Ivalue Group

SCF Domain	SCF Control	SCF	Secure Controls Framework (SCF) Control Description	Methods To Comply With SCF Controls	Evidence Request List (ERL)
Security & Privacy Governance	Security & Privacy Governance Program	GOV-01	Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.	- Steering committee - Digital Security Program (DSP) - Cybersecurity & Data Protection Program (CDPP)	E-GOV-01 E-GOV-02
Security & Privacy Governance	Steering Committee	GOV-01.1	Mechanisms exist to coordinate cybersecurity, privacy and business alignment through a steering committee or advisory board, comprising of key cybersecurity, privacy and business executives, which meets formally and on a regular basis.	- Steering committee - Digital Security Program (DSP) - Cybersecurity & Data Protection Program (CDPP)	E-GOV-03
Security & Privacy Governance	Status Reporting To Governing Body	GOV-01.2	Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity and privacy program.		E-CPL-05 E-CPL-09 E-GOV-03 E-GOV-04 E-GOV-05 E-GOV-06 E-GOV-07 E-GOV-13
Security & Privacy Governance	Publishing Security & Privacy Documentation	GOV-02	Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.	- Steering committee - Digital Security Program (DSP) - Cybersecurity & Data Protection Program (CDPP) - Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Wiki - SharePoint	E-GOV-08 E-GOV-09 E-GOV-11
Security & Privacy Governance	Periodic Review & Update of Security & Privacy Program	GOV-03	Mechanisms exist to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.	- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Steering committee	E-GOV-12
Security & Privacy Governance	Assigned Security & Privacy Responsibilities	GOV-04	Mechanisms exist to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.	- NIST NICE Framework - Chief Information Security Officer (CISO)	E-HRS-01 E-HRS-05 E-HRS-06 E-HRS-07 E-HRS-08 E-HRS-09 E-HRS-10 E-HRS-13 E-HRS-15
Security & Privacy Governance	Measures of Performance	GOV-05	Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures of performance.	- Metrics - Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Enterprise Risk Management (ERM) solution	E-GOV-13
Security & Privacy Governance	Key Performance Indicators (KPIs)	GOV-05.1	Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity and privacy program.	- Key Performance Indicators (KPIs)
Security & Privacy Governance	Key Risk Indicators (KRIs)	GOV-05.2	Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity and privacy program.	- Key Risk Indicators (KRIs)
Security & Privacy Governance	Contacts With Authorities	GOV-06	Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.	- Threat intelligence personnel - Integrated Security Incident Response Team (ISIRT)
Security & Privacy Governance	Contacts With Groups & Associations	GOV-07	Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to: ▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel; ▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and ▪ Share current security-related information including threats, vulnerabilities and incidents.	- SANS - CISO Executive Network - ISACA chapters - IAPP chapters - ISAA chapters	E-THR-02
Security & Privacy Governance	Defining Business Context & Mission	GOV-08	Mechanisms exist to define the context of its business model and document the mission of the organization.		E-PRM-01
Security & Privacy Governance	Define Control Objectives	GOV-09	Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system.		E-GOV-10
Security & Privacy Governance	Data Governance	GOV-10	Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.
Security & Privacy Governance	Purpose Validation	GOV-11	Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose.
Security & Privacy Governance	Forced Technology Transfer (FTT)	GOV-12	Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.	- Board of Directors (Bod) Ethics Committee
Security & Privacy Governance	State-Sponsored Espionage	GOV-13	Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.	- Board of Directors (Bod) Ethics Committee
Security & Privacy Governance	Business As Usual (BAU) Secure Practices	GOV-14	Mechanisms exist to incorporate cybersecurity and privacy principles into Business As Usual (BAU) practices through executive leadership involvement.
Security & Privacy Governance	Operationalizing Cybersecurity & Privacy Practices	GOV-15	Mechanisms exist to compel data and/or process owners to operationalize cybersecurity and privacy practices for each system, application and/or service under their control.
Security & Privacy Governance	Select Controls	GOV-15.1	Mechanisms exist to compel data and/or process owners to select required cybersecurity and privacy controls for each system, application and/or service under their control.
Security & Privacy Governance	Implement Controls	GOV-15.2	Mechanisms exist to compel data and/or process owners to implement required cybersecurity and privacy controls for each system, application and/or service under their control.
Security & Privacy Governance	Assess Controls	GOV-15.3	Mechanisms exist to compel data and/or process owners to assess if required cybersecurity and privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.
Security & Privacy Governance	Authorize Systems, Applications & Services	GOV-15.4	Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control.
Security & Privacy Governance	Monitor Controls	GOV-15.5	Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity and privacy controls are operating as intended.
Asset Management	Asset Governance	AST-01	Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.	- Generally Accepted Accounting Principles (GAAP) - ITIL - Configuration Management Database (CMDB) - IT Asset Management (ITAM) program	E-AST-01
Asset Management	Asset-Service Dependencies	AST-01.1	Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function.		E-BCM-09
Asset Management	Stakeholder Identification & Involvement	AST-01.2	Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets.		E-CPL-03
Asset Management	Standardized Naming Convention	AST-01.3	Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
Asset Management	Asset Inventories	AST-02	Mechanisms exist to perform inventories of technology assets that: ▪ Accurately reflects the current systems, applications and services in use; ▪ Identifies authorized software products, including business justification details; ▪ Is at the level of granularity deemed necessary for tracking and reporting; ▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and ▪ Is available for review and audit by designated organizational personnel.	- ManageEngine AssetExplorer - LANDesk IT Asset Management Suite - ServiceNow (https://www.servicenow.com/) - Solarwinds (https://www.solarwinds.com/) - CrowdStrike - JAMF - ITIL - Configuration Management Database (CMDB)	E-AST-04 E-AST-05 E-AST-07
Asset Management	Updates During Installations / Removals	AST-02.1	Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades.	- CrowdStrike - JAMF - ITIL - Configuration Management Database (CMDB)
Asset Management	Automated Unauthorized Component Detection	AST-02.2	Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - DHCP logging - Active discovery tools - NNT Change Tracker (https://www.newnettechnologies.com) - Vectra - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) - Puppet (https://puppet.com/) - Chef (https://www.chef.io/) (https://www.chef.io/) - Microsoft SCCM - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Asset Management	Component Duplication Avoidance	AST-02.3	Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.	- ITIL - Configuration Management Database (CMDB) - Manual or automated process
Asset Management	Approved Baseline Deviations	AST-02.4	Mechanisms exist to document and govern instances of approved deviations from established baseline configurations.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) - SCCM - Puppet (https://puppet.com/) - Chef (https://www.chef.io/) (https://www.chef.io/) - Microsoft SCCM	E-RSK-03 E-TDA-14
Asset Management	Network Access Control (NAC)	AST-02.5	Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, that is capable of detecting unauthorized devices and disable network access to those unauthorized devices.	- Cisco NAC - Aruba Networks - Juniper NAC - Packet Fence - Symantec NAC - Sophos NAC - Bradford Networks NAC Director - Cisco ISE - ForeScout
Asset Management	Dynamic Host Configuration Protocol (DHCP) Server Logging	AST-02.6	Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.	- Splunk - Manual Process - Build Automation Tools - NNT Log Tracker (https://www.newnettechnologies.com/event-log-management.html) - Chef (https://www.chef.io/) (https://www.chef.io/) - Puppet (https://puppet.com/) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)	E-MON-04
Asset Management	Software Licensing Restrictions	AST-02.7	Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.	- Manual Process - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)
Asset Management	Data Action Mapping	AST-02.8	Mechanisms exist to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed.	- Visio - LucidChart	E-DCH-05
Asset Management	Configuration Management Database (CMDB)	AST-02.9	Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.	- Configuration Management Database (CMDB)
Asset Management	Automated Location Tracking	AST-02.10	Mechanisms exist to track the geographic location of system components.
Asset Management	Component Assignment	AST-02.11	Mechanisms exist to bind components to a specific system.
Asset Management	Asset Ownership Assignment	AST-03	Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection.		E-AST-01 E-CPL-03
Asset Management	Accountability Information	AST-03.1	Mechanisms exist to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process.		E-AST-01
Asset Management	Provenance	AST-03.2	Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data.		E-AST-22
Asset Management	Network Diagrams & Data Flow Diagrams (DFDs)	AST-04	Mechanisms exist to maintain network architecture diagrams that: ▪ Contain sufficient detail to assess the security of the network's architecture; ▪ Reflect the current architecture of the network environment; and ▪ Document all sensitive/regulated data flows.	- High-Level Diagram (HLD) - Low-Level Diagram (LLD) - Data Flow Diagram (DFD) - Solarwinds (https://www.solarwinds.com/) - Paessler - PRTG	E-DCH-03 E-DCH-04 E-DCH-05
Asset Management	Asset Scope Classification	AST-04.1	Mechanisms exist to determine cybersecurity and privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-parties).		E-AST-02 E-CPL-02 E-DCH-01 E-DCH-02
Asset Management	Control Applicability Boundary Graphical Representation	AST-04.2	Mechanisms exist to ensure control applicability is appropriately-determined for systems, applications, services and third parties by graphically representing applicable boundaries.		E-AST-02 E-CPL-02
Asset Management	Compliance-Specific Asset Identification	AST-04.3	Mechanisms exist to create and maintain a current inventory of systems, applications and services that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization.		E-AST-02 E-CPL-02
Asset Management	Security of Assets & Media	AST-05	Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media.	- ITIL - Configuration Management Database (CMDB) - Definitive Software Library (DSL)
Asset Management	Management Approval For External Media Transfer	AST-05.1	Mechanisms exist to obtain management approval for any sensitive / regulated media that is transferred outside of the organization's facilities.
Asset Management	Unattended End-User Equipment	AST-06	Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - File Integrity Monitoring (FIM) - Lockable casings - Tamper detection tape - Full Disk Encryption (FDE) - NNT Change Tracker (https://www.newnettechnologies.com)
Asset Management	Asset Storage In Automobiles	AST-06.1	Mechanisms exist to educate users on the need to physically secure laptops and other mobile devices out of site when traveling, preferably in the trunk of a vehicle.	- Security awareness training - Gamification
Asset Management	Kiosks & Point of Interaction (PoI) Devices	AST-07	Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - File Integrity Monitoring (FIM) - Lockable casings - Tamper detection tape - Chip & PIN
Asset Management	Tamper Detection	AST-08	Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC).	- ""Burner"" phones & laptops - Tamper tape
Asset Management	Secure Disposal, Destruction or Re-Use of Equipment	AST-09	Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.	- Shred-it - IronMountain - sdelete (sysinternals) - Bootnukem	E-AST-03
Asset Management	Return of Assets	AST-10	Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.	- Termination checklist - Manual Process - Native OS and Device Asset Tracking capabilities	E-AST-01
Asset Management	Removal of Assets	AST-11	Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities.	- RFID asset tagging - RFID proximity sensors at access points - Asset management software
Asset Management	Use of Personal Devices	AST-12	Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities.	- BYOD policy
Asset Management	Use of Third-Party Devices	AST-13	Mechanisms exist to reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data.	- NAC - Separate SSIDs for wireless networks - SIEM monitoring/alerting - Manual process to disable network all unused ports - Network Access Control (NAC) - Mobile Device Management (MDM) software - Data Loss Prevention (DLP)
Asset Management	Usage Parameters	AST-14	Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Asset Management	Bluetooth & Wireless Devices	AST-14.1	Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.
Asset Management	Infrared Communications	AST-14.2	Mechanisms exist to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.
Asset Management	Tamper Protection	AST-15	Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Tamper detection tape - File Integrity Monitoring (FIM) - NNT Change Tracker (https://www.newnettechnologies.com) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)
Asset Management	Inspection of Systems, Components & Devices	AST-15.1	Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Tamper detection tape - File Integrity Monitoring (FIM) - NNT Change Tracker (https://www.newnettechnologies.com) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)
Asset Management	Bring Your Own Device (BYOD) Usage	AST-16	Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.	- AirWatch - SCCM - Casper - BYOD policy
Asset Management	Prohibited Equipment & Services	AST-17	Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.		E-AST-10
Asset Management	Roots of Trust Protection	AST-18	Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
Asset Management	Telecommunications Equipment	AST-19	Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.
Asset Management	Video Teleconference (VTC) Security	AST-20	Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.
Asset Management	Voice Over Internet Protocol (VoIP) Security	AST-21	Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
Asset Management	Microphones & Web Cameras	AST-22	Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed.
Asset Management	Multi-Function Devices (MFD)	AST-23	Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.		E-TPM-01
Asset Management	Travel-Only Devices	AST-24	Mechanisms exist to issue personnel travelling overseas with temporary, loaner or ""travel-only"" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
Asset Management	Re-Imaging Devices After Travel	AST-25	Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
Asset Management	System Administrative Processes	AST-26	Mechanisms exist to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining systems, applications and services.
Asset Management	Jump Server	AST-27	Mechanisms exist to conduct remote system administrative functions via a ""jump box"" or ""jump server"" that is located in a separate network zone to user workstations.
Asset Management	Database Administrative Processes	AST-28	Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases.
Asset Management	Database Management System (DBMS)	AST-28.1	Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable.
Asset Management	Radio Frequency Identification (RFID) Security	AST-29	Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.
Asset Management	Contactless Access Control Systems	AST-29.1	Mechanisms exist to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.
Asset Management	Decommissioning	AST-30	Mechanisms exist to ensure systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
Business Continuity & Disaster Recovery	Business Continuity Management System (BCMS)	BCD-01	Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services.	- Business Continuity Plan (BCP) - Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP) - Business Impact Analysis (BIA) - Criticality assessments	E-BCM-01
Business Continuity & Disaster Recovery	Coordinate with Related Plans	BCD-01.1	Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans.	- Cybersecurity Incident Response Plan (IIRP)
Business Continuity & Disaster Recovery	Coordinate With External Service Providers	BCD-01.2	Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.	- Business Continuity Plan (BCP) - Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP)
Business Continuity & Disaster Recovery	Transfer to Alternate Processing / Storage Site	BCD-01.3	Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan.
Business Continuity & Disaster Recovery	Recovery Time / Point Objectives (RTO / RPO)	BCD-01.4	Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).		E-BCM-02 E-BCM-03
Business Continuity & Disaster Recovery	Identify Critical Assets	BCD-02	Mechanisms exist to identify and document the critical systems, applications and services that support essential missions and business functions.	- Business Impact Analysis (BIA) - Criticality assessments	E-BCM-08
Business Continuity & Disaster Recovery	Resume All Missions & Business Functions	BCD-02.1	Mechanisms exist to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation.	- Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP) - Disaster recovery software
Business Continuity & Disaster Recovery	Continue Essential Mission & Business Functions	BCD-02.2	Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.	- Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP)
Business Continuity & Disaster Recovery	Resume Essential Missions & Business Functions	BCD-02.3	Mechanisms exist to resume essential missions and business functions within an organization-defined time period of contingency plan activation.	- Business Continuity Plan (BCP) - Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP)
Business Continuity & Disaster Recovery	Data Storage Location Reviews	BCD-02.4	Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data.		E-AST-23
Business Continuity & Disaster Recovery	Contingency Training	BCD-03	Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.	- NIST NICE Framework - Tabletop exercises	E-BCM-07
Business Continuity & Disaster Recovery	Simulated Events	BCD-03.1	Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.	- Tabletop exercises	E-BCM-06
Business Continuity & Disaster Recovery	Automated Training Environments	BCD-03.2	Automated mechanisms exist to provide a more thorough and realistic contingency training environment.
Business Continuity & Disaster Recovery	Contingency Plan Testing & Exercises	BCD-04	Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization’s readiness to execute the plan.	- Simulated disasters / emergencies	E-BCM-06 E-BCM-07
Business Continuity & Disaster Recovery	Coordinated Testing with Related Plans	BCD-04.1	Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans.	- Playbooks - Enterprise-wide Continuity of Operations Plan (COOP)
Business Continuity & Disaster Recovery	Alternate Storage & Processing Sites	BCD-04.2	Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.
Business Continuity & Disaster Recovery	Contingency Plan Root Cause Analysis (RCA) & Lessons Learned	BCD-05	Mechanisms exist to conduct a Root Cause Analysis (RCA) and ""lessons learned"" activity every time the contingency plan is activated.	- Standardized Operating Procedures (SOP) - Disaster Recovery Plan (DRP) - Business Continuity Plan (BCP) - Continuity of Operations Plan (COOP)	E-BCM-04
Business Continuity & Disaster Recovery	Contingency Planning & Updates	BCD-06	Mechanisms exist to keep contingency plans current with business needs, technology changes and feedback from contingency plan testing activities.	- Offline / offsite documentation	E-BCM-05
Business Continuity & Disaster Recovery	Alternative Security Measures	BCD-07	Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.	- Business Impact Analysis (BIA) - Criticality assessments
Business Continuity & Disaster Recovery	Alternate Storage Site	BCD-08	Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.	- SunGard - AWS - Azure
Business Continuity & Disaster Recovery	Separation from Primary Site	BCD-08.1	Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.	- SunGard - AWS - Azure
Business Continuity & Disaster Recovery	Accessibility	BCD-08.2	Mechanisms exist to identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.	- SunGard - AWS - Azure
Business Continuity & Disaster Recovery	Alternate Processing Site	BCD-09	Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.	- SunGard - AWS - Azure
Business Continuity & Disaster Recovery	Separation from Primary Site	BCD-09.1	Mechanisms exist to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats.	- SunGard - AWS - Azure
Business Continuity & Disaster Recovery	Accessibility	BCD-09.2	Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster.	- Business Continuity Plan (BCP) - Continuity of Operations Plan (COOP)
Business Continuity & Disaster Recovery	Alternate Site Priority of Service	BCD-09.3	Mechanisms exist to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs).	- Hot / warm / cold site contracts	E-TPM-04
Business Continuity & Disaster Recovery	Preparation for Use	BCD-09.4	Mechanisms exist to prepare the alternate processing alternate to support essential missions and business functions so that the alternate site is capable of being used as the primary site.
Business Continuity & Disaster Recovery	Inability to Return to Primary Site	BCD-09.5	Mechanisms exist to plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site.
Business Continuity & Disaster Recovery	Telecommunications Services Availability	BCD-10	Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.	- Alternate telecommunications services are maintained with multiple ISP / network providers
