ac:
title: Access Control
controls:
ac-01:
label: AC-1
title: Policy and Procedures
statement: |
a. Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:
1. {{ insert: param, ac-1_prm_2 }} access control policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
b. Designate an {{ insert: param, ac-1_prm_3 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and
c. Review and update the current access control:
1. Policy {{ insert: param, ac-1_prm_4 }} and following {{ insert: param, ac-1_prm_5 }}; and
2. Procedures {{ insert: param, ac-1_prm_6 }} and following {{ insert: param, ac-1_prm_7 }}.
parameters:
ac-1_prm_1:
label: "organization-defined personnel or roles"
ac-1_prm_2:
how-many: one or more
choice:
- "Organization-level"
- "Mission/business process-level"
- "System-level"
ac-1_prm_3:
label: "organization-defined official"
ac-1_prm_4:
label: "organization-defined frequency"
ac-1_prm_5:
label: "organization-defined events"
ac-1_prm_6:
label: "organization-defined frequency"
ac-1_prm_7:
label: "organization-defined events"
ac-02:
label: AC-2
title: Account Management
statement: |
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require {{ insert: param, ac-2_prm_1 }} for group and role membership;
d. Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and {{ insert: param, ac-2_prm_2 }} for each account;
e. Require approvals by {{ insert: param, ac-2_prm_3 }} for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-2_prm_4 }};
g. Monitor the use of accounts;
h. Notify account managers and {{ insert: param, ac-2_prm_5 }} within:
1. {{ insert: param, ac-2_prm_6 }} when accounts are no longer required;
2. {{ insert: param, ac-2_prm_7 }} when users are terminated or transferred; and
3. {{ insert: param, ac-2_prm_8 }} when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. {{ insert: param, ac-2_prm_9 }};
j. Review accounts for compliance with account management requirements {{ insert: param, ac-2_prm_10 }};
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
parameters:
ac-2_prm_1:
label: "organization-defined prerequisites and criteria"
ac-2_prm_2:
label: "organization-defined attributes (as required)"
ac-2_prm_3:
label: "organization-defined personnel or roles"
ac-2_prm_4:
label: "organization-defined policy, procedures, prerequisites, and criteria"
ac-2_prm_5:
label: "organization-defined personnel or roles"
ac-2_prm_6:
label: "organization-defined time period"
ac-2_prm_7:
label: "organization-defined time period"
ac-2_prm_8:
label: "organization-defined time period"
ac-2_prm_9:
label: "organization-defined attributes (as required)"
ac-2_prm_10:
label: "organization-defined frequency"
ac-02.01:
label: AC-2(1)
parent_control: ac-02
title: Automated System Account Management
statement: |
Support the management of system accounts using {{ insert: param, ac-2.1_prm_1 }}.
parameters:
ac-2.1_prm_1:
label: "organization-defined automated mechanisms"
ac-02.02:
label: AC-2(2)
parent_control: ac-02
title: Automated Temporary and Emergency Account Management
statement: |
Automatically {{ insert: param, ac-2.2_prm_1 }} temporary and emergency accounts after {{ insert: param, ac-2.2_prm_2 }}.
parameters:
ac-2.2_prm_1:
choice:
- "remove"
- "disable"
ac-2.2_prm_2:
label: "organization-defined time period for each type of account"
ac-02.03:
label: AC-2(3)
parent_control: ac-02
title: Disable Accounts
statement: |
Disable accounts within {{ insert: param, ac-2.3_prm_1 }} when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for {{ insert: param, ac-2.3_prm_2 }}.
parameters:
ac-2.3_prm_1:
label: "organization-defined time period"
ac-2.3_prm_2:
label: "organization-defined time period"
ac-02.04:
label: AC-2(4)
parent_control: ac-02
title: Automated Audit Actions
statement: |
Automatically audit account creation, modification, enabling, disabling, and removal actions.
ac-02.05:
label: AC-2(5)
parent_control: ac-02
title: Inactivity Logout
statement: |
Require that users log out when {{ insert: param, ac-2.5_prm_1 }}.
parameters:
ac-2.5_prm_1:
label: "organization-defined time period of expected inactivity or description of when to log out"
ac-02.06:
label: AC-2(6)
parent_control: ac-02
title: Dynamic Privilege Management
statement: |
Implement {{ insert: param, ac-2.6_prm_1 }}.
