing is conducted frequently leveraging automated scanning tools and ad hoc tests using subject matter experts.",
      "pptdf": "Process",
      "origin": "172A_3.12.1e[c]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07",
      "ao_id": "VPM-07_A07",
      "objective": "frequency at which to conduct penetration testing on systems or system components is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-08_ODP[01]\n172A_3.12.1e_ODP[1]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07",
      "ao_id": "VPM-07_A08",
      "objective": "penetration testing is conducted at an organization-defined frequency on organization-defined system(s) or system components.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-08",
      "assessment_rigor": "1",
      "scf_defined_parameters": "at least annually",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-07.1",
      "ao_id": "VPM-07.1_A01",
      "objective": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-08(01)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-08",
      "ao_id": "VPM-08_A01",
      "objective": "locations to employ technical surveillance countermeasure surveys are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-06_ODP[01]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-08",
      "ao_id": "VPM-08_A02",
      "objective": "the frequency at which to employ technical surveillance countermeasure surveys is defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-06_ODP[02]\n53A_R5_RA-06_ODP[03]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-08",
      "ao_id": "VPM-08_A03",
      "objective": "events or indicators which, if they occur, trigger a technical surveillance countermeasures survey are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-06_ODP[04]",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-08",
      "ao_id": "VPM-08_A04",
      "objective": "a technical surveillance countermeasures survey is employed at locations per organization-defined criteria.",
      "pptdf": "Process",
      "origin": "53A_R5_RA-06",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-09",
      "ao_id": "VPM-09_A01",
      "objective": "logs associated with scanning activities are monitored to ensure that those activities are limited to the timeframes of legitimate scans.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-09",
      "ao_id": "VPM-09_A02",
      "objective": "logs associated with administrator accounts are monitored to ensure that those activities are limited to the timeframes of legitimate scans.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-10",
      "ao_id": "VPM-10_A01",
      "objective": "red team exercises to simulate attempts by adversaries to compromise organizational systems are defined.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-08(02)_ODP",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "VPM-10",
      "ao_id": "VPM-10_A02",
      "objective": "organization-defined red team exercises are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.",
      "pptdf": "Process",
      "origin": "53A_R5_CA-08(02)",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-01",
      "ao_id": "WEB-01_A01",
      "objective": "an enterprise-wide web management policy, as well as associated standards, controls and procedures exists.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-01",
      "ao_id": "WEB-01_A02",
      "objective": "web security operations are conducted according to documented policies, standards, procedures and/or other organizational directives.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-01",
      "ao_id": "WEB-01_A03",
      "objective": "adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support web security operations.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-01",
      "ao_id": "WEB-01_A04",
      "objective": "responsibility and authority for the performance of web security-related activities are assigned to designated personnel.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-01",
      "ao_id": "WEB-01_A05",
      "objective": "personnel performing web security-related activities have the skills and knowledge needed to perform their assigned duties.",
      "pptdf": "People",
      "origin": "SCF Created",
      "assessment_rigor": "2",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-01.1",
      "ao_id": "WEB-01.1_A01",
      "objective": "a capability exists to review secure pages for unauthorized code.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-02",
      "ao_id": "WEB-02_A01",
      "objective": "a Demilitarized Zone (DMZ) architecture is utilized for Internet-facing technologies to restrict inbound traffic to authorized devices on certain services, protocols and ports.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-03",
      "ao_id": "WEB-03_A01",
      "objective": "a Web Application Firewall (WAF) is utilized for Internet-facing technologies to protect against application-specific threats.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-04",
      "ao_id": "WEB-04_A01",
      "objective": "a capability exists to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-05",
      "ao_id": "WEB-05_A01",
      "objective": "data subjects are provided with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-06",
      "ao_id": "WEB-06_A01",
      "objective": "Strong Customer Authentication (SCA) is utilized for consumers and/or data subjects to prove their identity.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-07",
      "ao_id": "WEB-07_A01",
      "objective": "the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-08",
      "ao_id": "WEB-08_A01",
      "objective": "a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-09",
      "ao_id": "WEB-09_A01",
      "objective": "all input handled by a web application is validated and/or sanitized.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-10",
      "ao_id": "WEB-10_A01",
      "objective": "all web application content is delivered using cryptographic mechanisms (e.g., TLS).",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-11",
      "ao_id": "WEB-11_A01",
      "objective": "output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-12",
      "ao_id": "WEB-12_A01",
      "objective": "web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-13",
      "ao_id": "WEB-13_A01",
      "objective": "Indicators of Compromise (IoC) include unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive / regulated data.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-13",
      "ao_id": "WEB-13_A02",
      "objective": "a capability exists to monitor for web-based IoC triggers.",
      "pptdf": "Technology",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-14",
      "ao_id": "WEB-14_A01",
      "objective": "the scope of publicly accessible systems is defined.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-14",
      "ao_id": "WEB-14_A02",
      "objective": "publicly accessible systems containing sensitive / regulated data are identified.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-14",
      "ao_id": "WEB-14_A03",
      "objective": "a capability exists to routinely review the content on publicly accessible systems for sensitive / regulated data and remove such information, if discovered.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    },
    {
      "scf_control_id": "WEB-14",
      "ao_id": "WEB-14_A04",
      "objective": "a capability exists to expeditiously remove sensitive / regulated data from publicly accessible systems, if discovered.",
      "pptdf": "Process",
      "origin": "SCF Created",
      "assessment_rigor": "1",
      "scf_defined_parameters": "",
      "org_defined_parameters": ""
    }
  ]
}