Business Continuity & Disaster Recovery	Telecommunications Priority of Service Provisions	BCD-10.1	Mechanisms exist to formalize primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).	- Hot / warm / cold site contracts	E-TPM-04
Business Continuity & Disaster Recovery	Separation of Primary / Alternate Providers	BCD-10.2	Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Business Continuity & Disaster Recovery	Provider Continency Plan	BCD-10.3	Mechanisms exist to contractually-require telecommunications service providers to have contingency plans that meet organizational contingency requirements.
Business Continuity & Disaster Recovery	Alternate Communications Paths	BCD-10.4	Mechanisms exist to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.
Business Continuity & Disaster Recovery	Data Backups	BCD-11	Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfying Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).	- Backup technologies & procedures - Offline storage	E-BCM-10 E-BCM-11 E-BCM-12 E-BCM-13
Business Continuity & Disaster Recovery	Testing for Reliability & Integrity	BCD-11.1	Mechanisms exist to routinely test backups that verifies the reliability of the backup process, as well as the integrity and availability of the data.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Business Continuity & Disaster Recovery	Separate Storage for Critical Information	BCD-11.2	Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.	- IronMountain	E-AST-08 E-BCM-11 E-BCM-12 E-BCM-13
Business Continuity & Disaster Recovery	Information System Imaging	BCD-11.3	Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Acronis - Docker (https://www.docker.com/) - VMWare
Business Continuity & Disaster Recovery	Cryptographic Protection	BCD-11.4	Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.	- Backup technologies & procedures
Business Continuity & Disaster Recovery	Test Restoration Using Sampling	BCD-11.5	Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.
Business Continuity & Disaster Recovery	Transfer to Alternate Storage Site	BCD-11.6	Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Business Continuity & Disaster Recovery	Redundant Secondary System	BCD-11.7	Mechanisms exist to maintain a failover system, that is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.
Business Continuity & Disaster Recovery	Dual Authorization For Backup Media Destruction	BCD-11.8	Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
Business Continuity & Disaster Recovery	Information System Recovery & Reconstitution	BCD-12	Mechanisms exist to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Business Continuity & Disaster Recovery	Transaction Recovery	BCD-12.1	Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs).
Business Continuity & Disaster Recovery	Failover Capability	BCD-12.2	Mechanisms exist to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.	- Load balancers - High Availability (HA) firewalls
Business Continuity & Disaster Recovery	Electronic Discovery (eDiscovery)	BCD-12.3	Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.
Business Continuity & Disaster Recovery	Restore Within Time Period	BCD-12.4	Mechanisms exist to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Business Continuity & Disaster Recovery	Backup & Restoration Hardware Protection	BCD-13	Mechanisms exist to protect backup and restoration hardware and software.
Business Continuity & Disaster Recovery	Isolated Recovery Environment	BCD-14	Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.
Business Continuity & Disaster Recovery	Reserve Hardware	BCD-15	Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.
Capacity & Performance Planning	Capacity & Performance Management	CAP-01	Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.	- Splunk - Resource monitoring
Capacity & Performance Planning	Resource Priority	CAP-02	Mechanisms exist to control resource utilization of systems that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources.	- Splunk - Resource monitoring
Capacity & Performance Planning	Capacity Planning	CAP-03	Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations.
Capacity & Performance Planning	Performance Monitoring	CAP-04	Automated mechanisms exist to centrally-monitor and alert on the operating state and health status of critical systems, applications and services.
Change Management	Change Management Program	CHG-01	Mechanisms exist to facilitate the implementation of a change management program.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - NNT Change Tracker (https://www.newnettechnologies.com) - ServiceNow (https://www.servicenow.com/) - Remedy - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) - Chef (https://www.chef.io/) (https://www.chef.io/) - Puppet (https://puppet.com/)	E-CHG-02
Change Management	Configuration Change Control	CHG-02	Mechanisms exist to govern the technical configuration change control processes.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Change Control Board (CCB) - Configuration Management Database (CMDB) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) Enterprise - Chef (https://www.chef.io/) (https://www.chef.io/) - Puppet (https://puppet.com/) - Solarwinds (https://www.solarwinds.com/) - Docker (https://www.docker.com/) - VisibleOps methodology - ITIL infrastructure library	E-CHG-02
Change Management	Prohibition Of Changes	CHG-02.1	Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - Manual processes/workflows - Application whitelisting
Change Management	Test, Validate & Document Changes	CHG-02.2	Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - NNT Change Tracker (https://www.newnettechnologies.com) - VMware - Docker (https://www.docker.com/)	E-CHG-03
Change Management	Security & Privacy Representative for Asset Lifecycle Changes	CHG-02.3	Mechanisms exist to include a cybersecurity and/or privacy representative in the configuration change control review process.	- Change Control Board (CCB) - Change Advisory Board (CAB) - VisibleOps methodology - ITIL infrastructure library	E-CHG-04
Change Management	Automated Security Response	CHG-02.4	Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configurations change(s).	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Change Management	Cryptographic Management	CHG-02.5	Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes.
Change Management	Security Impact Analysis for Changes	CHG-03	Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.	- VisibleOps methodology - ITIL infrastructure library - Change management software
Change Management	Access Restriction For Change	CHG-04	Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - Role-based permissions - Mandatory Access Control (MAC) - Application whitelisting
Change Management	Automated Access Enforcement / Auditing	CHG-04.1	Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - NNT Change Tracker (https://www.newnettechnologies.com) - Manual review processes - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) - Puppet (https://puppet.com/) - Chef (https://www.chef.io/) (https://www.chef.io/)
Change Management	Signed Components	CHG-04.2	Mechanisms exist to prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority.	- Privileged Account Management (PAM) - Patch management tools - OS configuration standards
Change Management	Dual Authorization for Change	CHG-04.3	Mechanisms exist to enforce a two-person rule for implementing changes to critical assets.	- Separation of Duties (SoD)
Change Management	Limit Production / Operational Privileges (Incompatible Roles)	CHG-04.4	Mechanisms exist to limit operational privileges for implementing changes.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Separation of Duties (SoD) - Privileged Account Management (PAM)
Change Management	Library Privileges	CHG-04.5	Mechanisms exist to restrict software library privileges to those individuals with a pertinent business need for access.	- Privileged Account Management (PAM)
Change Management	Stakeholder Notification of Changes	CHG-05	Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes.	- Change management procedures - VisibleOps methodology - ITIL infrastructure library
Change Management	Security Functionality Verification	CHG-06	Mechanisms exist to verify the functionality of security controls when anomalies are discovered.	- Information Assurance Program (IAP) - Security Test & Evaluation (STE)
Change Management	Report Verification Results	CHG-06.1	Mechanisms exist to report the results of cybersecurity and privacy function verification to appropriate organizational management.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Cloud Security	Cloud Services	CLD-01	Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.	- Data Protection Impact Assessment (DPIA)	E-AST-06
Cloud Security	Cloud Infrastructure Onboarding	CLD-01.1	Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
Cloud Security	Cloud Infrastructure Offboarding	CLD-01.2	Mechanisms exist to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
Cloud Security	Cloud Security Architecture	CLD-02	Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments.	- Architectural review board - System Security Plan (SSP) - Security architecture roadmaps	E-TDA-09
Cloud Security	Cloud Infrastructure Security Subnet	CLD-03	Mechanisms exist to host security-specific technologies in a dedicated subnet.	- Security management subnet
Cloud Security	Application & Program Interface (API) Security	CLD-04	Mechanisms exist to ensure support for secure interoperability between components.	- Use only open and published APIs
Cloud Security	Virtual Machine Images	CLD-05	Mechanisms exist to ensure the integrity of virtual machine images at all times.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - File Integrity Monitoring (FIM) - Docker (https://www.docker.com/) - NNT Change Tracker (https://www.newnettechnologies.com)
Cloud Security	Multi-Tenant Environments	CLD-06	Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.	- Security architecture review - Defined processes to segment at the network, application, databases layers
Cloud Security	Customer Responsibility Matrix (CRM)	CLD-06.1	Mechanisms exist to formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers.	- Customer Responsibility Matrix (CRM) - Shared Responsibility Matrix (SRM) - Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix	E-CPL-03
Cloud Security	Multi-Tenant Event Logging Capabilities	CLD-06.2	Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations.
Cloud Security	Multi-Tenant Forensics Capabilities	CLD-06.3	Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
Cloud Security	Multi-Tenant Incident Response Capabilities	CLD-06.4	Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
Cloud Security	Data Handling & Portability	CLD-07	Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services.	- Data Protection Impact Assessment (DPIA) - Security architecture review - Encrypted data transfers (e.g. TLS or VPNs)
Cloud Security	Standardized Virtualization Formats	CLD-08	Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Data Protection Impact Assessment (DPIA) - Manual review process - Vendor risk assessments - Independent vendor compliance assessments
Cloud Security	Geolocation Requirements for Processing, Storage and Service Locations	CLD-09	Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.	- Data Protection Impact Assessment (DPIA)	E-AST-06 E-AST-23
Cloud Security	Sensitive Data In Public Cloud Providers	CLD-10	Mechanisms exist to limit and manage the storage of sensitive/regulated data in public cloud providers.	- Data Protection Impact Assessment (DPIA) - Security and network architecture diagrams - Data Flow Diagram (DFD)	E-AST-08
Cloud Security	Cloud Access Point (CAP)	CLD-11	Mechanisms exist to utilize Cloud Access Points (CAPs) to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud.	- Next Generation Firewall (NGF) - Web Application Firewall (WAF) - Network Routing / Switching - Intrusion Detection / Protection (IDS / IPS) - Data Loss Prevention (DLP) - Full Packet Capture
Cloud Security	Side Channel Attack Prevention	CLD-12	Mechanisms exist to prevent ""side channel attacks"" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
Compliance	Statutory, Regulatory & Contractual Compliance	CPL-01	Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.	- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Steering committee	E-CPL-01 E-GOV-10
Compliance	Non-Compliance Oversight	CPL-01.1	Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.		E-CPL-05
Compliance	Compliance Scope	CPL-01.2	Mechanisms exist to document and validate the scope of cybersecurity and privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.		E-AST-02 E-CPL-02 E-GOV-10
Compliance	Security & Privacy Controls Oversight	CPL-02	Mechanisms exist to provide a security & privacy controls oversight function that reports to the organization's executive leadership.	- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Steering committee - Formalized SDLC program - Formalized DevOps program - Information Assurance Program (IAP) - Security Test & Evaluation (STE)	E-CPL-07 E-CPL-09 E-GOV-04 E-GOV-05 E-GOV-06 E-GOV-13 E-RSK-03
Compliance	Internal Audit Function	CPL-02.1	Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes.		E-CPL-04 E-CPL-07
Compliance	Security Assessments	CPL-03	Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.	- Information Assurance Program (IAP) - Security Test & Evaluation (STE) - Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)	E-CPL-05 E-CPL-07
Compliance	Independent Assessors	CPL-03.1	Mechanisms exist to utilize independent assessors to evaluate security & privacy controls at planned intervals or when the system, service or project undergoes significant changes.	- Information Assurance Program (IAP) - Security Test & Evaluation (STE)	E-CPL-07
Compliance	Functional Review Of Security Controls	CPL-03.2	Mechanisms exist to regularly review technology assets for adherence to the organization’s cybersecurity and privacy policies and standards.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Internal audit program - NNT Change Tracker (https://www.newnettechnologies.com) - Operational review processes - Regular/yearly policy and standards review process - Governance, Risk and Compliance Solution (GRC) (ZenGRC, Archer, RSAM, Metric stream, etc.)	E-CPL-08
Compliance	Audit Activities	CPL-04	Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.	- Internal audit program
Compliance	Legal Assessment of Investigative Inquires	CPL-05	Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary.
Compliance	Investigation Request Notifications	CPL-05.1	Mechanisms exist to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution).
Compliance	Investigation Access Restrictions	CPL-05.2	Mechanisms exist to support official investigations by provisioning government investigators with ""least privileges"" and ""least functionality"" to ensure that government investigators only have access to the data and systems needed to perform the investigation.
Compliance	Government Surveillance	CPL-06	Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.	- Board of Directors (Bod) Ethics Committee
Configuration Management	Configuration Management Program	CFG-01	Mechanisms exist to facilitate the implementation of configuration management controls.	- NNT Change Tracker (https://www.newnettechnologies.com) - Configuration Management Database (CMDB) - Baseline hardening standards - Formalized DevOps program - Information Assurance Program (IAP) - Security Test & Evaluation (STE)
Configuration Management	Assignment of Responsibility	CFG-01.1	Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Configuration Management	System Hardening Through Baseline Configurations	CFG-02	Mechanisms exist to develop, document and maintain secure baseline configurations for technology platform that are consistent with industry-accepted system hardening standards.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs) - Center for Internet Security (CIS) Benchmarks - NNT Change Tracker (https://www.newnettechnologies.com)	E-AST-12 E-AST-13 E-AST-14 E-AST-15 E-AST-16 E-AST-17 E-AST-18 E-AST-19 E-AST-20 E-AST-21
Configuration Management	Reviews & Updates	CFG-02.1	Mechanisms exist to review and update baseline configurations: ▪ At least annually; ▪ When required due to so; or ▪ As part of system component installations and upgrades.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs) - Center for Internet Security (CIS) Benchmarks - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Automated Central Management & Verification	CFG-02.2	Automated mechanisms exist to govern and report on baseline configurations of the systems.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Retention Of Previous Configurations	CFG-02.3	Mechanisms exist to retain previous versions of baseline configuration to support roll back.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Development & Test Environment Configurations	CFG-02.4	Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Configure Systems, Components or Services for High-Risk Areas	CFG-02.5	Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations.	- NNT Change Tracker (https://www.newnettechnologies.com)	E-AST-12 E-AST-13 E-AST-14 E-AST-15 E-AST-16 E-AST-17 E-AST-18 E-AST-19 E-AST-20 E-AST-21
Configuration Management	Network Device Configuration File Synchronization	CFG-02.6	Mechanisms exist to configure network devices to synchronize startup and running configuration files.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Approved Configuration Deviations	CFG-02.7	Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Respond To Unauthorized Changes	CFG-02.8	Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Service Level Agreements (SLAs) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Baseline Tailoring	CFG-02.9	Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: ▪ Mission / business functions; ▪ Operational environment; ▪ Specific threats or vulnerabilities; or ▪ Other conditions or situations that could affect mission / business success.	- DISA STIGs - CIS Benchmarks
Configuration Management	Least Functionality	CFG-03	Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Periodic Review	CFG-03.1	Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.	- NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Prevent Unauthorized Software Execution	CFG-03.2	Mechanisms exist to configure systems to prevent the execution of unauthorized software programs.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Unauthorized or Authorized Software (Blacklisting or Whitelisting)	CFG-03.3	Mechanisms exist to whitelist or blacklist applications in an order to limit what is authorized to execute on systems.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Split Tunneling	CFG-03.4	Mechanisms exist to prevent systems from creating split tunneling connections or similar techniques that could be used to exfiltrate data.
Configuration Management	Software Usage Restrictions	CFG-04	Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.
Configuration Management	Open Source Software	CFG-04.1	Mechanisms exist to establish parameters for the secure use of open source software.	- Acceptable Use Policy (AUP)
Configuration Management	Unsupported Internet Browsers & Email Clients	CFG-04.2	Mechanisms exist to allow only approved Internet browsers and email clients to run on systems.
Configuration Management	User-Installed Software	CFG-05	Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.	- Privileged Account Management (PAM)
Configuration Management	Unauthorized Installation Alerts	CFG-05.1	Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Configuration Management	Restrict Roles Permitted To Install Software	CFG-05.2	Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service.
Configuration Management	Configuration Enforcement	CFG-06	Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.
Configuration Management	Zero-Touch Provisioning (ZTP)	CFG-07	Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
Configuration Management	Sensitive / Regulated Data Access Enforcement	CFG-08	Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data.		E-DCH-08
Configuration Management	Sensitive / Regulated Data Actions	CFG-08.1	Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.
Continuous Monitoring	Continuous Monitoring	MON-01	Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.	- Splunk - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Intrusion Detection & Prevention Systems (IDS & IPS)	MON-01.1	Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Automated Tools for Real-Time Analysis	MON-01.2	Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)	E-MON-01 E-MON-05
Continuous Monitoring	Inbound & Outbound Communications Traffic	MON-01.3	Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	System Generated Alerts	MON-01.4	Mechanisms exist to monitor, correlate and respond to alerts from physical, cybersecurity, privacy and supply chain activities to achieve integrated situational awareness.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Wireless Intrusion Detection System (WIDS)	MON-01.5	Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Host-Based Devices	MON-01.6	Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	File Integrity Monitoring (FIM)	MON-01.7	Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Reviews & Updates	MON-01.8	Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.	- Security Incident Event Manager (SIEM) - Splunk	E-MON-01 E-MON-02 E-MON-05
Continuous Monitoring	Proxy Logging	MON-01.9	Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Deactivated Account Activity	MON-01.10	Mechanisms exist to monitor deactivated accounts for attempted usage.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Automated Response to Suspicious Events	MON-01.11	Mechanisms exist to automatically implement pre-determined corrective actions in response to detected events that have security incident implications.
Continuous Monitoring	Automated Alerts	MON-01.12	Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications.
Continuous Monitoring	Alert Threshold Tuning	MON-01.13	Mechanisms exist to ""tune"" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events.
Continuous Monitoring	Individuals Posing Greater Risk	MON-01.14	Mechanisms exist to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk.		E-MON-03
Continuous Monitoring	Privileged User Oversight	MON-01.15	Mechanisms exist to implement enhanced activity monitoring for privileged users.		E-MON-03
Continuous Monitoring	Analyze and Prioritize Monitoring Requirements	MON-01.16	Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.