parameters:
ac-2.6_prm_1:
label: "organization-defined dynamic privilege management capabilities"
ac-02.07:
label: AC-2(7)
parent_control: ac-02
title: Privileged User Accounts
statement: |
(a) Establish and administer privileged user accounts in accordance with {{ insert: param, ac-2.7_prm_1 }};
(b) Monitor privileged role or attribute assignments;
(c) Monitor changes to roles or attributes; and
(d) Revoke access when privileged role or attribute assignments are no longer appropriate.
parameters:
ac-2.7_prm_1:
choice:
- "a role-based access scheme"
- "an attribute-based access scheme"
ac-02.08:
label: AC-2(8)
parent_control: ac-02
title: Dynamic Account Management
statement: |
Create, activate, manage, and deactivate {{ insert: param, ac-2.8_prm_1 }} dynamically.
parameters:
ac-2.8_prm_1:
label: "organization-defined system accounts"
ac-02.09:
label: AC-2(9)
parent_control: ac-02
title: Restrictions on Use of Shared and Group Accounts
statement: |
Only permit the use of shared and group accounts that meet {{ insert: param, ac-2.9_prm_1 }}.
parameters:
ac-2.9_prm_1:
label: "organization-defined conditions for establishing shared and group accounts"
ac-02.11:
label: AC-2(11)
parent_control: ac-02
title: Usage Conditions
statement: |
Enforce {{ insert: param, ac-2.11_prm_1 }} for {{ insert: param, ac-2.11_prm_2 }}.
parameters:
ac-2.11_prm_1:
label: "organization-defined circumstances and/or usage conditions"
ac-2.11_prm_2:
label: "organization-defined system accounts"
ac-02.12:
label: AC-2(12)
parent_control: ac-02
title: Account Monitoring for Atypical Usage
statement: |
(a) Monitor system accounts for {{ insert: param, ac-2.12_prm_1 }}; and
(b) Report atypical usage of system accounts to {{ insert: param, ac-2.12_prm_2 }}.
parameters:
ac-2.12_prm_1:
label: "organization-defined atypical usage"
ac-2.12_prm_2:
label: "organization-defined personnel or roles"
ac-02.13:
label: AC-2(13)
parent_control: ac-02
title: Disable Accounts for High-risk Individuals
statement: |
Disable accounts of individuals within {{ insert: param, ac-2.13_prm_1 }} of discovery of {{ insert: param, ac-2.13_prm_2 }}.
parameters:
ac-2.13_prm_1:
label: "organization-defined time period"
ac-2.13_prm_2:
label: "organization-defined significant risks"
ac-03:
label: AC-3
title: Access Enforcement
statement: |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
ac-03.02:
label: AC-3(2)
parent_control: ac-03
title: Dual Authorization
statement: |
Enforce dual authorization for {{ insert: param, ac-3.2_prm_1 }}.
parameters:
ac-3.2_prm_1:
label: "organization-defined privileged commands and/or other organization-defined actions"
ac-03.03:
label: AC-3(3)
parent_control: ac-03
title: Mandatory Access Control
statement: |
Enforce {{ insert: param, ac-3.3_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy:
(a) Is uniformly enforced across the covered subjects and objects within the system;
(b) Specifies that a subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
(4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
(5) Changing the rules governing access control; and
(c) Specifies that {{ insert: param, ac-3.3_prm_2 }} may explicitly be granted {{ insert: param, ac-3.3_prm_3 }} such that they are not limited by any defined subset (or all) of the above constraints.
parameters:
ac-3.3_prm_1:
label: "organization-defined mandatory access control policy"
ac-3.3_prm_2:
label: "organization-defined subjects"
ac-3.3_prm_3:
label: "organization-defined privileges"
ac-03.04:
label: AC-3(4)
parent_control: ac-03
title: Discretionary Access Control
statement: |
Enforce {{ insert: param, ac-3.4_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects;
(c) Change security attributes on subjects, objects, the system, or the system’s components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control.
parameters:
ac-3.4_prm_1:
label: "organization-defined discretionary access control policy"
ac-03.05:
label: AC-3(5)
parent_control: ac-03
title: Security-relevant Information
statement: |
Prevent access to {{ insert: param, ac-3.5_prm_1 }} except during secure, non-operable system states.
