a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process.
[Withdrawn: Incorporated into PL-9.]
Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].
(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks].
Employ automated patch management tools to facilitate flaw remediation to the following system components: [Assignment: organization-defined system components].
Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].
Remove previous versions of [Assignment: organization-defined software and firmware components] after updated versions have been installed.
a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
[Withdrawn: Incorporated into PL-9.]
[Withdrawn: Incorporated into SI-3.]
[Withdrawn: Incorporated into AC-6(10).]
Update malicious code protection mechanisms only when directed by a privileged user.
[Withdrawn: Incorporated into MP-7.]
(a) Test malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing known benign code into the system; and (b) Verify that the detection of the code and the associated incident reporting occur.
[Withdrawn: Incorporated into SI-3.]
(a) Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and (b) [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command].
[Withdrawn: Incorporated into AC-17(10).]
(a) Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: [Assignment: organization-defined tools and techniques]; and (b) Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes.
a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.
Employ automated tools and mechanisms to support near real-time analysis of events.
Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.
(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].
Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
[Withdrawn: Incorporated into AC-6(10).]
(a) Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and (b) Take the following actions upon detection: [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
[Withdrawn: Incorporated into SI-4.]
Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency].
Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].
Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies.
Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].
(a) Analyze communications traffic and event patterns for the system; (b) Develop profiles representing common traffic and event patterns; and (c) Use the traffic and event profiles in tuning system-monitoring devices.
Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
Correlate information from monitoring tools and mechanisms employed throughout the system.
Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system].
Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.
Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].
Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring].
(a) Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and (b) [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected.
Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].
Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources].
Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.
a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.
Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms].
a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; c. Alert [Assignment: organization-defined personnel or roles] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
[Withdrawn: Incorporated into SI-6.]
Implement automated mechanisms to support the management of distributed security and privacy function testing.
Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles].
a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].
Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
Employ centrally managed integrity verification tools.
[Withdrawn: Incorporated into SR-9.]
Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]] when integrity violations are discovered.
Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system].
Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].
Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components].
Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms].
[Withdrawn: Incorporated into CM-7(6).]
Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software].
[Withdrawn: Incorporated into CM-7(7).]
[Withdrawn: Incorporated into CM-7(8).]
Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components].
Prohibit processes from executing without supervision for more than [Assignment: organization-defined time period].
Implement [Assignment: organization-defined controls] for application self-protection at runtime.
a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
[Withdrawn: Incorporated into PL-9.]
Automatically update spam protection mechanisms [Assignment: organization-defined frequency].
Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
[Withdrawn: Incorporated into AC-2, AC-3, AC-5, and AC-6.]
Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system].
(a) Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; (b) Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and (c) Audit the use of the manual override capability.
Review and resolve input validation errors within [Assignment: organization-defined time period].
Verify that the system behaves in a predictable and documented manner when invalid inputs are received.
Account for timing interactions among system components in determining appropriate responses for invalid inputs.
Restrict the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].
Prevent untrusted data injections.
a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles].
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: [Assignment: organization-defined elements of personally identifiable information].
Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [Assignment: organization-defined techniques].
Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques].
a. Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b. Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria].
Take system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
[Withdrawn: Incorporated into SI-7(16).]
Manually initiate transfers between active and standby system components when the use of the active component reaches [Assignment: organization-defined percentage] of the mean time to failure.
If system component failures are detected: (a) Ensure that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and (b) [Selection (one or more): Activate [Assignment: organization-defined alarm]; Automatically shut down the system; [Assignment: organization-defined action]].
Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.
Implement non-persistent [Assignment: organization-defined system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].
Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources].
(a) [Selection: Refresh [Assignment: organization-defined information] [Assignment: organization-defined frequency]; Generate [Assignment: organization-defined information] on demand]; and (b) Delete information when no longer needed.
Establish connections to the system on demand and terminate connections after [Selection: completion of a request; a period of non-use].
Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [Assignment: organization-defined software programs and/or applications].
Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls].
Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures].
a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and b. Correct or delete inaccurate or outdated personally identifiable information.
Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [Assignment: organization-defined automated mechanisms].
Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.
Collect personally identifiable information directly from the individual.
Correct or delete personally identifiable information upon request by individuals or their designated representatives.
Notify [Assignment: organization-defined recipients of personally identifiable information] and individuals that the personally identifiable information has been corrected or deleted.
a. Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b. Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification.
De-identify the dataset upon collection by not collecting personally identifiable information.
Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.
Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.
Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.
Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.
Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported.
Perform de-identification using validated algorithms and software that is validated to implement the algorithms.
Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.
Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: [Assignment: organization-defined systems or system components].
Refresh [Assignment: organization-defined information] at [Assignment: organization-defined frequencies] or generate the information on demand and delete the information when no longer needed.
a. Identify the following alternative sources of information for [Assignment: organization-defined essential functions and services]: [Assignment: organization-defined alternative information sources]; and b. Use an alternative information source for the execution of essential functions or services on [Assignment: organization-defined systems or system components] when the primary source of information is corrupted or unavailable.
Based on [Assignment: organization-defined circumstances]: a. Fragment the following information: [Assignment: organization-defined information]; and b. Distribute the fragmented information across the following systems or system components: [Assignment: organization-defined systems or system components].