Continuous Monitoring	Real-Time Session Monitoring	MON-01.17	Mechanisms exist to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations.
Continuous Monitoring	Centralized Collection of Security Event Logs	MON-02	Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs.	- Security Incident Event Manager (SIEM) - Splunk	E-MON-01 E-MON-05
Continuous Monitoring	Correlate Monitoring Information	MON-02.1	Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Central Review & Analysis	MON-02.2	Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)	E-MON-01 E-MON-02 E-MON-05
Continuous Monitoring	Integration of Scanning & Other Monitoring Information	MON-02.3	Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity.
Continuous Monitoring	Correlation with Physical Monitoring	MON-02.4	Automated mechanisms exist to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity.
Continuous Monitoring	Permitted Actions	MON-02.5	Mechanisms exist to specify the permitted actions for both users and systems associated with the review, analysis and reporting of audit information.
Continuous Monitoring	Audit Level Adjustments	MON-02.6	Mechanisms exist to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence.
Continuous Monitoring	System-Wide / Time-Correlated Audit Trail	MON-02.7	Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated.
Continuous Monitoring	Changes by Authorized Individuals	MON-02.8	Mechanisms exist to provide privileged users or roles the capability to change the auditing to be performed on specified information system components, based on specific event criteria within specified time thresholds.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Continuous Monitoring	Content of Audit Records	MON-03	Mechanisms exist to configure systems to produce audit records that contain sufficient information to, at a minimum: ▪ Establish what type of event occurred; ▪ When (date and time) the event occurred; ▪ Where the event occurred; ▪ The source of the event; ▪ The outcome (success or failure) of the event; and ▪ The identity of any user/subject associated with the event.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Continuous Monitoring	Sensitive Audit Information	MON-03.1	Mechanisms exist to protect sensitive/regulated data contained in log files.
Continuous Monitoring	Audit Trails	MON-03.2	Mechanisms exist to link system access to individual users or service accounts.
Continuous Monitoring	Privileged Functions Logging	MON-03.3	Mechanisms exist to log and review the actions of users and/or services with elevated privileges.	- Security Incident Event Manager (SIEM) - Splunk
Continuous Monitoring	Verbosity Logging for Boundary Devices	MON-03.4	Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies.
Continuous Monitoring	Limit Personal Data (PD) In Audit Records	MON-03.5	Mechanisms exist to limit Personal Data (PD) contained in audit records to the elements identified in the privacy risk assessment.	- Data Protection Impact Assessment (DPIA)
Continuous Monitoring	Centralized Management of Planned Audit Record Content	MON-03.6	Mechanisms exist to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.
Continuous Monitoring	Database Logging	MON-03.7	Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities.
Continuous Monitoring	Event Log Storage Capacity	MON-04	Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.
Continuous Monitoring	Response To Event Log Processing Failures	MON-05	Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Real-Time Alerts of Event Logging Failure	MON-05.1	Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Event Log Storage Capacity Alerting	MON-05.2	Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.
Continuous Monitoring	Monitoring Reporting	MON-06	Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Query Parameter Audits of Personal Data (PD)	MON-06.1	Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD).
Continuous Monitoring	Trend Analysis Reporting	MON-06.2	Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
Continuous Monitoring	Time Stamps	MON-07	Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event logs.
Continuous Monitoring	Synchronization With Authoritative Time Source	MON-07.1	Mechanisms exist to synchronize internal system clocks with an authoritative time source.	- Network Time Protocol (NTP)
Continuous Monitoring	Protection of Event Logs	MON-08	Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk
Continuous Monitoring	Event Log Backup on Separate Physical Systems / Components	MON-08.1	Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk
Continuous Monitoring	Access by Subset of Privileged Users	MON-08.2	Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.	- Security Incident Event Manager (SIEM) - Splunk
Continuous Monitoring	Cryptographic Protection of Event Log Information	MON-08.3	Cryptographic mechanisms exist to protect the integrity of event logs and audit tools.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Continuous Monitoring	Dual Authorization for Event Log Movement	MON-08.4	Automated mechanisms exist to enforce dual authorization for the movement or deletion of event logs.
Continuous Monitoring	Non-Repudiation	MON-09	Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Continuous Monitoring	Identity Binding	MON-09.1	Mechanisms exist to bind the identity of the information producer to the information generated.
Continuous Monitoring	Event Log Retention	MON-10	Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)	E-AST-11
Continuous Monitoring	Monitoring For Information Disclosure	MON-11	Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.	- Content filtering solution - Review of social media outlets
Continuous Monitoring	Analyze Traffic for Covert Exfiltration	MON-11.1	Automated mechanisms exist to analyze network traffic to detect covert data exfiltration.
Continuous Monitoring	Unauthorized Network Services	MON-11.2	Automated mechanisms exist to detect unauthorized network services and alert incident response personnel.
Continuous Monitoring	Monitoring for Indicators of Compromise (IOC)	MON-11.3	Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC).	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Continuous Monitoring	Session Audit	MON-12	Mechanisms exist to provide session audit capabilities that can: ▪ Capture and log all content related to a user session; and ▪ Remotely view all content related to an established user session in real time.	- NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Alternate Event Logging Capability	MON-13	Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Cross-Organizational Monitoring	MON-14	Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data.
Continuous Monitoring	Sharing of Event Logs	MON-14.1	Mechanisms exist to share event logs with third-party organizations based on specific cross-organizational sharing agreements.	- Veris (incident sharing) (http://veriscommunity.net)
Continuous Monitoring	Covert Channel Analysis	MON-15	Mechanisms exist to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels.
Continuous Monitoring	Anomalous Behavior	MON-16	Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Insider Threats	MON-16.1	Mechanisms exist to monitor internal personnel activity for potential security incidents.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Third-Party Threats	MON-16.2	Mechanisms exist to monitor third-party personnel activity for potential security incidents.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Unauthorized Activities	MON-16.3	Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Continuous Monitoring	Account Creation and Modification Logging	MON-16.4	Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups.
Cryptographic Protections	Use of Cryptographic Controls	CRY-01	Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.	- Key and certificate management solutions - Microsoft BitLocker (https://www.microsoft.com/en-us/download/details.aspx?id=53006) - Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection) - Vormetric Transparent Encryption (https://www.thalesesecurity.com/products/data-encryption/vormetric-transparent-encryption)
Cryptographic Protections	Alternate Physical Protection	CRY-01.1	Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternate to physical safeguards.
Cryptographic Protections	Export-Controlled Technology	CRY-01.2	Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.
Cryptographic Protections	Pre/Post Transmission Handling	CRY-01.3	Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception.
Cryptographic Protections	Conceal / Randomize Communications	CRY-01.4	Cryptographic mechanisms exist to conceal or randomize communication patterns.
Cryptographic Protections	Cryptographic Cipher Suites and Protocols Inventory	CRY-01.5	Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.
Cryptographic Protections	Cryptographic Module Authentication	CRY-02	Automated mechanisms exist to enable systems to authenticate to a cryptographic module.	- Yubico (https://www.yubico.com)
Cryptographic Protections	Transmission Confidentiality	CRY-03	Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.	- SSL / TLS protocols - IPSEC Tunnels - Native MPLS encrypted tunnel configurations - Custom encrypted payloads	E-CRY-01
Cryptographic Protections	Transmission Integrity	CRY-04	Cryptographic mechanisms exist to protect the integrity of data being transmitted.		E-CRY-01
Cryptographic Protections	Encrypting Data At Rest	CRY-05	Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.	- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)
Cryptographic Protections	Storage Media	CRY-05.1	Cryptographic mechanisms exist to protect the confidentiality and integrity of sensitive/regulated data residing on storage media.	- Native Storage Area Network (SAN) encryption functionality - BitLocker and EFS
Cryptographic Protections	Offline Storage	CRY-05.2	Mechanisms exist to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements.
Cryptographic Protections	Database Encryption	CRY-05.3	Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases.
Cryptographic Protections	Non-Console Administrative Access	CRY-06	Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.
Cryptographic Protections	Wireless Access Authentication & Encryption	CRY-07	Mechanisms exist to protect wireless access via secure authentication and encryption.
Cryptographic Protections	Public Key Infrastructure (PKI)	CRY-08	Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider.	- Microsoft Active Directory (AD) Certificate Services - Digitcert (https://www.digicert.com) - Entrust (https://www.entrust.com) - Comodo (https://www.comodo.com) - Vault (https://www.vaultproject.io/)
Cryptographic Protections	Availability	CRY-08.1	Resiliency mechanisms exist to ensure the availability of data in the event of the loss of cryptographic keys.
Cryptographic Protections	Cryptographic Key Management	CRY-09	Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.	- Microsoft Active Directory (AD) Certificate Services - Digitcert (https://www.digicert.com) - Entrust (https://www.entrust.com) - Comodo (https://www.comodo.com) - Vault (https://www.vaultproject.io/)	E-CRY-01
Cryptographic Protections	Symmetric Keys	CRY-09.1	Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.		E-CRY-01
Cryptographic Protections	Asymmetric Keys	CRY-09.2	Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key.		E-CRY-01
Cryptographic Protections	Cryptographic Key Loss or Change	CRY-09.3	Mechanisms exist to ensure the availability of information in the event of the loss of cryptographic keys by individual users.	- Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys.
Cryptographic Protections	Control & Distribution of Cryptographic Keys	CRY-09.4	Mechanisms exist to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes.
Cryptographic Protections	Assigned Owners	CRY-09.5	Mechanisms exist to ensure cryptographic keys are bound to individual identities.
Cryptographic Protections	Third-Party Cryptographic Keys	CRY-09.6	Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared.
Cryptographic Protections	External System Cryptographic Key Control	CRY-09.7	Mechanisms exist to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system.
Cryptographic Protections	Transmission of Security & Privacy Attributes	CRY-10	Mechanisms exist to ensure systems associate security attributes with information exchanged between systems.	- Integrity checking
Cryptographic Protections	Certificate Authorities	CRY-11	Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions.
Data Classification & Handling	Data Protection	DCH-01	Mechanisms exist to facilitate the implementation of data protection controls.
Data Classification & Handling	Data Stewardship	DCH-01.1	Mechanisms exist to ensure data stewardship is assigned, documented and communicated.
Data Classification & Handling	Sensitive / Regulated Data Protection	DCH-01.2	Mechanisms exist to protect sensitive/regulated data wherever it is stored.
Data Classification & Handling	Sensitive / Regulated Media Records	DCH-01.3	Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident.
Data Classification & Handling	Data & Asset Classification	DCH-02	Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.		E-DCH-01 E-DCH-02
Data Classification & Handling	Highest Classification Level	DCH-02.1	Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.
Data Classification & Handling	Media Access	DCH-03	Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.	- Data Loss Prevention (DLP)
Data Classification & Handling	Disclosure of Information	DCH-03.1	Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know.
Data Classification & Handling	Masking Displayed Data	DCH-03.2	Mechanisms exist to apply data masking to sensitive information that is displayed or printed.
Data Classification & Handling	Controlled Release	DCH-03.3	Automated mechanisms exist to validate cybersecurity and privacy attributes prior to releasing information to external systems.
Data Classification & Handling	Media Marking	DCH-04	Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
Data Classification & Handling	Automated Marking	DCH-04.1	Automated mechanisms exist to mark media and system output to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aide Data Loss Prevention (DLP) technologies.
Data Classification & Handling	Security & Privacy Attributes	DCH-05	Mechanisms exist to bind security attributes to information as it is stored, transmitted and processed.
Data Classification & Handling	Dynamic Attribute Association	DCH-05.1	Mechanisms exist to dynamically associate cybersecurity and privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and privacy policies.
Data Classification & Handling	Attribute Value Changes By Authorized Individuals	DCH-05.2	Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity and privacy attributes.
Data Classification & Handling	Maintenance of Attribute Associations By System	DCH-05.3	Mechanisms exist to maintain the association and integrity of cybersecurity and privacy attributes to individuals and objects.
Data Classification & Handling	Association of Attributes By Authorized Individuals	DCH-05.4	Mechanisms exist to provide the capability to associate cybersecurity and privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals).
Data Classification & Handling	Attribute Displays for Output Devices	DCH-05.5	Mechanisms exist to display cybersecurity and privacy attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions.
Data Classification & Handling	Data Subject Attribute Associations	DCH-05.6	Mechanisms exist to require personnel to associate and maintain the association of cybersecurity and privacy attributes with individuals and objects in accordance with cybersecurity and privacy policies.
Data Classification & Handling	Consistent Attribute Interpretation	DCH-05.7	Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of cybersecurity and privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.
Data Classification & Handling	Identity Association Techniques & Technologies	DCH-05.8	Mechanisms exist to associate cybersecurity and privacy attributes to information.
Data Classification & Handling	Attribute Reassignment	DCH-05.9	Mechanisms exist to reclassify data as required, due to changing business/technical requirements.
Data Classification & Handling	Attribute Configuration By Authorized Individuals	DCH-05.10	Mechanisms exist to provide authorized individuals the capability to define or change the type and value of cybersecurity and privacy attributes available for association with subjects and objects.
Data Classification & Handling	Audit Changes	DCH-05.11	Mechanisms exist to audit changes to cybersecurity and privacy attributes and responds to events in accordance with incident response procedures.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Data Classification & Handling	Media Storage	DCH-06	Mechanisms exist to: ▪ Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and ▪ Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.
Data Classification & Handling	Physically Secure All Media	DCH-06.1	Mechanisms exist to physically secure all media that contains sensitive information.	- Lockbox
Data Classification & Handling	Sensitive Data Inventories	DCH-06.2	Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.		E-AST-08
Data Classification & Handling	Periodic Scans for Sensitive Data	DCH-06.3	Mechanisms exist to periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations.
Data Classification & Handling	Making Sensitive Data Unreadable In Storage	DCH-06.4	Mechanisms exist to ensure sensitive/regulated data is rendered human unreadable anywhere sensitive/regulated data is stored.
Data Classification & Handling	Storing Authentication Data	DCH-06.5	Mechanisms exist to prohibit the storage of sensitive transaction authentication data after authorization.
Data Classification & Handling	Media Transportation	DCH-07	Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.	- Assigned couriers
Data Classification & Handling	Custodians	DCH-07.1	Mechanisms exist to identify custodians throughout the transport of digital or non-digital media.	- Chain of custody
Data Classification & Handling	Encrypting Data In Storage Media	DCH-07.2	Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Data Classification & Handling	Physical Media Disposal	DCH-08	Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.	- Shred-it - IronMountain - DoD-strength data erasers	E-AST-03
Data Classification & Handling	Digital Media Sanitization	DCH-09	Mechanisms exist to sanitize digital media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.		E-AST-03 E-DCH-07
Data Classification & Handling	Media Sanitization Documentation	DCH-09.1	Mechanisms exist to supervise, track, document and verify media sanitization and disposal actions.	- Certificate of destruction	E-AST-03 E-DCH-07
Data Classification & Handling	Equipment Testing	DCH-09.2	Mechanisms exist to test sanitization equipment and procedures to verify that the intended result is achieved.
Data Classification & Handling	Sanitization of Personal Data (PD)	DCH-09.3	Mechanisms exist to facilitate the sanitization of Personal Data (PD).	- De-identifying PI
Data Classification & Handling	First Time Use Sanitization	DCH-09.4	Mechanisms exist to apply nondestructive sanitization techniques to portable storage devices prior to first use.
Data Classification & Handling	Dual Authorization for Sensitive Data Destruction	DCH-09.5	Mechanisms exist to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive / regulated data.
Data Classification & Handling	Media Use	DCH-10	Mechanisms exist to restrict the use of types of digital media on systems or system components.
Data Classification & Handling	Limitations on Use	DCH-10.1	Mechanisms exist to restrict the use and distribution of sensitive / regulated data.
Data Classification & Handling	Prohibit Use Without Owner	DCH-10.2	Mechanisms exist to prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
Data Classification & Handling	Data Reclassification	DCH-11	Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information.
Data Classification & Handling	Removable Media Security	DCH-12	Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters.
Data Classification & Handling	Use of External Information Systems	DCH-13	Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data.
Data Classification & Handling	Limits of Authorized Use	DCH-13.1	Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first: ▪ Verifying the implementation of required security controls; or ▪ Retaining a processing agreement with the entity hosting the external systems or service.
Data Classification & Handling	Portable Storage Devices	DCH-13.2	Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems.
Data Classification & Handling	Protecting Sensitive Data on External Systems	DCH-13.3	Mechanisms exist to ensure that the requirements for the protection of sensitive information processed, stored or transmitted on external systems, are implemented in accordance with applicable statutory, regulatory and contractual obligations.	- NIST 800-171 Compliance Criteria (NCC) (ComplianceForge)
Data Classification & Handling	Non-Organizationally Owned Systems / Components / Devices	DCH-13.4	Mechanisms exist to restrict the use of non-organizationally owned information systems, system components or devices to process, store or transmit organizational information.
Data Classification & Handling	Information Sharing	DCH-14	Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.	- ShareFile - SmartVault - Veris (incident sharing) (http://veriscommunity.net)
Data Classification & Handling	Information Search & Retrieval	DCH-14.1	Mechanisms exist to ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions.
Data Classification & Handling	Transfer Authorizations	DCH-14.2	Mechanisms exist to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data.
Data Classification & Handling	Data Access Mapping	DCH-14.3	Mechanisms exist to develop a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) to determine the personnel with whom sensitive/regulated data is shared.
Data Classification & Handling	Publicly Accessible Content	DCH-15	Mechanisms exist to control publicly-accessible content.	- Designate individuals authorized to post information onto systems that are publicly accessible. - Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information. - Review the proposed content of publicly accessible information for nonpublic information prior to posting. - Remove nonpublic information from the publicly accessible system.
Data Classification & Handling	Data Mining Protection	DCH-16	Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques.
Data Classification & Handling	Ad-Hoc Transfers	DCH-17	Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties.	- ShareFile - Box