parameters:
ac-3.5_prm_1:
label: "organization-defined security-relevant information"
ac-03.07:
label: AC-3(7)
parent_control: ac-03
title: Role-based Access Control
statement: |
Enforce a role-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-3.7_prm_1 }}.
parameters:
ac-3.7_prm_1:
label: "organization-defined roles and users authorized to assume such roles"
ac-03.08:
label: AC-3(8)
parent_control: ac-03
title: Revocation of Access Authorizations
statement: |
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-3.8_prm_1 }}.
parameters:
ac-3.8_prm_1:
label: "organization-defined rules governing the timing of revocations of access authorizations"
ac-03.09:
label: AC-3(9)
parent_control: ac-03
title: Controlled Release
statement: |
Release information outside of the system only if:
(a) The receiving {{ insert: param, ac-3.9_prm_1 }} provides {{ insert: param, ac-3.9_prm_2 }}; and
(b) {{ insert: param, ac-3.9_prm_3 }} are used to validate the appropriateness of the information designated for release.
parameters:
ac-3.9_prm_1:
label: "organization-defined system or system component"
ac-3.9_prm_2:
label: "organization-defined controls"
ac-3.9_prm_3:
label: "organization-defined controls"
ac-03.10:
label: AC-3(10)
parent_control: ac-03
title: Audited Override of Access Control Mechanisms
statement: |
Employ an audited override of automated access control mechanisms under {{ insert: param, ac-3.10_prm_1 }} by {{ insert: param, ac-3.10_prm_2 }}.
parameters:
ac-3.10_prm_1:
label: "organization-defined conditions"
ac-3.10_prm_2:
label: "organization-defined roles"
ac-03.11:
label: AC-3(11)
parent_control: ac-03
title: Restrict Access to Specific Information Types
statement: |
Restrict access to data repositories containing {{ insert: param, ac-3.11_prm_1 }}.
parameters:
ac-3.11_prm_1:
label: "organization-defined information types"
ac-03.12:
label: AC-3(12)
parent_control: ac-03
title: Assert and Enforce Application Access
statement: |
(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-3.12_prm_1 }};
(b) Provide an enforcement mechanism to prevent unauthorized access; and
(c) Approve access changes after initial installation of the application.
parameters:
ac-3.12_prm_1:
label: "organization-defined system applications and functions"
ac-03.13:
label: AC-3(13)
parent_control: ac-03
title: Attribute-based Access Control
statement: |
Enforce attribute-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-3.13_prm_1 }}.
parameters:
ac-3.13_prm_1:
label: "organization-defined attributes to assume access permissions"
ac-03.14:
label: AC-3(14)
parent_control: ac-03
title: Individual Access
statement: |
Provide {{ insert: param, ac-3.14_prm_1 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-3.14_prm_2 }}.
parameters:
ac-3.14_prm_1:
label: "organization-defined mechanisms"
ac-3.14_prm_2:
label: "organization-defined elements"
ac-03.15:
label: AC-3(15)
parent_control: ac-03
title: Discretionary and Mandatory Access Control
statement: |
(a) Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and
(b) Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy.
parameters:
ac-3.15_prm_1:
label: "organization-defined mandatory access control policy"
ac-3.15_prm_2:
label: "organization-defined discretionary access control policy"
ac-04:
label: AC-4
title: Information Flow Enforcement
statement: |
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-4_prm_1 }}.
parameters:
ac-4_prm_1:
label: "organization-defined information flow control policies"
ac-04.01:
label: AC-4(1)
parent_control: ac-04
title: Object Security and Privacy Attributes
statement: |
Use {{ insert: param, ac-4.1_prm_1 }} associated with {{ insert: param, ac-4.1_prm_2 }} to enforce {{ insert: param, ac-4.1_prm_3 }} as a basis for flow control decisions.
parameters:
ac-4.1_prm_1:
label: "organization-defined security and privacy attributes"
ac-4.1_prm_2:
label: "organization-defined information, source, and destination objects"
ac-4.1_prm_3:
label: "organization-defined information flow control policies"
ac-04.02:
label: AC-4(2)
parent_control: ac-04
title: Processing Domains
statement: |
Use protected processing domains to enforce {{ insert: param, ac-4.2_prm_1 }} as a basis for flow control decisions.
parameters:
ac-4.2_prm_1:
label: "organization-defined information flow control policies"
ac-04.03:
label: AC-4(3)
parent_control: ac-04
title: Dynamic Information Flow Control
statement: |
Enforce {{ insert: param, ac-4.3_prm_1 }}.
parameters:
ac-4.3_prm_1:
label: "organization-defined information flow control policies"
ac-04.04:
label: AC-4(4)
parent_control: ac-04
title: Flow Control of Encrypted Information
statement: |
Prevent encrypted information from bypassing {{ insert: param, ac-4.4_prm_1 }} by {{ insert: param, ac-4.4_prm_2 }}.
parameters:
ac-4.4_prm_1:
label: "organization-defined information flow control mechanisms"
ac-4.4_prm_2:
how-many: one or more
choice:
- "decrypting the information"
- "blocking the flow of the encrypted information"
- "terminating communications sessions attempting to pass encrypted information"
- " {{ insert: param, ac-4.4_prm_3 }} "
ac-4.4_prm_3:
label: "organization-defined procedure or method"
ac-04.05:
label: AC-4(5)
parent_control: ac-04
title: Embedded Data Types
statement: |
Enforce {{ insert: param, ac-4.5_prm_1 }} on embedding data types within other data types.
parameters:
ac-4.5_prm_1:
label: "organization-defined limitations"
ac-04.06:
label: AC-4(6)
parent_control: ac-04
title: Metadata
statement: |
Enforce information flow control based on {{ insert: param, ac-4.6_prm_1 }}.
parameters:
ac-4.6_prm_1:
label: "organization-defined metadata"
ac-04.07:
label: AC-4(7)
parent_control: ac-04
title: One-way Flow Mechanisms
statement: |
Enforce one-way information flows through hardware-based flow control mechanisms.
ac-04.08:
label: AC-4(8)
parent_control: ac-04
title: Security and Privacy Policy Filters
statement: |
(a) Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }}; and
(b) {{ insert: param, ac-4.8_prm_3 }} data after a filter processing failure in accordance with {{ insert: param, ac-4.8_prm_4 }}.
parameters:
ac-4.8_prm_1:
label: "organization-defined security or privacy policy filters"
ac-4.8_prm_2:
label: "organization-defined information flows"
ac-4.8_prm_3:
how-many: one or more
choice:
- "Block"
- "Strip"
- "Modify"
- "Quarantine"
ac-4.8_prm_4:
label: "organization-defined security or privacy policy"
ac-04.09:
label: AC-4(9)
parent_control: ac-04
title: Human Reviews
statement: |
Enforce the use of human reviews for {{ insert: param, ac-4.9_prm_1 }} under the following conditions: {{ insert: param, ac-4.9_prm_2 }}.
parameters:
ac-4.9_prm_1:
label: "organization-defined information flows"
ac-4.9_prm_2:
label: "organization-defined conditions"
ac-04.10:
label: AC-4(10)
parent_control: ac-04
title: Enable and Disable Security or Privacy Policy Filters
statement: |
Provide the capability for privileged administrators to enable and disable {{ insert: param, ac-4.10_prm_1 }} under the following conditions: {{ insert: param, ac-4.10_prm_2 }}.
parameters:
ac-4.10_prm_1:
label: "organization-defined security or privacy policy filters"
ac-4.10_prm_2:
label: "organization-defined conditions"
ac-04.11:
label: AC-4(11)
parent_control: ac-04
title: Configuration of Security or Privacy Policy Filters
statement: |
Provide the capability for privileged administrators to configure {{ insert: param, ac-4.11_prm_1 }} to support different security or privacy policies.
parameters:
ac-4.11_prm_1:
label: "organization-defined security or privacy policy filters"
ac-04.12:
label: AC-4(12)
parent_control: ac-04
title: Data Type Identifiers
statement: |
When transferring information between different security domains, use {{ insert: param, ac-4.12_prm_1 }} to validate data essential for information flow decisions.