Data Classification & Handling	Media & Data Retention	DCH-18	Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.	- Data Protection Impact Assessment (DPIA)	E-AST-11
Data Classification & Handling	Limit Personal Data (PD) Elements In Testing, Training & Research	DCH-18.1	Mechanisms exist to limit Personal Data (PD) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Minimize Personal Data (PD)	DCH-18.2	Mechanisms exist to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Temporary Files Containing Personal Data (PD)	DCH-18.3	Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD).
Data Classification & Handling	Geographic Location of Data	DCH-19	Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties.		E-AST-23
Data Classification & Handling	Archived Data Sets	DCH-20	Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
Data Classification & Handling	Information Disposal	DCH-21	Mechanisms exist to securely dispose of, destroy or erase information.	- Shred-it - IronMountain
Data Classification & Handling	Data Quality Operations	DCH-22	Mechanisms exist to check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Updating & Correcting Personal Data (PD)	DCH-22.1	Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Data Tags	DCH-22.2	Mechanisms exist to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Primary Source Personal Data (PD) Collection	DCH-22.3	Mechanisms exist to collect Personal Data (PD) directly from the individual.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	De-Identification (Anonymization)	DCH-23	Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	De-Identify Dataset Upon Collection	DCH-23.1	Mechanisms exist to de-identify the dataset upon collection by not collecting Personal Data (PD).	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Archiving	DCH-23.2	Mechanisms exist to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Release	DCH-23.3	Mechanisms exist to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers	DCH-23.4	Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Statistical Disclosure Control	DCH-23.5	Mechanisms exist to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis.
Data Classification & Handling	Differential Privacy	DCH-23.6	Mechanisms exist to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Automated De-Identification of Sensitive Data	DCH-23.7	Mechanisms exist to perform de-identification of sensitive/regulated data, using validated algorithms and software to implement the algorithms.	- Data Protection Impact Assessment (DPIA)
Data Classification & Handling	Motivated Intruder	DCH-23.8	Mechanisms exist to perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.
Data Classification & Handling	Code Names	DCH-23.9	Mechanisms exist to use aliases to name assets, that are mission-critical and/or contain highly-sensitive/regulated data, are unique and not readily associated with a product, project or type of data.
Data Classification & Handling	Information Location	DCH-24	Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.	- Data Flow Diagram (DFD)	E-AST-23
Data Classification & Handling	Automated Tools to Support Information Location	DCH-24.1	Automated mechanisms exist to identify by data classification type to ensure adequate cybersecurity and privacy controls are in place to protect organizational information and individual privacy.
Data Classification & Handling	Transfer of Sensitive and/or Regulated Data	DCH-25	Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.	- Model contracts - Privacy Shield - Binding Corporate Rules (BCR)
Data Classification & Handling	Transfer Activity Limits	DCH-25.1	Mechanisms exist to establish organization-defined ""normal business activities"" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.
Data Classification & Handling	Data Localization	DCH-26	Mechanisms exist to constrain the impact of ""digital sovereignty laws,"" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.	- Board of Directors (Bod) Ethics Committee
Embedded Technology	Embedded Technology Security Program	EMB-01	Mechanisms exist to facilitate the implementation of embedded technology controls.		E-AST-07
Embedded Technology	Internet of Things (IOT)	EMB-02	Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Internet of Things (IoT).
Embedded Technology	Operational Technology (OT)	EMB-03	Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Operational Technology (OT).
Embedded Technology	Interface Security	EMB-04	Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s).
Embedded Technology	Embedded Technology Configuration Monitoring	EMB-05	Mechanisms exist to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected.
Embedded Technology	Prevent Alterations	EMB-06	Mechanisms exist to protect embedded devices by preventing the unauthorized installation and execution of software.
Embedded Technology	Embedded Technology Maintenance	EMB-07	Mechanisms exist to securely update software and upgrade functionality on embedded devices.
Embedded Technology	Resilience To Outages	EMB-08	Mechanisms exist to configure embedded technology to be resilient to data network and power outages.
Embedded Technology	Power Level Monitoring	EMB-09	Automated mechanisms exist to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering.
Embedded Technology	Embedded Technology Reviews	EMB-10	Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.
Embedded Technology	Message Queuing Telemetry Transport (MQTT) Security	EMB-11	Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
Embedded Technology	Restrict Communications	EMB-12	Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications.
Embedded Technology	Authorized Communications	EMB-13	Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints.
Embedded Technology	Operating Environment Certification	EMB-14	Mechanisms exist to determine if embedded technologies are certified for secure use in the proposed operating environment.
Embedded Technology	Safety Assessment	EMB-15	Mechanisms exist to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure.
Embedded Technology	Certificate-Based Authentication	EMB-16	Mechanisms exist to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services.
Embedded Technology	Chip-To-Cloud Security	EMB-17	Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP).
Embedded Technology	Real-Time Operating System (RTOS) Security	EMB-18	Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS).
Embedded Technology	Safe Operations	EMB-19	Mechanisms exist to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured.
Endpoint Security	Endpoint Security	END-01	Mechanisms exist to facilitate the implementation of endpoint security controls.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Group Policy Objects (GPOs) - Antimalware technologies - Software firewalls - Host-based IDS/IPS technologies - NNT Change Tracker (https://www.newnettechnologies.com)
Endpoint Security	Endpoint Protection Measures	END-02	Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Endpoint Security	Prohibit Installation Without Privileged Status	END-03	Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Removal of local admin rights - Privileged Account Management (PAM) - NNT Change Tracker (https://www.newnettechnologies.com)
Endpoint Security	Software Installation Alerts	END-03.1	Mechanisms exist to generate an alert when new software is detected.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)
Endpoint Security	Governing Access Restriction for Change	END-03.2	Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to systems.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Endpoint Security	Malicious Code Protection (Anti-Malware)	END-04	Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Antimalware software - NNT Change Tracker (https://www.newnettechnologies.com)
Endpoint Security	Automatic Antimalware Signature Updates	END-04.1	Mechanisms exist to automatically update antimalware technologies, including signature definitions.	- Antimalware software
Endpoint Security	Documented Protection Measures	END-04.2	Mechanisms exist to document antimalware technologies.
Endpoint Security	Centralized Management of Antimalware Technologies	END-04.3	Mechanisms exist to centrally-manage antimalware technologies.	- Antimalware software	E-MON-02
Endpoint Security	Heuristic / Nonsignature-Based Detection	END-04.4	Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.	- Antimalware software
Endpoint Security	Malware Protection Mechanism Testing	END-04.5	Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs.	- EICAR test file
Endpoint Security	Evolving Malware Threats	END-04.6	Mechanisms exist to perform periodic evaluations evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software.
Endpoint Security	Always On Protection	END-04.7	Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.	- Antimalware software
Endpoint Security	Software Firewall	END-05	Mechanisms exist to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible.	- NNT Change Tracker (https://www.newnettechnologies.com)
Endpoint Security	Endpoint File Integrity Monitoring (FIM)	END-06	Mechanisms exist to utilize File Integrity Monitor (FIM) technology to detect and report unauthorized changes to system files and configurations.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - File Integrity Monitor (FIM)
Endpoint Security	Integrity Checks	END-06.1	Mechanisms exist to validate configurations through integrity checking of software and firmware.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - File Integrity Monitor (FIM)
Endpoint Security	Integration of Detection & Response	END-06.2	Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - File Integrity Monitor (FIM)
Endpoint Security	Automated Notifications of Integrity Violations	END-06.3	Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Endpoint Security	Automated Response to Integrity Violations	END-06.4	Automated mechanisms exist to implement remediation actions when integrity violations are discovered.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Endpoint Security	Boot Process Integrity	END-06.5	Automated mechanisms exist to verify the integrity of the boot process of information systems.
Endpoint Security	Protection of Boot Firmware	END-06.6	Automated mechanisms exist to protect the integrity of boot firmware in information systems.
Endpoint Security	Binary or Machine-Executable Code	END-06.7	Mechanisms exist to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code.
Endpoint Security	Host Intrusion Detection and Prevention Systems (HIDS / HIPS)	END-07	Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems.	- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - File Integrity Monitor (FIM)
Endpoint Security	Phishing & Spam Protection	END-08	Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.
Endpoint Security	Central Management	END-08.1	Mechanisms exist to centrally-manage anti-phishing and spam protection technologies.
Endpoint Security	Automatic Spam and Phishing Protection Updates	END-08.2	Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices.
Endpoint Security	Trusted Path	END-09	Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system.	- Active Directory (AD) Ctrl+Alt+Del login process
Endpoint Security	Mobile Code	END-10	Mechanisms exist to address mobile code / operating system-independent applications.
Endpoint Security	Thin Nodes	END-11	Mechanisms exist to configure thin nodes to have minimal functionality and information storage.
Endpoint Security	Port & Input / Output (I/O) Device Access	END-12	Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems.
Endpoint Security	Sensor Capability	END-13	Mechanisms exist to configure embedded sensors on systems to: ▪ Prohibit the remote activation of sensing capabilities; and ▪ Provide an explicit indication of sensor use to users.
Endpoint Security	Authorized Use	END-13.1	Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.
Endpoint Security	Notice of Collection	END-13.2	Mechanisms exist to notify individuals that Personal Data (PD) is collected by sensors.	- Visible or auditory alert - Data Protection Impact Assessment (DPIA)
Endpoint Security	Collection Minimization	END-13.3	Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.
Embedded Technology	Sensor Delivery Verification	END-13.4	Mechanisms exist to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles.
Endpoint Security	Collaborative Computing Devices	END-14	Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: ▪ Networked whiteboards; ▪ Video teleconference cameras; and ▪ Teleconference microphones.	- Unplug devices when not needed
Endpoint Security	Disabling / Removal In Secure Work Areas	END-14.1	Mechanisms exist to disable or remove collaborative computing devices from critical information systems and secure work areas.
Endpoint Security	Explicitly Indicate Current Participants	END-14.2	Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences.
Endpoint Security	Hypervisor Access	END-15	Mechanisms exist to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems.
Endpoint Security	Restrict Access To Security Functions	END-16	Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.	- Windows Defender Device Guard
Endpoint Security	Host-Based Security Function Isolation	END-16.1	Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation.	- Windows Defender Device Guard
Human Resources Security	Human Resources Security Management	HRS-01	Mechanisms exist to facilitate the implementation of personnel security controls.
Human Resources Security	Position Categorization	HRS-02	Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.		E-HRS-01 E-HRS-02 E-HRS-03 E-HRS-04 E-HRS-11 E-HRS-22
Human Resources Security	Users With Elevated Privileges	HRS-02.1	Mechanisms exist to ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question.		E-HRS-02 E-HRS-03 E-HRS-04 E-HRS-11 E-HRS-22
Human Resources Security	Probationary Periods	HRS-02.2	Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period.
Human Resources Security	Roles & Responsibilities	HRS-03	Mechanisms exist to define cybersecurity responsibilities for all personnel.	- NIST NICE framework - RACI diagram	E-HRS-01 E-HRS-02 E-HRS-03 E-HRS-04 E-HRS-11 E-HRS-13 E-HRS-18 E-HRS-22
Human Resources Security	User Awareness	HRS-03.1	Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment.		E-HRS-01 E-HRS-13 E-HRS-16 E-HRS-18
Human Resources Security	Competency Requirements for Security-Related Positions	HRS-03.2	Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.		E-HRS-21 E-HRS-23
Human Resources Security	Personnel Screening	HRS-04	Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.	- Criminal, education and employment background checks	E-HRS-17 E-HRS-21
Human Resources Security	Roles With Special Protection Measures	HRS-04.1	Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.	- Security clearances for classified information.	E-HRS-17 E-HRS-21
Human Resources Security	Formal Indoctrination	HRS-04.2	Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information are formally indoctrinated for all the relevant types of information to which they have access on the system.		E-HRS-18
Human Resources Security	Citizenship Requirements	HRS-04.3	Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship.
Human Resources Security	Citizenship Identification	HRS-04.4	Mechanisms exist to identify foreign nationals, including by their specific citizenship.
Human Resources Security	Terms of Employment	HRS-05	Mechanisms exist to require all employees and contractors to apply cybersecurity and privacy principles in their daily work.	- Acceptable Use Policy (AUP) - Rules of behavior	E-HRS-16 E-HRS-22
Human Resources Security	Rules of Behavior	HRS-05.1	Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.	- Acceptable Use Policy (AUP) - Rules of behavior	E-HRS-22
Human Resources Security	Social Media & Social Networking Restrictions	HRS-05.2	Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.	- Acceptable Use Policy (AUP) - Rules of behavior	E-HRS-22
Human Resources Security	Use of Communications Technology	HRS-05.3	Mechanisms exist to establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to systems, if used maliciously.	- Acceptable Use Policy (AUP) - Rules of behavior	E-HRS-22
Human Resources Security	Use of Critical Technologies	HRS-05.4	Mechanisms exist to govern usage policies for critical technologies.		E-HRS-22
Human Resources Security	Use of Mobile Devices	HRS-05.5	Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources.	- Acceptable Use Policy (AUP) - Rules of behavior - BYOD policy	E-HRS-22
Human Resources Security	Security-Minded Dress Code	HRS-05.6	Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets.
Human Resources Security	Policy Familiarization & Acknowledgement	HRS-05.7	Mechanisms exist to ensure personnel receive recurring familiarization with the organization’s cybersecurity and privacy policies and provide acknowledgement.		E-HRS-18 E-SAT-02 E-SAT-04
Human Resources Security	Access Agreements	HRS-06	Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.		E-HRS-16
Human Resources Security	Confidentiality Agreements	HRS-06.1	Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, or both employees and third-parties.	- Non-Disclosure Agreements (NDAs)	E-HRS-20
Human Resources Security	Post-Employment Obligations	HRS-06.2	Mechanisms exist to notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information.		E-HRS-19
Human Resources Security	Personnel Sanctions	HRS-07	Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.
Human Resources Security	Workplace Investigations	HRS-07.1	Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated.
Human Resources Security	Personnel Transfer	HRS-08	Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner.
Human Resources Security	Personnel Termination	HRS-09	Mechanisms exist to govern the termination of individual employment.		E-HRS-19
Human Resources Security	Asset Collection	HRS-09.1	Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment.		E-HRS-19
Human Resources Security	High-Risk Terminations	HRS-09.2	Mechanisms exist to expedite the process of removing ""high risk"" individual’s access to systems and applications upon termination, as determined by management.		E-HRS-19
Human Resources Security	Post-Employment Requirements	HRS-09.3	Mechanisms exist to govern former employee behavior by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.	- Non-Disclosure Agreements (NDAs)	E-HRS-19
Human Resources Security	Automated Employment Status Notifications	HRS-09.4	Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual employment or contract.
Human Resources Security	Third-Party Personnel Security	HRS-10	Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party cybersecurity and privacy roles and responsibilities.	- Independent background check service	E-HRS-16 E-HRS-18 E-HRS-22
Human Resources Security	Separation of Duties (SoD)	HRS-11	Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.		E-HRS-25
Human Resources Security	Incompatible Roles	HRS-12	Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.		E-HRS-25
Human Resources Security	Two-Person Rule	HRS-12.1	Mechanisms exist to enforce a two-person rule for implementing changes to sensitive systems.
Human Resources Security	Identify Critical Skills & Gaps	HRS-13	Mechanisms exist to evaluate the critical cybersecurity and privacy skills needed to support the organization’s mission and identify gaps that exist.		E-HRS-23 E-HRS-24
Human Resources Security	Remediate Identified Skills Deficiencies	HRS-13.1	Mechanisms exist to remediate critical skills deficiencies necessary to support the organization’s mission and business functions.		E-HRS-24
Human Resources Security	Identify Vital Cybersecurity & Privacy Staff	HRS-13.2	Mechanisms exist to identify vital cybersecurity & privacy staff.		E-HRS-26
Human Resources Security	Establish Redundancy for Vital Cybersecurity & Privacy Staff	HRS-13.3	Mechanisms exist to establish redundancy for vital cybersecurity & privacy staff.
Human Resources Security	Perform Succession Planning	HRS-13.4	Mechanisms exist to perform succession planning for vital cybersecurity & privacy roles.
Identification & Authentication	Identity & Access Management (IAM)	IAC-01	Mechanisms exist to facilitate the implementation of identification and access management controls.
Identification & Authentication	Retain Access Records	IAC-01.1	Mechanisms exist to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed.
Identification & Authentication	Identification & Authentication for Organizational Users	IAC-02	Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.
Identification & Authentication	Group Authentication	IAC-02.1	Mechanisms exist to require individuals to be authenticated with an individual authenticator when a group authenticator is utilized.
Identification & Authentication	Network Access to Privileged Accounts - Replay Resistant	IAC-02.2	Automated mechanisms exist to employ replay-resistant network access authentication.
Identification & Authentication	Acceptance of PIV Credentials	IAC-02.3	Mechanisms exist to accept and electronically verify organizational Personal Identity Verification (PIV) credentials.	- Personal Identity Verification (PIV) credentials
Identification & Authentication	Out-of-Band Authentication (OOBA)	IAC-02.4	Mechanisms exist to implement Out-of-Band Authentication (OOBA) under specific conditions.
Identification & Authentication	Identification & Authentication for Non-Organizational Users	IAC-03	Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.
Identification & Authentication	Acceptance of PIV Credentials from Other Organizations	IAC-03.1	Mechanisms exist to accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties.
Identification & Authentication	Acceptance of Third-Party Credentials	IAC-03.2	Automated mechanisms exist to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials.
Identification & Authentication	Use of FICAM-Issued Profiles	IAC-03.3	Mechanisms exist to conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles.
Identification & Authentication	Disassociability	IAC-03.4	Mechanisms exist to disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties.
Identification & Authentication	Acceptance of External Authenticators	IAC-03.5	Mechanisms exist to restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators.
Identification & Authentication	Identification & Authentication for Devices	IAC-04	Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically- based and replay resistant.	- Active Directory (AD) Kerberos
Identification & Authentication	Device Attestation	IAC-04.1	Mechanisms exist to ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process.