parameters:
ac-4.12_prm_1:
label: "organization-defined data type identifiers"
ac-04.13:
label: AC-4(13)
parent_control: ac-04
title: Decomposition into Policy-relevant Subcomponents
statement: |
When transferring information between different security domains, decompose information into {{ insert: param, ac-4.13_prm_1 }} for submission to policy enforcement mechanisms.
parameters:
ac-4.13_prm_1:
label: "organization-defined policy-relevant subcomponents"
ac-04.14:
label: AC-4(14)
parent_control: ac-04
title: Security or Privacy Policy Filter Constraints
statement: |
When transferring information between different security domains, implement {{ insert: param, ac-4.14_prm_1 }} requiring fully enumerated formats that restrict data structure and content.
parameters:
ac-4.14_prm_1:
label: "organization-defined security or privacy policy filters"
ac-04.15:
label: AC-4(15)
parent_control: ac-04
title: Detection of Unsanctioned Information
statement: |
When transferring information between different security domains, examine the information for the presence of {{ insert: param, ac-4.15_prm_1 }} and prohibit the transfer of such information in accordance with the {{ insert: param, ac-4.15_prm_2 }}.
parameters:
ac-4.15_prm_1:
label: "organization-defined unsanctioned information"
ac-4.15_prm_2:
label: "organization-defined security or privacy policy"
ac-04.17:
label: AC-4(17)
parent_control: ac-04
title: Domain Authentication
statement: |
Uniquely identify and authenticate source and destination points by {{ insert: param, ac-4.17_prm_1 }} for information transfer.
parameters:
ac-4.17_prm_1:
how-many: one or more
choice:
- "organization"
- "system"
- "application"
- "service"
- "individual"
ac-04.19:
label: AC-4(19)
parent_control: ac-04
title: Validation of Metadata
statement: |
When transferring information between different security domains, implement {{ insert: param, ac-4.19_prm_1 }} on metadata.
parameters:
ac-4.19_prm_1:
label: "organization-defined security or privacy policy filters"
ac-04.20:
label: AC-4(20)
parent_control: ac-04
title: Approved Solutions
statement: |
Employ {{ insert: param, ac-4.20_prm_1 }} to control the flow of {{ insert: param, ac-4.20_prm_2 }} across security domains.
parameters:
ac-4.20_prm_1:
label: "organization-defined solutions in approved configurations"
ac-4.20_prm_2:
label: "organization-defined information"
ac-04.21:
label: AC-4(21)
parent_control: ac-04
title: Physical or Logical Separation of Information Flows
statement: |
Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-4.21_prm_2 }}.
parameters:
ac-4.21_prm_1:
label: "organization-defined mechanisms and/or techniques"
ac-4.21_prm_2:
label: "organization-defined required separations by types of information"
ac-04.22:
label: AC-4(22)
parent_control: ac-04
title: Access Only
statement: |
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
ac-04.23:
label: AC-4(23)
parent_control: ac-04
title: Modify Non-releasable Information
statement: |
When transferring information between different security domains, modify non-releasable information by implementing {{ insert: param, ac-4.23_prm_1 }}.
parameters:
ac-4.23_prm_1:
label: "organization-defined modification action"
ac-04.24:
label: AC-4(24)
parent_control: ac-04
title: Internal Normalized Format
statement: |
When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
ac-04.25:
label: AC-4(25)
parent_control: ac-04
title: Data Sanitization
statement: |
When transferring information between different security domains, sanitize data to minimize {{ insert: param, ac-4.25_prm_1 }} in accordance with {{ insert: param, ac-4.25_prm_2 }}.
parameters:
ac-4.25_prm_1:
how-many: one or more
choice:
- "delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data"
- "spillage of sensitive information"
ac-4.25_prm_2:
label: "organization-defined policy"
ac-04.26:
label: AC-4(26)
parent_control: ac-04
title: Audit Filtering Actions
statement: |
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
ac-04.27:
label: AC-4(27)
parent_control: ac-04
title: Redundant/independent Filtering Mechanisms
statement: |
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
ac-04.28:
label: AC-4(28)
parent_control: ac-04
title: Linear Filter Pipelines
statement: |
When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
ac-04.29:
label: AC-4(29)
parent_control: ac-04
title: Filter Orchestration Engines
statement: |
When transferring information between different security domains, employ content filter orchestration engines to ensure that:
(a) Content filtering mechanisms successfully complete execution without errors; and
(b) Content filtering actions occur in the correct order and comply with {{ insert: param, ac-4.29_prm_1 }}.
parameters:
ac-4.29_prm_1:
label: "organization-defined policy"
ac-04.30:
label: AC-4(30)
parent_control: ac-04
title: Filter Mechanisms Using Multiple Processes
statement: |
When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
ac-04.31:
label: AC-4(31)
parent_control: ac-04
title: Failed Content Transfer Prevention
statement: |
When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
ac-04.32:
label: AC-4(32)
parent_control: ac-04
title: Process Requirements for Information Transfer
statement: |
When transferring information between different security domains, the process that transfers information between filter pipelines:
(a) Does not filter message content;
(b) Validates filtering metadata;
(c) Ensures the content associated with the filtering metadata has successfully completed filtering; and
(d) Transfers the content to the destination filter pipeline.
ac-05:
label: AC-5
title: Separation of Duties
statement: |
a. Identify and document {{ insert: param, ac-5_prm_1 }}; and
b. Define system access authorizations to support separation of duties.
parameters:
ac-5_prm_1:
label: "organization-defined duties of individuals requiring separation"
ac-06:
label: AC-6
title: Least Privilege
statement: |
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
ac-06.01:
label: AC-6(1)
parent_control: ac-06
title: Authorize Access to Security Functions
statement: |
Authorize access for {{ insert: param, ac-6.1_prm_1 }} to:
(a) {{ insert: param, ac-6.1_prm_2 }}; and
(b) {{ insert: param, ac-6.1_prm_3 }}.
parameters:
ac-6.1_prm_1:
label: "organization-defined individuals or roles"
ac-6.1_prm_2:
label: "organization-defined security functions (deployed in hardware, software, and firmware)"
ac-6.1_prm_3:
label: "organization-defined security-relevant information"
ac-06.02:
label: AC-6(2)
parent_control: ac-06
title: Non-privileged Access for Nonsecurity Functions
statement: |
Require that users of system accounts (or roles) with access to {{ insert: param, ac-6.2_prm_1 }} use non-privileged accounts or roles, when accessing nonsecurity functions.
parameters:
ac-6.2_prm_1:
label: "organization-defined security functions or security-relevant information"
ac-06.03:
label: AC-6(3)
parent_control: ac-06
title: Network Access to Privileged Commands
statement: |
Authorize network access to {{ insert: param, ac-6.3_prm_1 }} only for {{ insert: param, ac-6.3_prm_2 }} and document the rationale for such access in the security plan for the system.
parameters:
ac-6.3_prm_1:
label: "organization-defined privileged commands"
ac-6.3_prm_2:
label: "organization-defined compelling operational needs"
ac-06.04:
label: AC-6(4)
parent_control: ac-06
title: Separate Processing Domains
statement: |
Provide separate processing domains to enable finer-grained allocation of user privileges.
ac-06.05:
label: AC-6(5)
parent_control: ac-06
title: Privileged Accounts
statement: |
Restrict privileged accounts on the system to {{ insert: param, ac-6.5_prm_1 }}.
parameters:
ac-6.5_prm_1:
label: "organization-defined personnel or roles"
ac-06.06:
label: AC-6(6)
parent_control: ac-06
title: Privileged Access by Non-organizational Users
statement: |
Prohibit privileged access to the system by non-organizational users.
ac-06.07:
label: AC-6(7)
parent_control: ac-06
title: Review of User Privileges
statement: |
(a) Review {{ insert: param, ac-6.7_prm_1 }} the privileges assigned to {{ insert: param, ac-6.7_prm_2 }} to validate the need for such privileges; and
(b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
parameters:
ac-6.7_prm_1:
label: "organization-defined frequency"
ac-6.7_prm_2:
label: "organization-defined roles or classes of users"
ac-06.08:
label: AC-6(8)
parent_control: ac-06
title: Privilege Levels for Code Execution
statement: |
Prevent the following software from executing at higher privilege levels than users executing the software: {{ insert: param, ac-6.8_prm_1 }}.
parameters:
ac-6.8_prm_1:
label: "organization-defined software"
ac-06.09:
label: AC-6(9)
parent_control: ac-06
title: Log Use of Privileged Functions
statement: |
Log the execution of privileged functions.