SCF Domain

SCF Control

SCF

Secure Controls Framework (SCF) Control Description

Methods To Comply With SCF Controls

Evidence Request List (ERL)

Security & Privacy Governance

Security & Privacy Governance Program

GOV-01

Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.

- Steering committee - Digital Security Program (DSP) - Cybersecurity & Data Protection Program (CDPP)

E-GOV-01 E-GOV-02

Security & Privacy Governance

Steering Committee

GOV-01.1

Mechanisms exist to coordinate cybersecurity, privacy and business alignment through a steering committee or advisory board, comprising of key cybersecurity, privacy and business executives, which meets formally and on a regular basis.

- Steering committee - Digital Security Program (DSP) - Cybersecurity & Data Protection Program (CDPP)

E-GOV-03

Security & Privacy Governance

Status Reporting To Governing Body

GOV-01.2

Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity and privacy program.

E-CPL-05 E-CPL-09 E-GOV-03 E-GOV-04 E-GOV-05 E-GOV-06 E-GOV-07 E-GOV-13

Security & Privacy Governance

Publishing Security & Privacy Documentation

GOV-02

Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.

- Steering committee - Digital Security Program (DSP) - Cybersecurity & Data Protection Program (CDPP) - Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Wiki - SharePoint

E-GOV-08 E-GOV-09 E-GOV-11

Security & Privacy Governance

Periodic Review & Update of Security & Privacy Program

GOV-03

Mechanisms exist to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Steering committee

E-GOV-12

Security & Privacy Governance

Assigned Security & Privacy Responsibilities

GOV-04

Mechanisms exist to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.

- NIST NICE Framework - Chief Information Security Officer (CISO)

E-HRS-01 E-HRS-05 E-HRS-06 E-HRS-07 E-HRS-08 E-HRS-09 E-HRS-10 E-HRS-13 E-HRS-15

Security & Privacy Governance

Measures of Performance

GOV-05

Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures of performance.

- Metrics - Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Enterprise Risk Management (ERM) solution

E-GOV-13

Security & Privacy Governance

Key Performance Indicators (KPIs)

GOV-05.1

Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity and privacy program.

- Key Performance Indicators (KPIs)

Security & Privacy Governance

Key Risk Indicators (KRIs)

GOV-05.2

Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity and privacy program.

- Key Risk Indicators (KRIs)

Security & Privacy Governance

Contacts With Authorities

GOV-06

Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.

- Threat intelligence personnel - Integrated Security Incident Response Team (ISIRT)

Security & Privacy Governance

Contacts With Groups & Associations

GOV-07

Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to: ▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel; ▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and ▪ Share current security-related information including threats, vulnerabilities and incidents.

- SANS - CISO Executive Network - ISACA chapters - IAPP chapters - ISAA chapters

E-THR-02

Security & Privacy Governance

Defining Business Context & Mission

GOV-08

Mechanisms exist to define the context of its business model and document the mission of the organization.

E-PRM-01

Security & Privacy Governance

Define Control Objectives

GOV-09

Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system.

E-GOV-10

Security & Privacy Governance

Data Governance

GOV-10

Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.

Security & Privacy Governance

Purpose Validation

GOV-11

Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose.

Security & Privacy Governance

Forced Technology Transfer (FTT)

GOV-12

Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.

- Board of Directors (Bod) Ethics Committee

Security & Privacy Governance

State-Sponsored Espionage

GOV-13

Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.

- Board of Directors (Bod) Ethics Committee

Security & Privacy Governance

Business As Usual (BAU) Secure Practices

GOV-14

Mechanisms exist to incorporate cybersecurity and privacy principles into Business As Usual (BAU) practices through executive leadership involvement.

Security & Privacy Governance

Operationalizing Cybersecurity & Privacy Practices

GOV-15

Mechanisms exist to compel data and/or process owners to operationalize cybersecurity and privacy practices for each system, application and/or service under their control.

Security & Privacy Governance

Select Controls

GOV-15.1

Mechanisms exist to compel data and/or process owners to select required cybersecurity and privacy controls for each system, application and/or service under their control.

Security & Privacy Governance

Implement Controls

GOV-15.2

Mechanisms exist to compel data and/or process owners to implement required cybersecurity and privacy controls for each system, application and/or service under their control.

Security & Privacy Governance

Assess Controls

GOV-15.3

Mechanisms exist to compel data and/or process owners to assess if required cybersecurity and privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.

Security & Privacy Governance

Authorize Systems, Applications & Services

GOV-15.4

Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control.

Security & Privacy Governance

Monitor Controls

GOV-15.5

Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity and privacy controls are operating as intended.

Asset Management

Asset Governance

AST-01

Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.

- Generally Accepted Accounting Principles (GAAP) - ITIL - Configuration Management Database (CMDB) - IT Asset Management (ITAM) program

E-AST-01

Asset Management

Asset-Service Dependencies

AST-01.1

Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function.

E-BCM-09

Asset Management

Stakeholder Identification & Involvement

AST-01.2

Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets.

E-CPL-03

Asset Management

Standardized Naming Convention

AST-01.3

Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.

Asset Management

Asset Inventories

AST-02

Mechanisms exist to perform inventories of technology assets that: ▪ Accurately reflects the current systems, applications and services in use; ▪ Identifies authorized software products, including business justification details; ▪ Is at the level of granularity deemed necessary for tracking and reporting; ▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and ▪ Is available for review and audit by designated organizational personnel.

- ManageEngine AssetExplorer - LANDesk IT Asset Management Suite - ServiceNow (https://www.servicenow.com/) - Solarwinds (https://www.solarwinds.com/) - CrowdStrike - JAMF - ITIL - Configuration Management Database (CMDB)

E-AST-04 E-AST-05 E-AST-07

Asset Management

Updates During Installations / Removals

AST-02.1

Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades.

- CrowdStrike - JAMF - ITIL - Configuration Management Database (CMDB)

Asset Management

Automated Unauthorized Component Detection

AST-02.2

Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - DHCP logging - Active discovery tools - NNT Change Tracker (https://www.newnettechnologies.com) - Vectra - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) - Puppet (https://puppet.com/) - Chef (https://www.chef.io/) (https://www.chef.io/) - Microsoft SCCM - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Asset Management

Component Duplication Avoidance

AST-02.3

Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.

- ITIL - Configuration Management Database (CMDB) - Manual or automated process

Asset Management

Approved Baseline Deviations

AST-02.4

Mechanisms exist to document and govern instances of approved deviations from established baseline configurations.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) - SCCM - Puppet (https://puppet.com/) - Chef (https://www.chef.io/) (https://www.chef.io/) - Microsoft SCCM

E-RSK-03 E-TDA-14

Asset Management

Network Access Control (NAC)

AST-02.5

Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, that is capable of detecting unauthorized devices and disable network access to those unauthorized devices.

- Cisco NAC - Aruba Networks - Juniper NAC - Packet Fence - Symantec NAC - Sophos NAC - Bradford Networks NAC Director - Cisco ISE - ForeScout

Asset Management

Dynamic Host Configuration Protocol (DHCP) Server Logging

AST-02.6

Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.

- Splunk - Manual Process - Build Automation Tools - NNT Log Tracker (https://www.newnettechnologies.com/event-log-management.html) - Chef (https://www.chef.io/) (https://www.chef.io/) - Puppet (https://puppet.com/) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)

E-MON-04

Asset Management

Software Licensing Restrictions

AST-02.7

Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.

- Manual Process - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)

Asset Management

Data Action Mapping

AST-02.8

Mechanisms exist to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed.

- Visio - LucidChart

E-DCH-05

Asset Management

Configuration Management Database (CMDB)

AST-02.9

Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.

- Configuration Management Database (CMDB)

Asset Management

Automated Location Tracking

AST-02.10

Mechanisms exist to track the geographic location of system components.

Asset Management

Component Assignment

AST-02.11

Mechanisms exist to bind components to a specific system.

Asset Management

Asset Ownership Assignment

AST-03

Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection.

E-AST-01 E-CPL-03

Asset Management

Accountability Information

AST-03.1

Mechanisms exist to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process.

E-AST-01

Asset Management

Provenance

AST-03.2

Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data.

E-AST-22

Asset Management

Network Diagrams & Data Flow Diagrams (DFDs)

AST-04

Mechanisms exist to maintain network architecture diagrams that: ▪ Contain sufficient detail to assess the security of the network's architecture; ▪ Reflect the current architecture of the network environment; and ▪ Document all sensitive/regulated data flows.

- High-Level Diagram (HLD) - Low-Level Diagram (LLD) - Data Flow Diagram (DFD) - Solarwinds (https://www.solarwinds.com/) - Paessler - PRTG

E-DCH-03 E-DCH-04 E-DCH-05

Asset Management

Asset Scope Classification

AST-04.1

Mechanisms exist to determine cybersecurity and privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-parties).

E-AST-02 E-CPL-02 E-DCH-01 E-DCH-02

Asset Management

Control Applicability Boundary Graphical Representation

AST-04.2

Mechanisms exist to ensure control applicability is appropriately-determined for systems, applications, services and third parties by graphically representing applicable boundaries.

E-AST-02 E-CPL-02

Asset Management

Compliance-Specific Asset Identification

AST-04.3

Mechanisms exist to create and maintain a current inventory of systems, applications and services that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization.

E-AST-02 E-CPL-02

Asset Management

Security of Assets & Media

AST-05

Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media.

- ITIL - Configuration Management Database (CMDB) - Definitive Software Library (DSL)

Asset Management

Management Approval For External Media Transfer

AST-05.1

Mechanisms exist to obtain management approval for any sensitive / regulated media that is transferred outside of the organization's facilities.

Asset Management

Unattended End-User Equipment

AST-06

Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - File Integrity Monitoring (FIM) - Lockable casings - Tamper detection tape - Full Disk Encryption (FDE) - NNT Change Tracker (https://www.newnettechnologies.com)

Asset Management

Asset Storage In Automobiles

AST-06.1

Mechanisms exist to educate users on the need to physically secure laptops and other mobile devices out of site when traveling, preferably in the trunk of a vehicle.

- Security awareness training - Gamification

Asset Management

Kiosks & Point of Interaction (PoI) Devices

AST-07

Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - File Integrity Monitoring (FIM) - Lockable casings - Tamper detection tape - Chip & PIN

Asset Management

Tamper Detection

AST-08

Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC).

- ""Burner"" phones & laptops - Tamper tape

Asset Management

Secure Disposal, Destruction or Re-Use of Equipment

AST-09

Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.

- Shred-it - IronMountain - sdelete (sysinternals) - Bootnukem

E-AST-03

Asset Management

Return of Assets

AST-10

Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.

- Termination checklist - Manual Process - Native OS and Device Asset Tracking capabilities

E-AST-01

Asset Management

Removal of Assets

AST-11

Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities.

- RFID asset tagging - RFID proximity sensors at access points - Asset management software

Asset Management

Use of Personal Devices

AST-12

Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities.

- BYOD policy

Asset Management

Use of Third-Party Devices

AST-13

Mechanisms exist to reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data.

- NAC - Separate SSIDs for wireless networks - SIEM monitoring/alerting - Manual process to disable network all unused ports - Network Access Control (NAC) - Mobile Device Management (MDM) software - Data Loss Prevention (DLP)

Asset Management

Usage Parameters

AST-14

Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Asset Management

Bluetooth & Wireless Devices

AST-14.1

Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.

Asset Management

Infrared Communications

AST-14.2

Mechanisms exist to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.

Asset Management

Tamper Protection

AST-15

Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Tamper detection tape - File Integrity Monitoring (FIM) - NNT Change Tracker (https://www.newnettechnologies.com) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)

Asset Management

Inspection of Systems, Components & Devices

AST-15.1

Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering.

Asset Management

Bring Your Own Device (BYOD) Usage

AST-16

Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.

- AirWatch - SCCM - Casper - BYOD policy

Asset Management

Prohibited Equipment & Services

AST-17

Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.

E-AST-10

Asset Management

Roots of Trust Protection

AST-18

Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.

Asset Management

Telecommunications Equipment

AST-19

Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.

Asset Management

Video Teleconference (VTC) Security

AST-20

Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.

Asset Management

Voice Over Internet Protocol (VoIP) Security

AST-21

Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.

Asset Management

Microphones & Web Cameras

AST-22

Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed.

Asset Management

Multi-Function Devices (MFD)

AST-23

Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.

E-TPM-01

Asset Management

Travel-Only Devices

AST-24

Mechanisms exist to issue personnel travelling overseas with temporary, loaner or ""travel-only"" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.

Asset Management

Re-Imaging Devices After Travel

AST-25

Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.

Asset Management

System Administrative Processes

AST-26

Mechanisms exist to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining systems, applications and services.

Asset Management

Jump Server

AST-27

Mechanisms exist to conduct remote system administrative functions via a ""jump box"" or ""jump server"" that is located in a separate network zone to user workstations.

Asset Management

Database Administrative Processes

AST-28

Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases.

Asset Management

Database Management System (DBMS)

AST-28.1

Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable.

Asset Management

Radio Frequency Identification (RFID) Security

AST-29

Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.

Asset Management

Contactless Access Control Systems

AST-29.1

Mechanisms exist to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.

Asset Management

Decommissioning

AST-30

Mechanisms exist to ensure systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.

Business Continuity & Disaster Recovery

Business Continuity Management System (BCMS)

BCD-01

Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services.

- Business Continuity Plan (BCP) - Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP) - Business Impact Analysis (BIA) - Criticality assessments

E-BCM-01

Business Continuity & Disaster Recovery

Coordinate with Related Plans

BCD-01.1

Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans.

- Cybersecurity Incident Response Plan (IIRP)

Business Continuity & Disaster Recovery

Coordinate With External Service Providers

BCD-01.2

Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

- Business Continuity Plan (BCP) - Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP)

Business Continuity & Disaster Recovery

Transfer to Alternate Processing / Storage Site

BCD-01.3

Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan.

Business Continuity & Disaster Recovery

Recovery Time / Point Objectives (RTO / RPO)

BCD-01.4

Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

E-BCM-02 E-BCM-03

Business Continuity & Disaster Recovery

Identify Critical Assets

BCD-02

Mechanisms exist to identify and document the critical systems, applications and services that support essential missions and business functions.

- Business Impact Analysis (BIA) - Criticality assessments

E-BCM-08

Business Continuity & Disaster Recovery

Resume All Missions & Business Functions

BCD-02.1

Mechanisms exist to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation.

- Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP) - Disaster recovery software

Business Continuity & Disaster Recovery

Continue Essential Mission & Business Functions

BCD-02.2

Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.

- Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP)

Business Continuity & Disaster Recovery

Resume Essential Missions & Business Functions

BCD-02.3

Mechanisms exist to resume essential missions and business functions within an organization-defined time period of contingency plan activation.

- Business Continuity Plan (BCP) - Disaster Recovery Plan (DRP) - Continuity of Operations Plan (COOP)

Business Continuity & Disaster Recovery

Data Storage Location Reviews

BCD-02.4

Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data.

E-AST-23

Business Continuity & Disaster Recovery

Contingency Training

BCD-03

Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.

- NIST NICE Framework - Tabletop exercises

E-BCM-07

Business Continuity & Disaster Recovery

Simulated Events

BCD-03.1

Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

- Tabletop exercises

E-BCM-06

Business Continuity & Disaster Recovery

Automated Training Environments

BCD-03.2

Automated mechanisms exist to provide a more thorough and realistic contingency training environment.

Business Continuity & Disaster Recovery

Contingency Plan Testing & Exercises

BCD-04

Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization’s readiness to execute the plan.

- Simulated disasters / emergencies

E-BCM-06 E-BCM-07

Business Continuity & Disaster Recovery

Coordinated Testing with Related Plans

BCD-04.1

Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans.

- Playbooks - Enterprise-wide Continuity of Operations Plan (COOP)

Business Continuity & Disaster Recovery

Alternate Storage & Processing Sites

BCD-04.2

Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.

Business Continuity & Disaster Recovery

Contingency Plan Root Cause Analysis (RCA) & Lessons Learned

BCD-05

Mechanisms exist to conduct a Root Cause Analysis (RCA) and ""lessons learned"" activity every time the contingency plan is activated.

- Standardized Operating Procedures (SOP) - Disaster Recovery Plan (DRP) - Business Continuity Plan (BCP) - Continuity of Operations Plan (COOP)

E-BCM-04

Business Continuity & Disaster Recovery

Contingency Planning & Updates

BCD-06

Mechanisms exist to keep contingency plans current with business needs, technology changes and feedback from contingency plan testing activities.

- Offline / offsite documentation

E-BCM-05

Business Continuity & Disaster Recovery

Alternative Security Measures

BCD-07

Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.

- Business Impact Analysis (BIA) - Criticality assessments

Business Continuity & Disaster Recovery

Alternate Storage Site

BCD-08

Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.