ac-06.10:
label: AC-6(10)
parent_control: ac-06
title: Prohibit Non-privileged Users from Executing Privileged Functions
statement: |
Prevent non-privileged users from executing privileged functions.
ac-07:
label: AC-7
title: Unsuccessful Logon Attempts
statement: |
a. Enforce a limit of {{ insert: param, ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-7_prm_2 }}; and
b. Automatically {{ insert: param, ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded.
parameters:
ac-7_prm_1:
label: "organization-defined number"
ac-7_prm_2:
label: "organization-defined time period"
ac-7_prm_3:
how-many: one or more
choice:
- "lock the account or node for an {{ insert: param, ac-7_prm_4 }} "
- "lock the account or node until released by an administrator"
- "delay next logon prompt per {{ insert: param, ac-7_prm_5 }} "
- "notify system administrator"
- "take other {{ insert: param, ac-7_prm_6 }} "
ac-7_prm_4:
label: "organization-defined time period"
ac-7_prm_5:
label: "organization-defined delay algorithm"
ac-7_prm_6:
label: "organization-defined action"
ac-07.02:
label: AC-7(2)
parent_control: ac-07
title: Purge or Wipe Mobile Device
statement: |
Purge or wipe information from {{ insert: param, ac-7.2_prm_1 }} based on {{ insert: param, ac-7.2_prm_2 }} after {{ insert: param, ac-7.2_prm_3 }} consecutive, unsuccessful device logon attempts.
parameters:
ac-7.2_prm_1:
label: "organization-defined mobile devices"
ac-7.2_prm_2:
label: "organization-defined purging or wiping requirements and techniques"
ac-7.2_prm_3:
label: "organization-defined number"
ac-07.03:
label: AC-7(3)
parent_control: ac-07
title: Biometric Attempt Limiting
statement: |
Limit the number of unsuccessful biometric logon attempts to {{ insert: param, ac-7.3_prm_1 }}.
parameters:
ac-7.3_prm_1:
label: "organization-defined number"
ac-07.04:
label: AC-7(4)
parent_control: ac-07
title: Use of Alternate Authentication Factor
statement: |
(a) Allow the use of {{ insert: param, ac-7.4_prm_1 }} that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
(b) Enforce a limit of {{ insert: param, ac-7.4_prm_2 }} consecutive invalid logon attempts through use of the alternative factors by a user during a {{ insert: param, ac-7.4_prm_3 }}.
parameters:
ac-7.4_prm_1:
label: "organization-defined authentication factors"
ac-7.4_prm_2:
label: "organization-defined number"
ac-7.4_prm_3:
label: "organization-defined time period"
ac-08:
label: AC-8
title: System Use Notification
statement: |
a. Display {{ insert: param, ac-8_prm_1 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
1. Users are accessing a U.S. Government system;
2. System usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
4. Use of the system indicates consent to monitoring and recording;
b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
c. For publicly accessible systems:
1. Display system use information {{ insert: param, ac-8_prm_2 }}, before granting further access to the publicly accessible system;
2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Include a description of the authorized uses of the system.
parameters:
ac-8_prm_1:
label: "organization-defined system use notification message or banner"
ac-8_prm_2:
label: "organization-defined conditions"
ac-09:
label: AC-9
title: Previous Logon Notification
statement: |
Notify the user, upon successful logon to the system, of the date and time of the last logon.
ac-09.01:
label: AC-9(1)
parent_control: ac-09
title: Unsuccessful Logons
statement: |
Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
ac-09.02:
label: AC-9(2)
parent_control: ac-09
title: Successful and Unsuccessful Logons
statement: |
Notify the user, upon successful logon, of the number of {{ insert: param, ac-9.2_prm_1 }} during {{ insert: param, ac-9.2_prm_2 }}.
parameters:
ac-9.2_prm_1:
choice:
- "successful logons"
- "unsuccessful logon attempts"
- "both"
ac-9.2_prm_2:
label: "organization-defined time period"
ac-09.03:
label: AC-9(3)
parent_control: ac-09
title: Notification of Account Changes
statement: |
Notify the user, upon successful logon, of changes to {{ insert: param, ac-9.3_prm_1 }} during {{ insert: param, ac-9.3_prm_2 }}.
parameters:
ac-9.3_prm_1:
label: "organization-defined security-related characteristics or parameters of the user’s account"
ac-9.3_prm_2:
label: "organization-defined time period"
ac-09.04:
label: AC-9(4)
parent_control: ac-09
title: Additional Logon Information
statement: |
Notify the user, upon successful logon, of the following additional information: {{ insert: param, ac-9.4_prm_1 }}.
parameters:
ac-9.4_prm_1:
label: "organization-defined additional information"
ac-10:
label: AC-10
title: Concurrent Session Control
statement: |
Limit the number of concurrent sessions for each {{ insert: param, ac-10_prm_1 }} to {{ insert: param, ac-10_prm_2 }}.
parameters:
ac-10_prm_1:
label: "organization-defined account and/or account type"
ac-10_prm_2:
label: "organization-defined number"
ac-11:
label: AC-11
title: Device Lock
statement: |
a. Prevent further access to the system by {{ insert: param, ac-11_prm_1 }}; and
b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.
parameters:
ac-11_prm_1:
how-many: one or more
choice:
- "initiating a device lock after {{ insert: param, ac-11_prm_2 }} of inactivity"
- "requiring the user to initiate a device lock before leaving the system unattended"
ac-11_prm_2:
label: "organization-defined time period"
ac-11.01:
label: AC-11(1)
parent_control: ac-11
title: Pattern-hiding Displays
statement: |
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
ac-12:
label: AC-12
title: Session Termination
statement: |
Automatically terminate a user session after {{ insert: param, ac-12_prm_1 }}.
parameters:
ac-12_prm_1:
label: "organization-defined conditions or trigger events requiring session disconnect"
ac-12.01:
label: AC-12(1)
parent_control: ac-12
title: User-initiated Logouts
statement: |
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.1_prm_1 }}.
parameters:
ac-12.1_prm_1:
label: "organization-defined information resources"
ac-12.02:
label: AC-12(2)
parent_control: ac-12
title: Termination Message
statement: |
Display an explicit logout message to users indicating the termination of authenticated communications sessions.
ac-12.03:
label: AC-12(3)
parent_control: ac-12
title: Timeout Warning Message
statement: |
Display an explicit message to users indicating that the session will end in {{ insert: param, ac-12.3_prm_1 }}.
parameters:
ac-12.3_prm_1:
label: "organization-defined time until end of session"
ac-14:
label: AC-14
title: Permitted Actions Without Identification or Authentication
statement: |
a. Identify {{ insert: param, ac-14_prm_1 }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
parameters:
ac-14_prm_1:
label: "organization-defined user actions"
ac-16:
label: AC-16
title: Security and Privacy Attributes
statement: |
a. Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and/or in transmission;
b. Ensure that the attribute associations are made and retained with the information;
c. Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for {{ insert: param, ac-16_prm_3 }}: {{ insert: param, ac-16_prm_4 }};
d. Determine the following permitted attribute values or ranges for each of the established attributes: {{ insert: param, ac-16_prm_5 }};
e. Audit changes to attributes; and
f. Review {{ insert: param, ac-16_prm_6 }} for applicability {{ insert: param, ac-16_prm_7 }}.
parameters:
ac-16_prm_1:
label: "organization-defined types of security and privacy attributes"
ac-16_prm_2:
label: "organization-defined security and privacy attribute values"
ac-16_prm_3:
label: "organization-defined systems"
ac-16_prm_4:
label: "organization-defined security and privacy attributes"
ac-16_prm_5:
label: "organization-defined attribute values or ranges for established attributes"
ac-16_prm_6:
label: "organization-defined security and privacy attributes"
ac-16_prm_7:
label: "organization-defined frequency"
ac-16.01:
label: AC-16(1)
parent_control: ac-16
title: Dynamic Attribute Association
statement: |
Dynamically associate security and privacy attributes with {{ insert: param, ac-16.1_prm_1 }} in accordance with the following security and privacy policies as information is created and combined: {{ insert: param, ac-16.1_prm_2 }}.
parameters:
ac-16.1_prm_1:
label: "organization-defined subjects and objects"
ac-16.1_prm_2:
label: "organization-defined security and privacy policies"