- SunGard - AWS - Azure

Business Continuity & Disaster Recovery

Separation from Primary Site

BCD-08.1

Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.

- SunGard - AWS - Azure

Business Continuity & Disaster Recovery

Accessibility

BCD-08.2

Mechanisms exist to identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

- SunGard - AWS - Azure

Business Continuity & Disaster Recovery

Alternate Processing Site

BCD-09

Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.

- SunGard - AWS - Azure

Business Continuity & Disaster Recovery

Separation from Primary Site

BCD-09.1

Mechanisms exist to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats.

- SunGard - AWS - Azure

Business Continuity & Disaster Recovery

Accessibility

BCD-09.2

Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster.

- Business Continuity Plan (BCP) - Continuity of Operations Plan (COOP)

Business Continuity & Disaster Recovery

Alternate Site Priority of Service

BCD-09.3

Mechanisms exist to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs).

- Hot / warm / cold site contracts

E-TPM-04

Business Continuity & Disaster Recovery

Preparation for Use

BCD-09.4

Mechanisms exist to prepare the alternate processing alternate to support essential missions and business functions so that the alternate site is capable of being used as the primary site.

Business Continuity & Disaster Recovery

Inability to Return to Primary Site

BCD-09.5

Mechanisms exist to plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site.

Business Continuity & Disaster Recovery

Telecommunications Services Availability

BCD-10

Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.

- Alternate telecommunications services are maintained with multiple ISP / network providers

Business Continuity & Disaster Recovery

Telecommunications Priority of Service Provisions

BCD-10.1

Mechanisms exist to formalize primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).

- Hot / warm / cold site contracts

E-TPM-04

Business Continuity & Disaster Recovery

Separation of Primary / Alternate Providers

BCD-10.2

Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

Business Continuity & Disaster Recovery

Provider Continency Plan

BCD-10.3

Mechanisms exist to contractually-require telecommunications service providers to have contingency plans that meet organizational contingency requirements.

Business Continuity & Disaster Recovery

Alternate Communications Paths

BCD-10.4

Mechanisms exist to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.

Business Continuity & Disaster Recovery

Data Backups

BCD-11

Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfying Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

- Backup technologies & procedures - Offline storage

E-BCM-10 E-BCM-11 E-BCM-12 E-BCM-13

Business Continuity & Disaster Recovery

Testing for Reliability & Integrity

BCD-11.1

Mechanisms exist to routinely test backups that verifies the reliability of the backup process, as well as the integrity and availability of the data.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Business Continuity & Disaster Recovery

Separate Storage for Critical Information

BCD-11.2

Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.

- IronMountain

E-AST-08 E-BCM-11 E-BCM-12 E-BCM-13

Business Continuity & Disaster Recovery

Information System Imaging

BCD-11.3

Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Acronis - Docker (https://www.docker.com/) - VMWare

Business Continuity & Disaster Recovery

Cryptographic Protection

BCD-11.4

Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.

- Backup technologies & procedures

Business Continuity & Disaster Recovery

Test Restoration Using Sampling

BCD-11.5

Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.

Business Continuity & Disaster Recovery

Transfer to Alternate Storage Site

BCD-11.6

Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Business Continuity & Disaster Recovery

Redundant Secondary System

BCD-11.7

Mechanisms exist to maintain a failover system, that is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.

Business Continuity & Disaster Recovery

Dual Authorization For Backup Media Destruction

BCD-11.8

Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.

Business Continuity & Disaster Recovery

Information System Recovery & Reconstitution

BCD-12

Mechanisms exist to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Business Continuity & Disaster Recovery

Transaction Recovery

BCD-12.1

Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs).

Business Continuity & Disaster Recovery

Failover Capability

BCD-12.2

Mechanisms exist to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.

- Load balancers - High Availability (HA) firewalls

Business Continuity & Disaster Recovery

Electronic Discovery (eDiscovery)

BCD-12.3

Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.

Business Continuity & Disaster Recovery

Restore Within Time Period

BCD-12.4

Mechanisms exist to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Business Continuity & Disaster Recovery

Backup & Restoration Hardware Protection

BCD-13

Mechanisms exist to protect backup and restoration hardware and software.

Business Continuity & Disaster Recovery

Isolated Recovery Environment

BCD-14

Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.

Business Continuity & Disaster Recovery

Reserve Hardware

BCD-15

Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.

Capacity & Performance Planning

Capacity & Performance Management

CAP-01

Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.

- Splunk - Resource monitoring

Capacity & Performance Planning

Resource Priority

CAP-02

Mechanisms exist to control resource utilization of systems that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources.

- Splunk - Resource monitoring

Capacity & Performance Planning

Capacity Planning

CAP-03

Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations.

Capacity & Performance Planning

Performance Monitoring

CAP-04

Automated mechanisms exist to centrally-monitor and alert on the operating state and health status of critical systems, applications and services.

Change Management

Change Management Program

CHG-01

Mechanisms exist to facilitate the implementation of a change management program.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - NNT Change Tracker (https://www.newnettechnologies.com) - ServiceNow (https://www.servicenow.com/) - Remedy - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) - Chef (https://www.chef.io/) (https://www.chef.io/) - Puppet (https://puppet.com/)

E-CHG-02

Change Management

Configuration Change Control

CHG-02

Mechanisms exist to govern the technical configuration change control processes.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Change Control Board (CCB) - Configuration Management Database (CMDB) - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) Enterprise - Chef (https://www.chef.io/) (https://www.chef.io/) - Puppet (https://puppet.com/) - Solarwinds (https://www.solarwinds.com/) - Docker (https://www.docker.com/) - VisibleOps methodology - ITIL infrastructure library

E-CHG-02

Change Management

Prohibition Of Changes

CHG-02.1

Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - Manual processes/workflows - Application whitelisting

Change Management

Test, Validate & Document Changes

CHG-02.2

Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.

E-CHG-03

Change Management

Security & Privacy Representative for Asset Lifecycle Changes

CHG-02.3

Mechanisms exist to include a cybersecurity and/or privacy representative in the configuration change control review process.

- Change Control Board (CCB) - Change Advisory Board (CAB) - VisibleOps methodology - ITIL infrastructure library

E-CHG-04

Change Management

Automated Security Response

CHG-02.4

Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configurations change(s).

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Change Management

Cryptographic Management

CHG-02.5

Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes.

Change Management

Security Impact Analysis for Changes

CHG-03

Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.

- VisibleOps methodology - ITIL infrastructure library - Change management software

Change Management

Access Restriction For Change

CHG-04

Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - Role-based permissions - Mandatory Access Control (MAC) - Application whitelisting

Change Management

Automated Access Enforcement / Auditing

CHG-04.1

Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - VisibleOps methodology - ITIL infrastructure library - NNT Change Tracker (https://www.newnettechnologies.com) - Manual review processes - Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/) - Puppet (https://puppet.com/) - Chef (https://www.chef.io/) (https://www.chef.io/)

Change Management

Signed Components

CHG-04.2

Mechanisms exist to prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority.

- Privileged Account Management (PAM) - Patch management tools - OS configuration standards

Change Management

Dual Authorization for Change

CHG-04.3

Mechanisms exist to enforce a two-person rule for implementing changes to critical assets.

- Separation of Duties (SoD)

Change Management

Limit Production / Operational Privileges (Incompatible Roles)

CHG-04.4

Mechanisms exist to limit operational privileges for implementing changes.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Separation of Duties (SoD) - Privileged Account Management (PAM)

Change Management

Library Privileges

CHG-04.5

Mechanisms exist to restrict software library privileges to those individuals with a pertinent business need for access.

- Privileged Account Management (PAM)

Change Management

Stakeholder Notification of Changes

CHG-05

Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes.

- Change management procedures - VisibleOps methodology - ITIL infrastructure library

Change Management

Security Functionality Verification

CHG-06

Mechanisms exist to verify the functionality of security controls when anomalies are discovered.

- Information Assurance Program (IAP) - Security Test & Evaluation (STE)

Change Management

Report Verification Results

CHG-06.1

Mechanisms exist to report the results of cybersecurity and privacy function verification to appropriate organizational management.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Cloud Security

Cloud Services

CLD-01

Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.

- Data Protection Impact Assessment (DPIA)

E-AST-06

Cloud Security

Cloud Infrastructure Onboarding

CLD-01.1

Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.

Cloud Security

Cloud Infrastructure Offboarding

CLD-01.2

Mechanisms exist to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.

Cloud Security

Cloud Security Architecture

CLD-02

Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments.

- Architectural review board - System Security Plan (SSP) - Security architecture roadmaps

E-TDA-09

Cloud Security

Cloud Infrastructure Security Subnet

CLD-03

Mechanisms exist to host security-specific technologies in a dedicated subnet.

- Security management subnet

Cloud Security

Application & Program Interface (API) Security

CLD-04

Mechanisms exist to ensure support for secure interoperability between components.

- Use only open and published APIs

Cloud Security

Virtual Machine Images

CLD-05

Mechanisms exist to ensure the integrity of virtual machine images at all times.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - File Integrity Monitoring (FIM) - Docker (https://www.docker.com/) - NNT Change Tracker (https://www.newnettechnologies.com)

Cloud Security

Multi-Tenant Environments

CLD-06

Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.

- Security architecture review - Defined processes to segment at the network, application, databases layers

Cloud Security

Customer Responsibility Matrix (CRM)

CLD-06.1

Mechanisms exist to formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers.

- Customer Responsibility Matrix (CRM) - Shared Responsibility Matrix (SRM) - Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix

E-CPL-03

Cloud Security

Multi-Tenant Event Logging Capabilities

CLD-06.2

Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations.

Cloud Security

Multi-Tenant Forensics Capabilities

CLD-06.3

Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.

Cloud Security

Multi-Tenant Incident Response Capabilities

CLD-06.4

Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.

Cloud Security

Data Handling & Portability

CLD-07

Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services.

- Data Protection Impact Assessment (DPIA) - Security architecture review - Encrypted data transfers (e.g. TLS or VPNs)

Cloud Security

Standardized Virtualization Formats

CLD-08

Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Data Protection Impact Assessment (DPIA) - Manual review process - Vendor risk assessments - Independent vendor compliance assessments

Cloud Security

Geolocation Requirements for Processing, Storage and Service Locations

CLD-09

Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.

- Data Protection Impact Assessment (DPIA)

E-AST-06 E-AST-23

Cloud Security

Sensitive Data In Public Cloud Providers

CLD-10

Mechanisms exist to limit and manage the storage of sensitive/regulated data in public cloud providers.

- Data Protection Impact Assessment (DPIA) - Security and network architecture diagrams - Data Flow Diagram (DFD)

E-AST-08

Cloud Security

Cloud Access Point (CAP)

CLD-11

Mechanisms exist to utilize Cloud Access Points (CAPs) to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud.

- Next Generation Firewall (NGF) - Web Application Firewall (WAF) - Network Routing / Switching - Intrusion Detection / Protection (IDS / IPS) - Data Loss Prevention (DLP) - Full Packet Capture

Cloud Security

Side Channel Attack Prevention

CLD-12

Mechanisms exist to prevent ""side channel attacks"" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.

Compliance

Statutory, Regulatory & Contractual Compliance

CPL-01

Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.

- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Steering committee

E-CPL-01 E-GOV-10

Compliance

Non-Compliance Oversight

CPL-01.1

Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.

E-CPL-05

Compliance

Compliance Scope

CPL-01.2

Mechanisms exist to document and validate the scope of cybersecurity and privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.

E-AST-02 E-CPL-02 E-GOV-10

Compliance

Security & Privacy Controls Oversight

CPL-02

Mechanisms exist to provide a security & privacy controls oversight function that reports to the organization's executive leadership.

- Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.) - Steering committee - Formalized SDLC program - Formalized DevOps program - Information Assurance Program (IAP) - Security Test & Evaluation (STE)

E-CPL-07 E-CPL-09 E-GOV-04 E-GOV-05 E-GOV-06 E-GOV-13 E-RSK-03

Compliance

Internal Audit Function

CPL-02.1

Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes.

E-CPL-04 E-CPL-07

Compliance

Security Assessments

CPL-03

Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.

- Information Assurance Program (IAP) - Security Test & Evaluation (STE) - Governance, Risk and Compliance Solution (GRC) tool (Ostendio, ZenGRC, RequirementONE, Allgress, Archer, RSAM, Metric stream, etc.)

E-CPL-05 E-CPL-07

Compliance

Independent Assessors

CPL-03.1

Mechanisms exist to utilize independent assessors to evaluate security & privacy controls at planned intervals or when the system, service or project undergoes significant changes.

- Information Assurance Program (IAP) - Security Test & Evaluation (STE)

E-CPL-07

Compliance

Functional Review Of Security Controls

CPL-03.2

Mechanisms exist to regularly review technology assets for adherence to the organization’s cybersecurity and privacy policies and standards.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Internal audit program - NNT Change Tracker (https://www.newnettechnologies.com) - Operational review processes - Regular/yearly policy and standards review process - Governance, Risk and Compliance Solution (GRC) (ZenGRC, Archer, RSAM, Metric stream, etc.)

E-CPL-08

Compliance

Audit Activities

CPL-04

Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.

- Internal audit program

Compliance

Legal Assessment of Investigative Inquires

CPL-05

Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary.

Compliance

Investigation Request Notifications

CPL-05.1

Mechanisms exist to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution).

Compliance

Investigation Access Restrictions

CPL-05.2

Mechanisms exist to support official investigations by provisioning government investigators with ""least privileges"" and ""least functionality"" to ensure that government investigators only have access to the data and systems needed to perform the investigation.

Compliance

Government Surveillance

CPL-06

Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.

- Board of Directors (Bod) Ethics Committee

Configuration Management

Configuration Management Program

CFG-01

Mechanisms exist to facilitate the implementation of configuration management controls.

- NNT Change Tracker (https://www.newnettechnologies.com) - Configuration Management Database (CMDB) - Baseline hardening standards - Formalized DevOps program - Information Assurance Program (IAP) - Security Test & Evaluation (STE)

Configuration Management

Assignment of Responsibility

CFG-01.1

Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Configuration Management

System Hardening Through Baseline Configurations

CFG-02

Mechanisms exist to develop, document and maintain secure baseline configurations for technology platform that are consistent with industry-accepted system hardening standards.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs) - Center for Internet Security (CIS) Benchmarks - NNT Change Tracker (https://www.newnettechnologies.com)

E-AST-12 E-AST-13 E-AST-14 E-AST-15 E-AST-16 E-AST-17 E-AST-18 E-AST-19 E-AST-20 E-AST-21

Configuration Management

Reviews & Updates

CFG-02.1

Mechanisms exist to review and update baseline configurations: ▪ At least annually; ▪ When required due to so; or ▪ As part of system component installations and upgrades.

Configuration Management

Automated Central Management & Verification

CFG-02.2

Automated mechanisms exist to govern and report on baseline configurations of the systems.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Retention Of Previous Configurations

CFG-02.3

Mechanisms exist to retain previous versions of baseline configuration to support roll back.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Development & Test Environment Configurations

CFG-02.4

Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Configure Systems, Components or Services for High-Risk Areas

CFG-02.5

Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations.

- NNT Change Tracker (https://www.newnettechnologies.com)

E-AST-12 E-AST-13 E-AST-14 E-AST-15 E-AST-16 E-AST-17 E-AST-18 E-AST-19 E-AST-20 E-AST-21

Configuration Management

Network Device Configuration File Synchronization

CFG-02.6

Mechanisms exist to configure network devices to synchronize startup and running configuration files.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Approved Configuration Deviations

CFG-02.7

Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Respond To Unauthorized Changes

CFG-02.8

Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Service Level Agreements (SLAs) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Baseline Tailoring

CFG-02.9

Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: ▪ Mission / business functions; ▪ Operational environment; ▪ Specific threats or vulnerabilities; or ▪ Other conditions or situations that could affect mission / business success.

- DISA STIGs - CIS Benchmarks

Configuration Management

Least Functionality

CFG-03

Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Periodic Review

CFG-03.1

Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.

- NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Prevent Unauthorized Software Execution

CFG-03.2

Mechanisms exist to configure systems to prevent the execution of unauthorized software programs.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Unauthorized or Authorized Software (Blacklisting or Whitelisting)

CFG-03.3

Mechanisms exist to whitelist or blacklist applications in an order to limit what is authorized to execute on systems.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Split Tunneling

CFG-03.4

Mechanisms exist to prevent systems from creating split tunneling connections or similar techniques that could be used to exfiltrate data.

Configuration Management

Software Usage Restrictions

CFG-04

Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.

Configuration Management

Open Source Software

CFG-04.1

Mechanisms exist to establish parameters for the secure use of open source software.

- Acceptable Use Policy (AUP)

Configuration Management

Unsupported Internet Browsers & Email Clients

CFG-04.2

Mechanisms exist to allow only approved Internet browsers and email clients to run on systems.

Configuration Management

User-Installed Software

CFG-05

Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.

- Privileged Account Management (PAM)

Configuration Management

Unauthorized Installation Alerts

CFG-05.1

Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Configuration Management

Restrict Roles Permitted To Install Software

CFG-05.2

Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service.

Configuration Management

Configuration Enforcement

CFG-06

Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.

Configuration Management

Zero-Touch Provisioning (ZTP)

CFG-07

Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.

Configuration Management

Sensitive / Regulated Data Access Enforcement

CFG-08

Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data.

E-DCH-08

Configuration Management

Sensitive / Regulated Data Actions

CFG-08.1

Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.

Continuous Monitoring

MON-01

Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.

- Splunk - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Intrusion Detection & Prevention Systems (IDS & IPS)

MON-01.1

Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Automated Tools for Real-Time Analysis

MON-01.2

Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

E-MON-01 E-MON-05

Continuous Monitoring

Inbound & Outbound Communications Traffic

MON-01.3

Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

System Generated Alerts

MON-01.4

Mechanisms exist to monitor, correlate and respond to alerts from physical, cybersecurity, privacy and supply chain activities to achieve integrated situational awareness.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Wireless Intrusion Detection System (WIDS)

MON-01.5

Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Host-Based Devices

MON-01.6

Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

File Integrity Monitoring (FIM)

MON-01.7

Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Reviews & Updates

MON-01.8

Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.

- Security Incident Event Manager (SIEM) - Splunk

E-MON-01 E-MON-02 E-MON-05

Continuous Monitoring

Proxy Logging

MON-01.9

Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Deactivated Account Activity

MON-01.10

Mechanisms exist to monitor deactivated accounts for attempted usage.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Automated Response to Suspicious Events

MON-01.11

Mechanisms exist to automatically implement pre-determined corrective actions in response to detected events that have security incident implications.

Continuous Monitoring

Automated Alerts

MON-01.12

Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications.

Continuous Monitoring

Alert Threshold Tuning

MON-01.13

Mechanisms exist to ""tune"" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events.

Continuous Monitoring

Individuals Posing Greater Risk

MON-01.14

Mechanisms exist to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk.

E-MON-03

Continuous Monitoring

Privileged User Oversight

MON-01.15

Mechanisms exist to implement enhanced activity monitoring for privileged users.

E-MON-03

Continuous Monitoring

Analyze and Prioritize Monitoring Requirements

MON-01.16

Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.

Continuous Monitoring

Real-Time Session Monitoring

MON-01.17

Mechanisms exist to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations.

Continuous Monitoring

Centralized Collection of Security Event Logs

MON-02

Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs.

- Security Incident Event Manager (SIEM) - Splunk

E-MON-01 E-MON-05

Continuous Monitoring

Correlate Monitoring Information

MON-02.1

Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Central Review & Analysis

MON-02.2

Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

E-MON-01 E-MON-02 E-MON-05

Continuous Monitoring

Integration of Scanning & Other Monitoring Information

MON-02.3

Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity.

Continuous Monitoring

Correlation with Physical Monitoring

MON-02.4

Automated mechanisms exist to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity.

Continuous Monitoring

Permitted Actions

MON-02.5

Mechanisms exist to specify the permitted actions for both users and systems associated with the review, analysis and reporting of audit information.

Continuous Monitoring

Audit Level Adjustments

MON-02.6

Mechanisms exist to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence.

Continuous Monitoring

System-Wide / Time-Correlated Audit Trail

MON-02.7

Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated.

Continuous Monitoring

Changes by Authorized Individuals

MON-02.8

Mechanisms exist to provide privileged users or roles the capability to change the auditing to be performed on specified information system components, based on specific event criteria within specified time thresholds.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Continuous Monitoring

Content of Audit Records

MON-03

Mechanisms exist to configure systems to produce audit records that contain sufficient information to, at a minimum: ▪ Establish what type of event occurred; ▪ When (date and time) the event occurred; ▪ Where the event occurred; ▪ The source of the event; ▪ The outcome (success or failure) of the event; and ▪ The identity of any user/subject associated with the event.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Continuous Monitoring

Sensitive Audit Information

MON-03.1

Mechanisms exist to protect sensitive/regulated data contained in log files.

Continuous Monitoring

Audit Trails

MON-03.2

Mechanisms exist to link system access to individual users or service accounts.

Continuous Monitoring

Privileged Functions Logging

MON-03.3

Mechanisms exist to log and review the actions of users and/or services with elevated privileges.

- Security Incident Event Manager (SIEM) - Splunk

Continuous Monitoring

Verbosity Logging for Boundary Devices

MON-03.4

Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies.

Continuous Monitoring

Limit Personal Data (PD) In Audit Records

MON-03.5

Mechanisms exist to limit Personal Data (PD) contained in audit records to the elements identified in the privacy risk assessment.

- Data Protection Impact Assessment (DPIA)

Continuous Monitoring

Centralized Management of Planned Audit Record Content

MON-03.6

Mechanisms exist to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.

Continuous Monitoring

Database Logging

MON-03.7

Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities.

Continuous Monitoring

Event Log Storage Capacity

MON-04

Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.

Continuous Monitoring

Response To Event Log Processing Failures

MON-05

Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Real-Time Alerts of Event Logging Failure

MON-05.1

Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Event Log Storage Capacity Alerting

MON-05.2

Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.

Continuous Monitoring

Monitoring Reporting

MON-06

Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Query Parameter Audits of Personal Data (PD)

MON-06.1

Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD).

Continuous Monitoring

Trend Analysis Reporting

MON-06.2

Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.

Continuous Monitoring

Time Stamps

MON-07

Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event logs.

Continuous Monitoring

Synchronization With Authoritative Time Source

MON-07.1

Mechanisms exist to synchronize internal system clocks with an authoritative time source.

- Network Time Protocol (NTP)

Continuous Monitoring

Protection of Event Logs

MON-08

Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk

Continuous Monitoring

Event Log Backup on Separate Physical Systems / Components

MON-08.1

Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Security Incident Event Manager (SIEM) - Splunk

Continuous Monitoring

Access by Subset of Privileged Users

MON-08.2

Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.

- Security Incident Event Manager (SIEM) - Splunk

Continuous Monitoring

Cryptographic Protection of Event Log Information

MON-08.3

Cryptographic mechanisms exist to protect the integrity of event logs and audit tools.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Continuous Monitoring

Dual Authorization for Event Log Movement

MON-08.4

Automated mechanisms exist to enforce dual authorization for the movement or deletion of event logs.

Continuous Monitoring

Non-Repudiation

MON-09

Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Continuous Monitoring

Identity Binding

MON-09.1

Mechanisms exist to bind the identity of the information producer to the information generated.

Continuous Monitoring

Event Log Retention

MON-10

Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

E-AST-11

Continuous Monitoring

Monitoring For Information Disclosure

MON-11

Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.

- Content filtering solution - Review of social media outlets

Continuous Monitoring

Analyze Traffic for Covert Exfiltration

MON-11.1

Automated mechanisms exist to analyze network traffic to detect covert data exfiltration.

Continuous Monitoring

Unauthorized Network Services

MON-11.2

Automated mechanisms exist to detect unauthorized network services and alert incident response personnel.

Continuous Monitoring

Monitoring for Indicators of Compromise (IOC)

MON-11.3

Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC).

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Continuous Monitoring

Session Audit

MON-12

Mechanisms exist to provide session audit capabilities that can: ▪ Capture and log all content related to a user session; and ▪ Remotely view all content related to an established user session in real time.

- NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Alternate Event Logging Capability

MON-13

Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Cross-Organizational Monitoring

MON-14

Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data.

Continuous Monitoring

Sharing of Event Logs

MON-14.1

Mechanisms exist to share event logs with third-party organizations based on specific cross-organizational sharing agreements.

- Veris (incident sharing) (http://veriscommunity.net)

Continuous Monitoring

Covert Channel Analysis

MON-15

Mechanisms exist to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels.

Continuous Monitoring

Anomalous Behavior

MON-16

Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Insider Threats

MON-16.1

Mechanisms exist to monitor internal personnel activity for potential security incidents.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Third-Party Threats

MON-16.2

Mechanisms exist to monitor third-party personnel activity for potential security incidents.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Unauthorized Activities

MON-16.3

Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Continuous Monitoring

Account Creation and Modification Logging

MON-16.4

Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups.

Cryptographic Protections

Use of Cryptographic Controls

CRY-01

Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.

- Key and certificate management solutions - Microsoft BitLocker (https://www.microsoft.com/en-us/download/details.aspx?id=53006) - Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection) - Vormetric Transparent Encryption (https://www.thalesesecurity.com/products/data-encryption/vormetric-transparent-encryption)

Cryptographic Protections

Alternate Physical Protection

CRY-01.1

Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternate to physical safeguards.

Cryptographic Protections

Export-Controlled Technology

CRY-01.2

Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.

Cryptographic Protections

Pre/Post Transmission Handling

CRY-01.3

Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception.

Cryptographic Protections

Conceal / Randomize Communications

CRY-01.4

Cryptographic mechanisms exist to conceal or randomize communication patterns.

Cryptographic Protections

Cryptographic Cipher Suites and Protocols Inventory

CRY-01.5

Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.

Cryptographic Protections

Cryptographic Module Authentication

CRY-02

Automated mechanisms exist to enable systems to authenticate to a cryptographic module.

- Yubico (https://www.yubico.com)

Cryptographic Protections

Transmission Confidentiality

CRY-03

Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.

- SSL / TLS protocols - IPSEC Tunnels - Native MPLS encrypted tunnel configurations - Custom encrypted payloads

E-CRY-01

Cryptographic Protections

Transmission Integrity

CRY-04

Cryptographic mechanisms exist to protect the integrity of data being transmitted.

E-CRY-01

Cryptographic Protections

Encrypting Data At Rest

CRY-05

Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.

- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)

Cryptographic Protections

Storage Media

CRY-05.1

Cryptographic mechanisms exist to protect the confidentiality and integrity of sensitive/regulated data residing on storage media.

- Native Storage Area Network (SAN) encryption functionality - BitLocker and EFS

Cryptographic Protections

Offline Storage

CRY-05.2

Mechanisms exist to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements.

Cryptographic Protections

Database Encryption

CRY-05.3

Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases.

Cryptographic Protections

Non-Console Administrative Access

CRY-06

Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.

Cryptographic Protections

Wireless Access Authentication & Encryption

CRY-07

Mechanisms exist to protect wireless access via secure authentication and encryption.

Cryptographic Protections

Public Key Infrastructure (PKI)

CRY-08

Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider.

- Microsoft Active Directory (AD) Certificate Services - Digitcert (https://www.digicert.com) - Entrust (https://www.entrust.com) - Comodo (https://www.comodo.com) - Vault (https://www.vaultproject.io/)

Cryptographic Protections

Availability

CRY-08.1

Resiliency mechanisms exist to ensure the availability of data in the event of the loss of cryptographic keys.

Cryptographic Protections

Cryptographic Key Management

CRY-09

Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.

E-CRY-01

Cryptographic Protections

Symmetric Keys

CRY-09.1

Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.

E-CRY-01

Cryptographic Protections

Asymmetric Keys

CRY-09.2

Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key.

E-CRY-01

Cryptographic Protections

Cryptographic Key Loss or Change

CRY-09.3

Mechanisms exist to ensure the availability of information in the event of the loss of cryptographic keys by individual users.

- Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys.

Cryptographic Protections

Control & Distribution of Cryptographic Keys

CRY-09.4

Mechanisms exist to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes.

Cryptographic Protections

Assigned Owners

CRY-09.5

Mechanisms exist to ensure cryptographic keys are bound to individual identities.

Cryptographic Protections

Third-Party Cryptographic Keys

CRY-09.6

Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared.

Cryptographic Protections

External System Cryptographic Key Control

CRY-09.7

Mechanisms exist to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system.

Cryptographic Protections

Transmission of Security & Privacy Attributes

CRY-10

Mechanisms exist to ensure systems associate security attributes with information exchanged between systems.

- Integrity checking

Cryptographic Protections

Certificate Authorities

CRY-11

Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions.

Data Classification & Handling

Data Protection

DCH-01

Mechanisms exist to facilitate the implementation of data protection controls.

Data Classification & Handling

Data Stewardship

DCH-01.1

Mechanisms exist to ensure data stewardship is assigned, documented and communicated.

Data Classification & Handling

Sensitive / Regulated Data Protection

DCH-01.2

Mechanisms exist to protect sensitive/regulated data wherever it is stored.

Data Classification & Handling

Sensitive / Regulated Media Records

DCH-01.3

Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident.

Data Classification & Handling

Data & Asset Classification

DCH-02

Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.

E-DCH-01 E-DCH-02

Data Classification & Handling

Highest Classification Level

DCH-02.1

Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.

Data Classification & Handling

Media Access

DCH-03

Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.

- Data Loss Prevention (DLP)

Data Classification & Handling

Disclosure of Information

DCH-03.1

Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know.

Data Classification & Handling

Masking Displayed Data

DCH-03.2

Mechanisms exist to apply data masking to sensitive information that is displayed or printed.

Data Classification & Handling

Controlled Release

DCH-03.3

Automated mechanisms exist to validate cybersecurity and privacy attributes prior to releasing information to external systems.

Data Classification & Handling

Media Marking

DCH-04

Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.

Data Classification & Handling

Automated Marking

DCH-04.1

Automated mechanisms exist to mark media and system output to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aide Data Loss Prevention (DLP) technologies.

Data Classification & Handling

Security & Privacy Attributes

DCH-05

Mechanisms exist to bind security attributes to information as it is stored, transmitted and processed.

Data Classification & Handling

Dynamic Attribute Association

DCH-05.1

Mechanisms exist to dynamically associate cybersecurity and privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and privacy policies.

Data Classification & Handling

Attribute Value Changes By Authorized Individuals

DCH-05.2

Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity and privacy attributes.

Data Classification & Handling

Maintenance of Attribute Associations By System

DCH-05.3

Mechanisms exist to maintain the association and integrity of cybersecurity and privacy attributes to individuals and objects.

Data Classification & Handling

Association of Attributes By Authorized Individuals

DCH-05.4

Mechanisms exist to provide the capability to associate cybersecurity and privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals).

Data Classification & Handling

Attribute Displays for Output Devices

DCH-05.5

Mechanisms exist to display cybersecurity and privacy attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions.

Data Classification & Handling

Data Subject Attribute Associations

DCH-05.6

Mechanisms exist to require personnel to associate and maintain the association of cybersecurity and privacy attributes with individuals and objects in accordance with cybersecurity and privacy policies.

Data Classification & Handling

Consistent Attribute Interpretation

DCH-05.7

Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of cybersecurity and privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.

Data Classification & Handling

Identity Association Techniques & Technologies

DCH-05.8

Mechanisms exist to associate cybersecurity and privacy attributes to information.

Data Classification & Handling

Attribute Reassignment

DCH-05.9

Mechanisms exist to reclassify data as required, due to changing business/technical requirements.

Data Classification & Handling

Attribute Configuration By Authorized Individuals

DCH-05.10

Mechanisms exist to provide authorized individuals the capability to define or change the type and value of cybersecurity and privacy attributes available for association with subjects and objects.

Data Classification & Handling

Audit Changes

DCH-05.11

Mechanisms exist to audit changes to cybersecurity and privacy attributes and responds to events in accordance with incident response procedures.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Data Classification & Handling

Media Storage

DCH-06

Mechanisms exist to: ▪ Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and ▪ Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.

Data Classification & Handling

Physically Secure All Media

DCH-06.1

Mechanisms exist to physically secure all media that contains sensitive information.

- Lockbox

Data Classification & Handling

Sensitive Data Inventories

DCH-06.2

Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.

E-AST-08

Data Classification & Handling

Periodic Scans for Sensitive Data

DCH-06.3

Mechanisms exist to periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations.

Data Classification & Handling

Making Sensitive Data Unreadable In Storage

DCH-06.4

Mechanisms exist to ensure sensitive/regulated data is rendered human unreadable anywhere sensitive/regulated data is stored.

Data Classification & Handling

Storing Authentication Data

DCH-06.5

Mechanisms exist to prohibit the storage of sensitive transaction authentication data after authorization.

Data Classification & Handling

Media Transportation

DCH-07

Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.

- Assigned couriers

Data Classification & Handling

Custodians

DCH-07.1

Mechanisms exist to identify custodians throughout the transport of digital or non-digital media.

- Chain of custody

Data Classification & Handling

Encrypting Data In Storage Media

DCH-07.2

Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

Data Classification & Handling

Physical Media Disposal

DCH-08

Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.

- Shred-it - IronMountain - DoD-strength data erasers

E-AST-03

Data Classification & Handling

Digital Media Sanitization

DCH-09

Mechanisms exist to sanitize digital media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.

E-AST-03 E-DCH-07

Data Classification & Handling

Media Sanitization Documentation

DCH-09.1

Mechanisms exist to supervise, track, document and verify media sanitization and disposal actions.

- Certificate of destruction

E-AST-03 E-DCH-07

Data Classification & Handling

Equipment Testing

DCH-09.2

Mechanisms exist to test sanitization equipment and procedures to verify that the intended result is achieved.

Data Classification & Handling

Sanitization of Personal Data (PD)

DCH-09.3

Mechanisms exist to facilitate the sanitization of Personal Data (PD).

- De-identifying PI

Data Classification & Handling

First Time Use Sanitization

DCH-09.4

Mechanisms exist to apply nondestructive sanitization techniques to portable storage devices prior to first use.

Data Classification & Handling

Dual Authorization for Sensitive Data Destruction

DCH-09.5

Mechanisms exist to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive / regulated data.

Data Classification & Handling

Media Use

DCH-10

Mechanisms exist to restrict the use of types of digital media on systems or system components.

Data Classification & Handling

Limitations on Use

DCH-10.1

Mechanisms exist to restrict the use and distribution of sensitive / regulated data.

Data Classification & Handling

Prohibit Use Without Owner

DCH-10.2

Mechanisms exist to prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

Data Classification & Handling

Data Reclassification

DCH-11

Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information.

Data Classification & Handling

Removable Media Security

DCH-12

Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters.

Data Classification & Handling

Use of External Information Systems

DCH-13

Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data.

Data Classification & Handling

Limits of Authorized Use

DCH-13.1

Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first: ▪ Verifying the implementation of required security controls; or ▪ Retaining a processing agreement with the entity hosting the external systems or service.

Data Classification & Handling

Portable Storage Devices

DCH-13.2

Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems.

Data Classification & Handling

Protecting Sensitive Data on External Systems

DCH-13.3

Mechanisms exist to ensure that the requirements for the protection of sensitive information processed, stored or transmitted on external systems, are implemented in accordance with applicable statutory, regulatory and contractual obligations.

- NIST 800-171 Compliance Criteria (NCC) (ComplianceForge)

Data Classification & Handling

Non-Organizationally Owned Systems / Components / Devices

DCH-13.4

Mechanisms exist to restrict the use of non-organizationally owned information systems, system components or devices to process, store or transmit organizational information.

Data Classification & Handling

Information Sharing

DCH-14

Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.

- ShareFile - SmartVault - Veris (incident sharing) (http://veriscommunity.net)

Data Classification & Handling

Information Search & Retrieval

DCH-14.1

Mechanisms exist to ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions.

Data Classification & Handling

Transfer Authorizations

DCH-14.2

Mechanisms exist to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data.

Data Classification & Handling

Data Access Mapping

DCH-14.3

Mechanisms exist to develop a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) to determine the personnel with whom sensitive/regulated data is shared.

Data Classification & Handling

Publicly Accessible Content

DCH-15

Mechanisms exist to control publicly-accessible content.

- Designate individuals authorized to post information onto systems that are publicly accessible. - Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information. - Review the proposed content of publicly accessible information for nonpublic information prior to posting. - Remove nonpublic information from the publicly accessible system.

Data Classification & Handling

Data Mining Protection

DCH-16

Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques.

Data Classification & Handling

Ad-Hoc Transfers

DCH-17

Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties.

- ShareFile - Box

Data Classification & Handling

Media & Data Retention

DCH-18

Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.

- Data Protection Impact Assessment (DPIA)

E-AST-11

Data Classification & Handling

Limit Personal Data (PD) Elements In Testing, Training & Research

DCH-18.1

Mechanisms exist to limit Personal Data (PD) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Minimize Personal Data (PD)

DCH-18.2

Mechanisms exist to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Temporary Files Containing Personal Data (PD)

DCH-18.3

Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD).

Data Classification & Handling

Geographic Location of Data

DCH-19

Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties.

E-AST-23

Data Classification & Handling

Archived Data Sets

DCH-20

Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.

Data Classification & Handling

Information Disposal

DCH-21

Mechanisms exist to securely dispose of, destroy or erase information.

- Shred-it - IronMountain

Data Classification & Handling

Data Quality Operations

DCH-22

Mechanisms exist to check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Updating & Correcting Personal Data (PD)

DCH-22.1

Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Data Tags

DCH-22.2

Mechanisms exist to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Primary Source Personal Data (PD) Collection

DCH-22.3

Mechanisms exist to collect Personal Data (PD) directly from the individual.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

De-Identification (Anonymization)

DCH-23

Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

De-Identify Dataset Upon Collection

DCH-23.1

Mechanisms exist to de-identify the dataset upon collection by not collecting Personal Data (PD).

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Archiving

DCH-23.2

Mechanisms exist to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Release

DCH-23.3

Mechanisms exist to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers

DCH-23.4

Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Statistical Disclosure Control

DCH-23.5

Mechanisms exist to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis.

Data Classification & Handling

Differential Privacy

DCH-23.6

Mechanisms exist to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Automated De-Identification of Sensitive Data

DCH-23.7

Mechanisms exist to perform de-identification of sensitive/regulated data, using validated algorithms and software to implement the algorithms.

- Data Protection Impact Assessment (DPIA)

Data Classification & Handling

Motivated Intruder

DCH-23.8

Mechanisms exist to perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.

Data Classification & Handling

Code Names

DCH-23.9

Mechanisms exist to use aliases to name assets, that are mission-critical and/or contain highly-sensitive/regulated data, are unique and not readily associated with a product, project or type of data.

Data Classification & Handling

Information Location

DCH-24

Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.

- Data Flow Diagram (DFD)

E-AST-23

Data Classification & Handling

Automated Tools to Support Information Location

DCH-24.1

Automated mechanisms exist to identify by data classification type to ensure adequate cybersecurity and privacy controls are in place to protect organizational information and individual privacy.

Data Classification & Handling

Transfer of Sensitive and/or Regulated Data

DCH-25

Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.

- Model contracts - Privacy Shield - Binding Corporate Rules (BCR)

Data Classification & Handling

Transfer Activity Limits

DCH-25.1

Mechanisms exist to establish organization-defined ""normal business activities"" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.

Data Classification & Handling

Data Localization

DCH-26

Mechanisms exist to constrain the impact of ""digital sovereignty laws,"" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.

- Board of Directors (Bod) Ethics Committee

Embedded Technology

Embedded Technology Security Program

EMB-01

Mechanisms exist to facilitate the implementation of embedded technology controls.

E-AST-07

Embedded Technology

Internet of Things (IOT)

EMB-02

Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Internet of Things (IoT).

Embedded Technology

Operational Technology (OT)

EMB-03

Mechanisms exist to proactively manage the cybersecurity and privacy risks associated with Operational Technology (OT).

Embedded Technology

Interface Security

EMB-04

Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s).

Embedded Technology

Embedded Technology Configuration Monitoring

EMB-05

Mechanisms exist to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected.

Embedded Technology

Prevent Alterations

EMB-06

Mechanisms exist to protect embedded devices by preventing the unauthorized installation and execution of software.

Embedded Technology

Embedded Technology Maintenance

EMB-07

Mechanisms exist to securely update software and upgrade functionality on embedded devices.

Embedded Technology

Resilience To Outages

EMB-08

Mechanisms exist to configure embedded technology to be resilient to data network and power outages.

Embedded Technology

Power Level Monitoring

EMB-09

Automated mechanisms exist to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering.

Embedded Technology

Embedded Technology Reviews

EMB-10

Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.

Embedded Technology

Message Queuing Telemetry Transport (MQTT) Security

EMB-11

Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.

Embedded Technology

Restrict Communications

EMB-12

Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications.

Embedded Technology

Authorized Communications

EMB-13

Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints.

Embedded Technology

Operating Environment Certification

EMB-14

Mechanisms exist to determine if embedded technologies are certified for secure use in the proposed operating environment.

Embedded Technology

Safety Assessment

EMB-15

Mechanisms exist to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure.

Embedded Technology

Certificate-Based Authentication

EMB-16

Mechanisms exist to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services.

Embedded Technology

Chip-To-Cloud Security

EMB-17

Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP).

Embedded Technology

Real-Time Operating System (RTOS) Security

EMB-18

Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS).

Embedded Technology

Safe Operations

EMB-19

Mechanisms exist to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured.

Endpoint Security

END-01

Mechanisms exist to facilitate the implementation of endpoint security controls.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Group Policy Objects (GPOs) - Antimalware technologies - Software firewalls - Host-based IDS/IPS technologies - NNT Change Tracker (https://www.newnettechnologies.com)

Endpoint Security

Endpoint Protection Measures

END-02

Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Endpoint Security

Prohibit Installation Without Privileged Status

END-03

Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Removal of local admin rights - Privileged Account Management (PAM) - NNT Change Tracker (https://www.newnettechnologies.com)

Endpoint Security

Software Installation Alerts

END-03.1

Mechanisms exist to generate an alert when new software is detected.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com)

Endpoint Security

Governing Access Restriction for Change

END-03.2

Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to systems.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Endpoint Security

Malicious Code Protection (Anti-Malware)

END-04

Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - Antimalware software - NNT Change Tracker (https://www.newnettechnologies.com)

Endpoint Security

Automatic Antimalware Signature Updates

END-04.1

Mechanisms exist to automatically update antimalware technologies, including signature definitions.

- Antimalware software

Endpoint Security

Documented Protection Measures

END-04.2

Mechanisms exist to document antimalware technologies.

Endpoint Security

Centralized Management of Antimalware Technologies

END-04.3

Mechanisms exist to centrally-manage antimalware technologies.

- Antimalware software

E-MON-02

Endpoint Security

Heuristic / Nonsignature-Based Detection

END-04.4

Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.

- Antimalware software

Endpoint Security

Malware Protection Mechanism Testing

END-04.5

Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs.

- EICAR test file

Endpoint Security

Evolving Malware Threats

END-04.6

Mechanisms exist to perform periodic evaluations evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software.

Endpoint Security

Always On Protection

END-04.7

Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.

- Antimalware software

Endpoint Security

Software Firewall

END-05

Mechanisms exist to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible.

- NNT Change Tracker (https://www.newnettechnologies.com)

Endpoint Security

Endpoint File Integrity Monitoring (FIM)

END-06

Mechanisms exist to utilize File Integrity Monitor (FIM) technology to detect and report unauthorized changes to system files and configurations.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - File Integrity Monitor (FIM)

Endpoint Security

Integrity Checks

END-06.1

Mechanisms exist to validate configurations through integrity checking of software and firmware.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - File Integrity Monitor (FIM)

Endpoint Security

Integration of Detection & Response

END-06.2

Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - File Integrity Monitor (FIM)

Endpoint Security

Automated Notifications of Integrity Violations

END-06.3

Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Endpoint Security

Automated Response to Integrity Violations

END-06.4

Automated mechanisms exist to implement remediation actions when integrity violations are discovered.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)

Endpoint Security

Boot Process Integrity

END-06.5

Automated mechanisms exist to verify the integrity of the boot process of information systems.

Endpoint Security

Protection of Boot Firmware

END-06.6

Automated mechanisms exist to protect the integrity of boot firmware in information systems.

Endpoint Security

Binary or Machine-Executable Code

END-06.7

Mechanisms exist to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code.

Endpoint Security

Host Intrusion Detection and Prevention Systems (HIDS / HIPS)

END-07

Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems.

- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/) - NNT Change Tracker (https://www.newnettechnologies.com) - File Integrity Monitor (FIM)

Endpoint Security

Phishing & Spam Protection

END-08

Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.

Endpoint Security

Central Management

END-08.1

Mechanisms exist to centrally-manage anti-phishing and spam protection technologies.

Endpoint Security

Automatic Spam and Phishing Protection Updates

END-08.2

Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices.

Endpoint Security

Trusted Path

END-09

Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system.

- Active Directory (AD) Ctrl+Alt+Del login process

Endpoint Security

Mobile Code

END-10

Mechanisms exist to address mobile code / operating system-independent applications.

Endpoint Security

Thin Nodes

END-11

Mechanisms exist to configure thin nodes to have minimal functionality and information storage.

Endpoint Security

Port & Input / Output (I/O) Device Access

END-12

Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems.

Endpoint Security

Sensor Capability

END-13

Mechanisms exist to configure embedded sensors on systems to: ▪ Prohibit the remote activation of sensing capabilities; and ▪ Provide an explicit indication of sensor use to users.

Endpoint Security

Authorized Use

END-13.1

Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.

Endpoint Security

Notice of Collection

END-13.2

Mechanisms exist to notify individuals that Personal Data (PD) is collected by sensors.

- Visible or auditory alert - Data Protection Impact Assessment (DPIA)

Endpoint Security

Collection Minimization

END-13.3

Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.

Embedded Technology

Sensor Delivery Verification

END-13.4

Mechanisms exist to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles.

Endpoint Security

Collaborative Computing Devices

END-14

Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: ▪ Networked whiteboards; ▪ Video teleconference cameras; and ▪ Teleconference microphones.

- Unplug devices when not needed

Endpoint Security

Disabling / Removal In Secure Work Areas

END-14.1

Mechanisms exist to disable or remove collaborative computing devices from critical information systems and secure work areas.

Endpoint Security

Explicitly Indicate Current Participants

END-14.2

Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences.

Endpoint Security

Hypervisor Access

END-15

Mechanisms exist to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems.

Endpoint Security

Restrict Access To Security Functions

END-16

Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.

- Windows Defender Device Guard

Endpoint Security

Host-Based Security Function Isolation

END-16.1

Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation.

- Windows Defender Device Guard

Human Resources Security

Human Resources Security Management

HRS-01

Mechanisms exist to facilitate the implementation of personnel security controls.

Human Resources Security

Position Categorization

HRS-02

Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.

E-HRS-01 E-HRS-02 E-HRS-03 E-HRS-04 E-HRS-11 E-HRS-22

Human Resources Security

Users With Elevated Privileges

HRS-02.1

Mechanisms exist to ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question.

E-HRS-02 E-HRS-03 E-HRS-04 E-HRS-11 E-HRS-22

Human Resources Security

Probationary Periods

HRS-02.2

Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period.

Human Resources Security

Roles & Responsibilities

HRS-03

Mechanisms exist to define cybersecurity responsibilities for all personnel.

- NIST NICE framework - RACI diagram

E-HRS-01 E-HRS-02 E-HRS-03 E-HRS-04 E-HRS-11 E-HRS-13 E-HRS-18 E-HRS-22

Human Resources Security

User Awareness

HRS-03.1

Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment.

E-HRS-01 E-HRS-13 E-HRS-16 E-HRS-18

Human Resources Security

Competency Requirements for Security-Related Positions

HRS-03.2

Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.

E-HRS-21 E-HRS-23

Human Resources Security

Personnel Screening

HRS-04

Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.

- Criminal, education and employment background checks

E-HRS-17 E-HRS-21

Human Resources Security

Roles With Special Protection Measures

HRS-04.1

Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.

- Security clearances for classified information.

E-HRS-17 E-HRS-21

Human Resources Security

Formal Indoctrination

HRS-04.2

Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information are formally indoctrinated for all the relevant types of information to which they have access on the system.

E-HRS-18

Human Resources Security

Citizenship Requirements

HRS-04.3

Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship.

Human Resources Security

Citizenship Identification

HRS-04.4

Mechanisms exist to identify foreign nationals, including by their specific citizenship.

Human Resources Security

Terms of Employment

HRS-05

Mechanisms exist to require all employees and contractors to apply cybersecurity and privacy principles in their daily work.

- Acceptable Use Policy (AUP) - Rules of behavior

E-HRS-16 E-HRS-22

Human Resources Security

Rules of Behavior

HRS-05.1

Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

- Acceptable Use Policy (AUP) - Rules of behavior

E-HRS-22

Human Resources Security

Social Media & Social Networking Restrictions

HRS-05.2

Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.

- Acceptable Use Policy (AUP) - Rules of behavior

E-HRS-22

Human Resources Security

Use of Communications Technology

HRS-05.3

Mechanisms exist to establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to systems, if used maliciously.

- Acceptable Use Policy (AUP) - Rules of behavior

E-HRS-22

Human Resources Security

Use of Critical Technologies

HRS-05.4

Mechanisms exist to govern usage policies for critical technologies.

E-HRS-22

Human Resources Security

Use of Mobile Devices

HRS-05.5

Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources.

- Acceptable Use Policy (AUP) - Rules of behavior - BYOD policy

E-HRS-22

Human Resources Security

Security-Minded Dress Code

HRS-05.6

Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets.

Human Resources Security

Policy Familiarization & Acknowledgement

HRS-05.7

Mechanisms exist to ensure personnel receive recurring familiarization with the organization’s cybersecurity and privacy policies and provide acknowledgement.

E-HRS-18 E-SAT-02 E-SAT-04

Human Resources Security

Access Agreements

HRS-06

Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.

E-HRS-16

Human Resources Security

Confidentiality Agreements

HRS-06.1

Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, or both employees and third-parties.

- Non-Disclosure Agreements (NDAs)

E-HRS-20

Human Resources Security

Post-Employment Obligations

HRS-06.2

Mechanisms exist to notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information.

E-HRS-19

Human Resources Security

Personnel Sanctions

HRS-07

Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.

Human Resources Security

Workplace Investigations

HRS-07.1

Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated.

Human Resources Security

Personnel Transfer

HRS-08

Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner.

Human Resources Security

Personnel Termination

HRS-09

Mechanisms exist to govern the termination of individual employment.

E-HRS-19

Human Resources Security

Asset Collection

HRS-09.1

Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment.

E-HRS-19

Human Resources Security

High-Risk Terminations

HRS-09.2

Mechanisms exist to expedite the process of removing ""high risk"" individual’s access to systems and applications upon termination, as determined by management.

E-HRS-19

Human Resources Security

Post-Employment Requirements

HRS-09.3

Mechanisms exist to govern former employee behavior by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.

- Non-Disclosure Agreements (NDAs)

E-HRS-19

Human Resources Security

Automated Employment Status Notifications

HRS-09.4

Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual employment or contract.

Human Resources Security

Third-Party Personnel Security

HRS-10

Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party cybersecurity and privacy roles and responsibilities.

- Independent background check service

E-HRS-16 E-HRS-18 E-HRS-22

Human Resources Security

Separation of Duties (SoD)

HRS-11

Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.

E-HRS-25

Human Resources Security

Incompatible Roles

HRS-12

Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.

E-HRS-25

Human Resources Security

Two-Person Rule

HRS-12.1

Mechanisms exist to enforce a two-person rule for implementing changes to sensitive systems.

Human Resources Security

Identify Critical Skills & Gaps

HRS-13

Mechanisms exist to evaluate the critical cybersecurity and privacy skills needed to support the organization’s mission and identify gaps that exist.

E-HRS-23 E-HRS-24

Human Resources Security

Remediate Identified Skills Deficiencies

HRS-13.1

Mechanisms exist to remediate critical skills deficiencies necessary to support the organization’s mission and business functions.

E-HRS-24

Human Resources Security

Identify Vital Cybersecurity & Privacy Staff

HRS-13.2

Mechanisms exist to identify vital cybersecurity & privacy staff.

E-HRS-26

Human Resources Security

Establish Redundancy for Vital Cybersecurity & Privacy Staff

HRS-13.3

Mechanisms exist to establish redundancy for vital cybersecurity & privacy staff.

Human Resources Security

Perform Succession Planning

HRS-13.4

Mechanisms exist to perform succession planning for vital cybersecurity & privacy roles.