From 6c2e18d94330969730bd86ad546a4bdf45f19a4f Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Fri, 14 Feb 2025 16:37:12 +0000 Subject: [PATCH 1/5] Add Latest Example SSP Changes --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 21387 +++++++++++----- 1 file changed, 14551 insertions(+), 6836 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index c83b28345..7527c4945 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -1,18 +1,19 @@ - - + - FedRAMP [Baseline Name] System Security Plan (SSP) + [EXAMPLE] FedRAMP [Baseline Name] System Security Plan (SSP) 2024-12-31T23:59:59Z - 2024-11-05T02:24:00Z - fedramp3.0.0-oscal1.1.4 - 1.1.2 + 2025-01-08T04:18:29Z + fedramp-3.0.0rc1-oscal-1.1.2 + 1.1.3 2023-06-30T00:00:00Z 1.0 1.0.4 - +

Initial publication.

@@ -21,29 +22,32 @@ 2023-07-06T00:00:00Z 1.1 1.0.4 - +

Minor prop updates.

- - - + + + ISSO + FedRAMP Program Management Office

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers -through the FedRAMP authorization process and maintains a secure repository of -FedRAMP authorizations to enable reuse of security packages.

+ through the FedRAMP authorization process and maintains a secure repository of FedRAMP + authorizations to enable reuse of security packages.

Prepared By

The organization that prepared this SSP. If developed in-house, this is the CSP -itself.

+ itself.

@@ -63,18 +67,16 @@ itself.

CSP
- Information System Owner

The individual within the CSP who is ultimately accountable for everything related to -this system.

+ this system.

Authorizing Official -

The individual or individuals who must grant this system an authorization to -operate.

+

The individual or individuals who must grant this system an authorization to operate.

@@ -83,14 +85,11 @@ operate.

The individual representing the authorizing official.

- - System Administrator - Information System Management Point of Contact (POC) -

The highest level manager who responsible for system operation on behalf of the -System Owner.

+

The highest level manager who responsible for system operation on behalf of the System + Owner.

@@ -106,18 +105,17 @@ System Owner.

- System Information System Security Officer (or Equivalent) -

The individual accountable for the security posture of the system on behalf of the -system owner.

+

The individual accountable for the security posture of the system on behalf of the system + owner.

Privacy Official's Point of Contact

The individual responsible for the privacy threshold analysis and if necessary the -privacy impact assessment.

+ privacy impact assessment.

@@ -138,8 +136,8 @@ privacy impact assessment.

ICA POC (Remote) -

The point of contact for an interconnection on behalf of this external system to -which this system connects.

+

The point of contact for an interconnection on behalf of this external system to which + this system connects.

Remove this role if there are no ICAs.

@@ -149,7 +147,7 @@ which this system connects.

ICA Signatory (Local)

Responsible for signing an interconnection security agreement on behalf of this -system.

+ system.

Remove this role if there are no ICAs.

@@ -158,8 +156,8 @@ system.

ICA Signatory (Remote) -

Responsible for signing an interconnection security agreement on behalf of the -external system to which this system connects.

+

Responsible for signing an interconnection security agreement on behalf of the external + system to which this system connects.

Remove this role if there are no ICAs.

@@ -175,12 +173,9 @@ external system to which this system connects.

Customer

Represents any customers of this system as may be necessary for assigning customer -responsibility.

+ responsibility.

- - Document Creator - Provider @@ -199,12 +194,6 @@ responsibility.

This is a sample role.

- - Leveraged Authorization Users - -

Any internal users of a leveraged authorization.

-
-
External System Owner @@ -214,15 +203,14 @@ responsibility.

External System Management Point of Contact (POC) -

The highest level manager who responsible for an external system's operation on -behalf of the System Owner.

+

The highest level manager who responsible for an external system's operation on behalf of + the System Owner.

External System Technical Point of Contact -

The individual or individuals leading the technical operation of an external -system.

+

The individual or individuals leading the technical operation of an external system.

@@ -241,8 +229,8 @@ system.

00000 -

There must be one location identifying the CSP's primary business address, such as -the CSP's HQ, or the address of the system owner's primary business location.

+

There must be one location identifying the CSP's primary business address, such as the + CSP's HQ, or the address of the system owner's primary business location.

@@ -281,22 +269,15 @@ the CSP's HQ, or the address of the system owner's primary business location.

The type property must also have a class of "primary" or "alternate".

- - Example Organization - ExOrg - - - Cloud Service Provider (CSP) Name CSP Acronym/Short Name 11111111-2222-4000-8000-003000000001

Replace sample CSP information.

-

CSP information must be present and associated with the "cloud-service-provider" role -via responsible-party. -

+

CSP information must be present and associated with the "cloud-service-provider" role via + responsible-party.

@@ -304,7 +285,6 @@ via responsible-party. FedRAMP PMO - info@fedramp.gov
1800 F St. NW @@ -315,8 +295,8 @@ via responsible-party.

This party entry must be present in a FedRAMP SSP.

-

The uuid may be different; however, the uuid must be associated with the -"fedramp-pmo" role in the responsible-party assemblies.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-pmo" + role in the responsible-party assemblies.

@@ -325,11 +305,10 @@ via responsible-party.

This party entry must be present in a FedRAMP SSP.

-

The uuid may be different; however, the uuid must be associated with the -"fedramp-jab" role in the responsible-party assemblies.

+

The uuid may be different; however, the uuid must be associated with the "fedramp-jab" + role in the responsible-party assemblies.

- External Organization External @@ -477,9 +456,6 @@ via responsible-party. Leveraged Authorization User - - - Name of Leveraged System A Provider @@ -498,9 +474,9 @@ via responsible-party. 11111111-2222-4000-8000-004000000018 - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000001 22222222-2222-4000-8000-004000000001 @@ -508,7 +484,6 @@ via responsible-party.

Zero or more

- 11111111-2222-4000-8000-004000000010 @@ -516,10 +491,8 @@ via responsible-party. - 11111111-2222-4000-8000-004000000001 - 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 @@ -528,7 +501,6 @@ via responsible-party. - 11111111-2222-4000-8000-004000000010

Exactly one

@@ -553,7 +525,6 @@ via responsible-party.

Exactly one

- 11111111-2222-4000-8000-004000000014 @@ -570,64 +541,55 @@ via responsible-party. 11111111-2222-4000-8000-004000000016

Exactly one

+
    +
  • testtest +

    hello

    +
  • +
- -
- +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official -FedRAMP 3.0.0 release.

+ FedRAMP 3.0.0 release.

Must adjust accordingly for applicable baseline and revision.

- - F00000000 System's Full Name System's Short Name or Acronym - -

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] -offering using a multi-tenant [insert based on the Deployment Model above] cloud -computing environment. It is available to [Insert scope of customers in accordance with -instructions above (for example, the public, federal, state, local, and tribal -governments, as well as research institutions, federal contractors, government -contractors etc.)].

+

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] offering + using a multi-tenant [insert based on the Deployment Model above] cloud computing + environment. It is available to [Insert scope of customers in accordance with instructions + above (for example, the public, federal, state, local, and tribal governments, as well as + research institutions, federal contractors, government contractors etc.)].

NOTE: Additional description, including the purpose and functions of this system may be -added here. This includes any narrative text usually included in section 9.1 of the -SSP.

+ added here. This includes any narrative text usually included in section 9.1 of the SSP.

NOTE: The description is expected to be at least 32 words in length.

-

Remarks are required if service model is "other". Optional otherwise.

-

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional -otherwise.

+ otherwise.

- - - - - + - - fips-199-moderate + fips-199-high - - Information Type Name @@ -718,31 +680,22 @@ otherwise.

- -
- fips-199-moderate fips-199-moderate fips-199-moderate - -

Remarks are optional if status/state is "operational".

Remarks are required otherwise.

- - -

A holistic, top-level explanation of the FedRAMP authorization boundary.

-

A diagram-specific explanation.

@@ -752,11 +705,9 @@ otherwise.

-

A holistic, top-level explanation of the network architecture.

-

A diagram-specific explanation.

@@ -766,11 +717,9 @@ otherwise.

-

A holistic, top-level explanation of the system's data flows.

-

A diagram-specific explanation.

@@ -781,70 +730,48 @@ otherwise.

- - - - - AwesomeCloud Commercial(IaaS) - -

For now, this is a required field. In the future we intend -to pull this information directly from FedRAMP's records -based on the "leveraged-system-identifier" property's value.

+

For now, this is a required field. In the future we intend to pull this information + directly from FedRAMP's records based on the "leveraged-system-identifier" property's + value.

- + -

For now, this is a required field. In the future we intend -to pull this information directly from FedRAMP's records -based on the "leveraged-system-identifier" property's value.

+

For now, this is a required field. In the future we intend to pull this information + directly from FedRAMP's records based on the "leveraged-system-identifier" property's + value.

- 11111111-2222-4000-8000-c0040000000a 2015-01-01 -

Use one leveraged-authorization assembly for each underlying authorized -cloud system or general support system (GSS).

-

For each leveraged authorization there must also be a "system" component. -The corrisponding "system" component must include a -"leveraged-authorization-uuid" property -that links it to this leveraged authorization.

+

Use one leveraged-authorization assembly for each underlying authorized cloud system or + general support system (GSS).

+

For each leveraged authorization there must also be a "system" component. The + corrisponding "system" component must include a "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

- - - - - - system-poc-technical - Admin - -

admin user

-
- administration + + <function-performed>none</function-performed> </authorized-privilege> <remarks> - <p>The user assembly is being reviewed for continued applicability -under FedRAMP's adoption of Rev 5.</p> - <p>Currently, FedRAMP will only process user content if it includes the -FedRAMP "separation-of-duties-matrix" property/extension. All other user -entries will be ignored by validation rules, but may be displayed by tools. </p> + <p>The user assembly is being reviewed for continued applicability under FedRAMP's adoption + of Rev 5.</p> + <p>Currently, FedRAMP will only process user content if it includes the FedRAMP + "separation-of-duties-matrix" property/extension. All other user entries will be ignored + by validation rules, but may be displayed by tools. </p> </remarks> </user> <user uuid="11111111-2222-4000-8000-008000000002"> <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal"/> - <prop name="type" value="internal"/> - <prop ns="http://fedramp.gov/ns/oscal" name="sensitivity" value="high-risk"/> - <prop ns="http://fedramp.gov/ns/oscal" name="privilege-level" value="read-write"/> - - <role-id>system-poc-technical</role-id> <authorized-privilege> <title>Add/Remove Admins This can add and remove admins. @@ -852,74 +779,40 @@ entries will be ignored by validation rules, but may be displayed by tools.

- - - - system-poc-technical - Admin - -

admin user

-
- administration + + <function-performed>add/remove non-privliged admins</function-performed> </authorized-privilege> </user> <user uuid="11111111-2222-4000-8000-008000000004"> <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal"/> - <prop name="type" value="internal"/> - <prop ns="http://fedramp.gov/ns/oscal" name="privilege-level" value="read-write"/> - <prop ns="http://fedramp.gov/ns/oscal" name="sensitivity" value="high-risk"/> - <role-id>system-poc-technical</role-id> <authorized-privilege> - <title>Admin - -

admin user

-
- administration + + <function-performed>Manage services and components within the virtual cloud environment.</function-performed> </authorized-privilege> </user> <user uuid="11111111-2222-4000-8000-008000000005"> <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal"/> - <prop ns="http://fedramp.gov/ns/oscal" name="sensitivity" value="high-risk"/> - <prop ns="http://fedramp.gov/ns/oscal" name="privilege-level" value="read-write"/> - <prop name="type" value="internal"/> - <role-id>system-owner</role-id> <authorized-privilege> - <title>Admin - -

admin user

-
- administration + + <function-performed>Add and remove users from the virtual cloud environment.</function-performed> </authorized-privilege> </user> - <!-- ========= MINIMUM REQUIRED COMPONENT: THIS SYSTEM ======= --> - <!-- ========= MINIMUM REQUIRED COMPONENT: THIS SYSTEM ======= --> - <!-- ========= MINIMUM REQUIRED COMPONENT: THIS SYSTEM ======= --> - <!--There must be a "this-system" component --> <component uuid="11111111-2222-4000-8000-009000000000" type="this-system"> <title>This System -

This component represents the entire authorization boundary, -as depicted in the system authorization boundary diagram.

-

FedRAMP requires exactly one "this-system" component, which is used -in control implementation responses and interconnections.

+

This component represents the entire authorization boundary, as depicted in the system + authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used in control + implementation responses and interconnections.

-

A FedRAMP SSP must always have exactly one "this-system" component -that represents the whole system.

+

A FedRAMP SSP must always have exactly one "this-system" component that represents the + whole system.

It does not need system details, as those exist elsewhere in this SSP.

- - - - - - - - - Awesome Cloud IaaS (Leveraged Authorized System) @@ -928,306 +821,253 @@ that represents the whole system.

- - - + +

If 'yes', describe the authentication method.

If 'no', explain why no authentication is used.

-

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the + remarks.

- - + + - 11111111-2222-4000-8000-c0040000000a -

The "provider" role is required for the component representing -a leveraged system. It must reference exactly one party -(via party-uuid), which points to a party of type "organization" -representing the organization that owns the leveraged system.

+

The "provider" role is required for the component representing a leveraged system. It + must reference exactly one party (via party-uuid), which points to a party of type + "organization" representing the organization that owns the leveraged system.

- - - + + + + 11111111-2222-4000-8000-c0040000000a -

This is a leveraged system within which this system operates. -It is explicitly listed on the FedRAMP marketplace with a status of -"FedRAMP Authorized".

+

This is a leveraged system within which this system operates. It is explicitly listed on + the FedRAMP marketplace with a status of "FedRAMP Authorized".

Requirements

Each leveraged system must be expressed as a "system" component, and must have:

  • the name of the system in the title - exactly as it appears in the FedRAMP -Marketplace
  • + Marketplace
  • a "leveraged authorization-uuid" core property that links this component to the -leveraged-authorization entry
  • + leveraged-authorization entry
  • an "implementation-point" core property with a value of "external"
  • -
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is -"other", use the proeprty's remarks to descibe the agreement.
  • -
  • an "authentication-method" property/extension with a value of "yes", "no" or -"not-applicable" with commentary in the remarks.
  • -
  • One or more "information-type" property/extensions, where the a -llowed values are the 800-63 -information type identifiers.
  • -
  • A "provider" responsible-role with exactly one party-uuid entry -that indicates which organization is the provider of this leveraged system.
  • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the + value is "other", use the proeprty's remarks to descibe the agreement.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a llowed values are the + 800-63 information type identifiers.
  • +
  • A "provider" responsible-role with exactly one party-uuid entry that indicates which + organization is the provider of this leveraged system.
  • a status with a state value of "operational"
  • At least one responsible-role (other than "provider") that indicates any authorized -users. This must have one or more "privilege-uuid" property/extensions. Each references -a user assembly entry.
  • + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.

Where relevant, this component should also have:

    -
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for -their system (such as in an OSCAL-based CRM).
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for their + system (such as in an OSCAL-based CRM).

Links to the vendor website describing the system are encouraged, but not required.

-

Services

-

A service within the scope of the leveraged system's authorization boundary -is considered an "authorized service". Any other service offered by the -leveraged system is considered a "non-authorized service"

-

Represent each authorized or non-authorized leveraged services using a -"service" component. Both authorized and non-authorized service components -are represented the same in OSCAL with the following exceptions:

+

A service within the scope of the leveraged system's authorization boundary is considered + an "authorized service". Any other service offered by the leveraged system is considered a + "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a "service" + component. Both authorized and non-authorized service components are represented the same + in OSCAL with the following exceptions:

    -
  • The component for an authorized servcie includes a - "leveraged-authorization-uuid" property. This - property must be excluded from the component of a - non-authorized leveraged service.
  • -
  • The component for a non-authorized service must include -a "still-supported" property/extension.
  • -
  • The component for a non-authorized service must have -a "poam-item" link that references a corrisponding entry in this system's -POA&M.
  • +
  • The component for an authorized servcie includes a "leveraged-authorization-uuid" + property. This property must be excluded from the component of a non-authorized + leveraged service.
  • +
  • The component for a non-authorized service must include a "still-supported" + property/extension.
  • +
  • The component for a non-authorized service must have a "poam-item" link that + references a corrisponding entry in this system's POA&M.
-

Both authorized and non-authorized leveraged services include:

    -
  • a "provided-by" link with a URI fragment that points -to the "system" component representing the leveraged system. -(Example: "#11111111-2222-4000-8000-009000100001") -
  • -
  • the name of the service in the title (for authorized services this should be -exactly as it appears in the FedRAMP Marketplace
  • +
  • a "provided-by" link with a URI fragment that points to the "system" component + representing the leveraged system. (Example: + "#11111111-2222-4000-8000-009000100001")
  • +
  • the name of the service in the title (for authorized services this should be exactly + as it appears in the FedRAMP Marketplace
  • an "implementation-point" core property with a value of "external"
  • -
  • an "authentication-method" property/extension with a value of "yes", "no" or -"not-applicable" with commentary in the remarks.
  • -
  • One or more "information-type" property/extensions, where the a -llowed values are the 800-63 -information type identifiers.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a llowed values are the + 800-63 information type identifiers.
  • a status with a state value of "operational"
  • At least one responsible-role (other than "provider") that indicates any authorized -users. This must have one or more "privilege-uuid" property/extensions. Each references -a user assembly entry.
  • + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
- -

Although SSP Table 7.1 also requires data categoriation and hosting -environment information about non-authorized leveraged services, -these datails are derived from other content in this SSP.

+

Although SSP Table 7.1 also requires data categoriation and hosting environment + information about non-authorized leveraged services, these datails are derived from other + content in this SSP.

- - Service A

An authorized service provided by the Awesome Cloud leveraged authorization.

Describe the service and what it is used for.

- - - + + + - - + + + 11111111-2222-4000-8000-004000000008 -

This is a service offered by a leveraged system and used by this system. -It is explicitly listed on the FedRAMP marketplace as being included in the -scope of this leveraged system's ATO, thus is considered an "Authorized Service.

+

This is a service offered by a leveraged system and used by this system. It is explicitly + listed on the FedRAMP marketplace as being included in the scope of this leveraged + system's ATO, thus is considered an "Authorized Service.

Each leveraged service must be expressed as a "service" component, and must have:

  • the name of the service in the title - exactly as it appears in the FedRAMP -Marketplace
  • + Marketplace
  • a "leveraged authorization-uuid" property that links this component to the -leveraged-authorization entry
  • + leveraged-authorization entry
  • an "implementation-point" property with a value of "external"; and
  • -
  • a "provided-by" link with a URI fragment that points to the -"system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") -
  • +
  • a "provided-by" link with a URI fragment that points to the "system" component + representing the leveraged system. (Example: + "#11111111-2222-4000-8000-009000100001")

Where relevant, this component should also have:

  • One or more "information-type" properties, where the allowed values are the 800-63 -information type identifiers.
  • -
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly -one or more party-uuid entries that indicates which users within this system may -interact with the leveraged systeme.
  • -
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for -their system (such as in an OSCAL-based CRM).
  • + information type identifiers. +
  • At least one responsible-role that indicates the authorized userswith a role-id of + "leveraged-authorization-users" and exactly one or more party-uuid entries that + indicates which users within this system may interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for their + system (such as in an OSCAL-based CRM).

Link(s) to the vendor's web site describing the service are encouraged, but not -required.

+ required.

The following fields from the Leveraged Authorization Table are handled in the -leveraged-authorization assembly:

+ leveraged-authorization assembly:

  • Package ID, Authorization Type, Impact Level

-

The following fields from the Leveraged Authorization Table are handled in the -"system" component representing the leveraged system as a whole:

+

The following fields from the Leveraged Authorization Table are handled in the "system" + component representing the leveraged system as a whole:

- Nature of Agreement, CSP Name

- - - - Service B

An non-authorized service provided by the Awesome Cloud leveraged authorization.

Describe the service and what it is used for.

- - - - - - + + +

If 'yes', describe the authentication method.

If 'no', explain why no authentication is used.

-

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the + remarks.

- - - - + + + - - + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 - 33333333-2222-4000-8000-004000000001 + 11111111-2222-4000-8000-004000000001 -

This is a service offered by a leveraged system and used by this system. -It is NOT explicitly listed on the FedRAMP marketplace as being included -in the scope of the leveraged system's ATO, thus is treated as a -non-authorized, leveraged service.

+

This is a service offered by a leveraged system and used by this system. It is NOT + explicitly listed on the FedRAMP marketplace as being included in the scope of the + leveraged system's ATO, thus is treated as a non-authorized, leveraged service.

-

Each non-authorized leveraged service must be expressed as a "service" component, and must have:

+

Each non-authorized leveraged service must be expressed as a "service" component, and + must have:

  • the name of the service in the title - exactly as it appears in the FedRAMP -Marketplace
  • + Marketplace
  • an "implementation-point" property with a value of "external"; and
  • -
  • one or two "direction" prperty/extensions
  • -
  • One or more "information-type" property/extensions, where the allowed values are the 800-63 -information type identifiers, and the cited types are included full list of system information types.
  • -
  • exactly one "poam-item" link, with an href value that references the -POA&M and a resource-fragment that represents the -POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) -in an OSCAL-based POA&M.
  • -
  • a "provided-by" link with a URI fragment that points to the -"system" component representing the leveraged system. (Example: "#11111111-2222-4000-8000-009000100001") -
  • -
  • -
  • - +
  • One or more "information-type" property/extensions, where the allowed values are the + 800-63 information type identifiers, and the cited types are included full list of + system information types.
  • +
  • at least one "poam-item" link, with an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) or + poam-item UUID (OSCAL POA&M)
  • +
  • a "provided-by" link with a URI fragment that points to the "system" component + representing the leveraged system. (Example: + "#11111111-2222-4000-8000-009000100001")
-

The "leveraged-authorization-uuid" property must NOT be present, as this is how -tools are able to distinguish between authorized and non-authorized services -from the same leveraged provider.

+

The "leveraged-authorization-uuid" property must NOT be present, as this is how tools are + able to distinguish between authorized and non-authorized services from the same leveraged + provider.

-

Where relevant, this component should also have:

    -
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly -one or more party-uuid entries that indicates which users within this system may -interact with the leveraged systeme.
  • -
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for -their system (such as in an OSCAL-based CRM).
  • -
-

Link(s) to the vendor's web site describing the service are encouraged, but not -required.

-

The following fields from the Leveraged Authorization Table are handled in the -leveraged-authorization assembly:

-
    -
  • Package ID, Authorization Type, Impact Level
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of + "leveraged-authorization-users" and exactly one or more party-uuid entries that + indicates which users within this system may interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for their + system (such as in an OSCAL-based CRM).
-

- -

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for -their system (such as in an OSCAL-based CRM).

Link(s) to the vendor's web site describing the service are encouraged, but not -required.

-

-

The following fields from the Leveraged Authorization Table are handled in the -leveraged-authorization assembly:

-

- Package ID, Authorization Type, Impact Level

+ required.

-

The following fields from the Leveraged Authorization Table are handled in the -"system" component assembly:

+

The following fields from the Leveraged Authorization Table are handled in the "system" + component assembly:

- Nature of Agreement, CSP Name

-

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

- - - - + Other Cloud SaaS

An external system to which this system shares an interconnection.

- - - - - - - - - - - -

If 'yes', describe the authentication method.

-

If 'no', explain why no authentication is used.

-

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

-
-
- - - - - - - - - - 33333333-2222-4000-8000-004000000001 @@ -1258,11 +1098,9 @@ leveraged-authorization assembly:

  • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
  • an "implementation-point" property with a value of "external"
  • a "status" field with a state value of "operational"
  • -
  • if an interconnection exists with this system and there are -remote listening ports, one or more "protocol" assemblies must -be provided.
  • +
  • if an interconnection exists with this system and there are remote listening ports, + one or more "protocol" assemblies must be provided.
  • -

    While not required, each "system" component should have:

    • an "inherited-uuid" property if the value was provided by the system owner
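Review bot: this hunk is a whitespace-only reflow of "if an interconnection exists with this system and there are remote listening ports, one or more "protocol" assemblies must be provided", so no functional change, but the unchanged context lines that follow read "an "system-poc-management" responsible-role" and "an "system-poc-technical" responsible-role"; since the surrounding lines are being touched, change "an" to "a" in both.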
    • @@ -1272,61 +1110,58 @@ be provided.
    • an "system-poc-management" responsible-role
    • an "system-poc-technical" responsible-role
    -

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP -properties/extensions for these roles, instead favor the core OSCAL -responsible-roles constructs, and the NIST-standard roles of -"authorizing-official", "system-owner", "system-poc-management -and "system-poc-technical"

    +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions + for these roles, instead favor the core OSCAL responsible-roles constructs, and the + NIST-standard roles of "authorizing-official", "system-owner", "system-poc-management and + "system-poc-technical"

    - - - - + [EXAMPLE]Authorized Connection Information System Name -

    Describe the purpose of the external system/service; specifically, provide reasons -for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

    +

    Describe the purpose of the external system/service; specifically, provide reasons for + connectivity (e.g., system monitoring, system alerting, download updates, etc.)

    - - - - - - + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    +

    If 'not-applicable', attest explain why authentication is not applicable in the + remarks.

    - - - - - - + + + + + + -

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    +

    Describe the hosting of the interconnection itself (NOT the hosting of the remote + system).

    - - - - - - - - - - - - - - - + + + + + + + ISA + + + UUID of "this system" or a component within this system's boundary + + + UUID of remote system + + - 44444444-2222-4000-8000-004000000001 @@ -1336,11 +1171,13 @@ for connectivity (e.g., system monitoring, system alerting, download updates, et 11111111-2222-4000-8000-004000000008 - - - Incoming FTP Service - - + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 +

    Each interconnection to one or more remote systems must have:

      @@ -1349,24 +1186,34 @@ for connectivity (e.g., system monitoring, system alerting, download updates, et

    Each "interconnection" component must have:

      -
    • an "implementation-point" property with a value of "external"
    • -
    • a "status" field with a state value of "operational"
    • -
    • one or two "direction" properties
    • a "nature-of-agreement" property/extension
    • one or more "authentication-method" properties/extensions.
    • a "hosting-environment" proptery/extension
    • -
    • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
    • -
    • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
    • -
    • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
    • -
    • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
    • -
    • exactly one "used-by" link with an href value that refers to the "this-system" component.
    • -
    • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
    • -
    • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
    • +
    • at least one local ipv4 address, ipv6 address, URI or FQDN via the appropriate property, + with the class set to "local"
    • +
    • at least one remote ipv4 address, ipv6 address, URI or FQDN via the appropriate property, + with the class set to "remote"
    • +
    • at least one "agreement" link with an href vlue that refers to a back-matter resource + containing the interconnection security agreemnet (ISA)
    • +
    • at least one "information-type" property with class set to + "incoming" or "outgoing and value set to a NIST 800-60 identifier (i.e. "C.3.5.1")
    • +
    • exactly one "used-by" link with an href value that refers to the component + within this system or the "this-system" component itself.
    • +
    • one or more "used-by" links with href values that refer to each "system" component + representing a remote system sharing the connection.
    • +
    • exactly one "poam-item" link, with an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) or + poam-item UUID (OSCAL POA&M)
    • +
    • a "status" field with a state value of "operational"
    • +
    • exactly one "provider" responsible role that references the party information for the + organization the provides the connection.
    -

    Authentication methods must address both system-authentication as well as -user authentication mechanisms.

    -

    Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

    -

    If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

    +

    Authentication methods must address both system-authentication as well as user + authentication mechanisms.

    +

    Describe the hosting of the interconnection itself (NOT the hosting of the remote + system).

    +

    If the interconnection travels across the public Internet, the provider may be the cloud + hosting provider or the Internet provider

    While not required, each "interconnection" component should have:

      @@ -1375,16 +1222,13 @@ user authentication mechanisms.

    • an "system-poc-management" responsible-role
    • an "system-poc-technical" responsible-role
    -

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP -properties/extensions for these roles, instead favor the core OSCAL -responsible-roles constructs, and the NIST-standard roles of -"system-poc-management" and "system-poc-technical". With an interconnection, -the system POC roles reference parties that represent the connection provider.

    +

    Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP properties/extensions + for these roles, instead favor the core OSCAL responsible-roles constructs, and the + NIST-standard roles of "system-poc-management" and "system-poc-technical". With an + interconnection, the system POC roles reference parties that represent the connection + provider.

    - - - Other Cloud SaaS @@ -1394,9 +1238,7 @@ the system POC roles reference parties that represent the connection provider. - - 11111111-2222-4000-8000-004000000010 @@ -1410,407 +1252,557 @@ the system POC roles reference parties that represent the connection provider.For each external system with which this system connects:

    Must have a "system" component (this component).

    Must have an "interconnection" component that connects this component with the -"this-system" component.

    -

    If the leveraged system owner provides a UUID for their system (such as in an -OSCAL-based CRM), it should be reflected in the inherited-uuid -property.

    + "this-system" component.

    +

    If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based + CRM), it should be reflected in the inherited-uuid property.

    Must include all leveraged services and features from the leveraged authorization -here.

    -

    For an external system, the "implementation-point" property must always be present -with a value of "external".

    - - + here.

    +

    For an external system, the "implementation-point" property must always be present with a + value of "external".

    Each interconnection must be defined with both an "system" component and an -"interconnection" component.

    + "interconnection" component.

    Must include all leveraged services and features from the leveraged authorization -here.

    + here.

    - - Service C

    A service provided by an external system other than the leveraged system.

    Describe the service and what it is used for.

    - - - +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    +

    If 'not-applicable', attest explain why authentication is not applicable in the + remarks.

    - - + + -

    This can only be known if provided by the leveraged system. -such as via an OSCAL-based CRM, component definition, -or as a result to the leveraged system's OSCAL-based SSP.

    +

    This can only be known if provided by the leveraged system. such as via an OSCAL-based + CRM, component definition, or as a result to the leveraged system's OSCAL-based SSP.

    - + - - + + 11111111-2222-4000-8000-c0040000000a + + + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000011 11111111-2222-4000-8000-004000000012 - - 33333333-2222-4000-8000-004000000001 - - <port-range start="5432" end="5432" transport="TCP"/> </protocol> - <remarks> <p>This is a service provided by an external system other than the leveraged system.</p> - <p>As a result, the "leveraged-authorization-uuid" property is not applicable and must -NOT be used.</p> + <p>As a result, the "leveraged-authorization-uuid" property is not applicable and must NOT + be used.</p> <p/> <p>Each external service used from a leveraged authorization must have:</p> - <p>- a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).</p> - <p>- a "service" component (this component).</p> + <ul> + <li>a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" + link relationship).</li> + <li>a "service" component (this component).</li> + </ul> <p/> <p>This component must always have:</p> - <p>- The name of the service in the title - preferably exactly as it appears on the -vendor's web site</p> - <p>- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.</p> - <p>- An "implementation-point" property with a value of "external".</p> - <p>- A "provided-by" link with a URI fragment that points to the UUID of the above -"system" component.</p> - <p> - Example: <code>"#11111111-2222-4000-8000-009000100001"</code> - </p> - <p> - IMPORTANT: Due to a known error in core OSCAL (versions =1.1.2) constraints, -this property is blocked from proper use.</p> - <p>- a status with a state value of "operational"</p> + <ul> + <li>The name of the service in the title - preferably exactly as it appears on the + vendor's web site</li> + <li>An "implementation-point" property with a value of "external".</li> + <li>A "provided-by" 
link with a URI fragment that points to the UUID of the above "system" + component.</li> + <li>exactly one "poam-item" link, with an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) or + poam-item UUID (OSCAL POA&M)</li> + <li>a status with a state value of "operational"</li> + </ul> <p/> <p>Where relevant, this component should also have:</p> - <p>- One or more "information-type" properties, where the allowed values are the 800-63 -information type identifiers.</p> - <p>- A responsible-role with a role-id of "leveraged-authorization-users" and exactly -one or more party-uuid entries that indicates which users within this system may -interact with the leveraged systeme.</p> - <p>- An "inherited-uuid" property if the leveraged system's owner provides a UUID for -their system (such as in an OSCAL-based CRM).</p> - <p>Link(s) to the vendor's web site describing the service are encouraged, but not -required.</p> + <ul> + <li>One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.</li> + <li>A responsible-role with a role-id of "leveraged-authorization-users" and exactly one + or more party-uuid entries that indicates which users within this system may interact + with the leveraged systeme.</li> + <li>An "inherited-uuid" property if the leveraged system's owner provides a UUID for their + system (such as in an OSCAL-based CRM).</li> + <li>Link(s) to the vendor's web site describing the service are encouraged, but not + required.</li> + </ul> <p/> <p>The following fields from the Leveraged Authorization Table are handled in the -leveraged-authorization assembly:</p> + leveraged-authorization assembly:</p> <p>- Package ID, Authorization Type, Impact Level</p> <p/> - <p>The following fields from the Leveraged Authorization Table are handled in the -"system" component assembly:</p> + <p>The following fields from the Leveraged Authorization Table are 
handled in the "system" + component assembly:</p> <p>- Nature of Agreement, CSP Name</p> <p/> - <p>An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.</p> + <p>An unauthorized service from an underlying leveraged authorization must NOT have the + "leveraged-authorization-uuid" property. The presence or absence of this property is how + the authorization status of a service is indicated.</p> + </remarks> + </component> + <component uuid="11111111-2222-4000-8000-009000100004" type="client"> + <title>Undetermined External API Clients + +

    This component represents any of the public API clients that may access this systems'API + service.

    +
    + + + + + +

    When an API service is offered to a large community, this one component bay be used to + represent the collection of API clients that may connect from that community. This must + have:

    +
      +
    • a component type set to "external-client"
    • +
    • an "implementation-point" property set to "external"
    • +
    • one or more responsible roles should be defined representing the community of + potential API client users. If the servvice is open to the public, use the "public" + responsible-role ID.
    • +
    - - - Service C - + API Service -

    A service provided by an external system other than the leveraged system.

    +

    A service offered by this system to external systems, such as an API. As a result, + communication crosses the boundary.

    Describe the service and what it is used for.

    - - - + + + - - - +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - -

    Either describe a risk associated with this service, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    +

    If 'not-applicable', attest explain why authentication is not applicable in the + remarks.

    - + -

    If there are one or more identified risks, describe any resulting impact.

    +

    Terms of Use

    - + -

    If there are one or more identified risks, describe any mitigating factors.

    +

    Explain why authentication scans are not possible for this component. Provide evidence + if available, such as scanner tool or vendor links.

    - - + + + + - - - 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 - - 11111111-2222-4000-8000-004000000011 + + 11111111-2222-4000-8000-004000000001 - - - Remote API Service + + API Service - -

    This is a service provided by an external system other than the leveraged system.

    - - - -

    - A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

    - - - -

    As a result, the "leveraged-authorization-uuid" property is not applicable and must -NOT be used.

    -

    All services require the "implementation-point" property. In this case, the property -value is set to "external.

    -

    All external services would normally require a "provided-by" link; however, a known -bug in core OSCAL syntax prevents the use of this property at this time.

    -

    If the leveraged system owner provides a UUID for their service (such as in an -OSCAL-based CRM), it should be reflected in the inherited-uuid -property.

    - - - - +

    This is a service provided by this system to external systems, such as an offered API. + The following is required:

    +
      +
    • The "title" fields must have the name of the offered API.
    • +
    • The "description" field must include the purpose and use of the API.
    • +
    • The component "type" attribute must have a value of "service".
    • +
    • The "implementation-point" property must have a value of "internal".
    • +
    • One or more "information-type" prop/extensions must be present with 800-60 information + type values.
    • +
    • The "connection-security" prop/extensions must be present with an appropriate + value.
    • +
    • The "authentication-method" prop/extensions must be present with an appropriate + value.
    • +
    • The "authentication-method" prop/extensions "remarks" must provide additional + content.
    • +
    • The "nature-of-agreement" prop/extension must identify any governing terms for the + connection.
    • +
    • One or more "used-by" links must provide the component UUID of the other system.
    • +
    • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) or + poam-item UUID (OSCAL POA&M)
    • +
    • A "status" field that must have a state of "operational"
    • +
    • One or more "responsible-role" fields with:
        +
      • one or more roles by "role-id" [rquiried]
      • +
      • one or more "privilege-uuid" prop/extensions [required]
      • +
      • one or more "party-uuid" values to identify who has these privliges. + [required]
      • +
      +
    • +
    • One or more "protocol" fields.
    • +
    +

    +

    Because this is softare that exists within the boundary, it is also requires the + following in satisfaction of inventory/CM/ConMon requirements:

    +
      +
    • An "allows-authenticated-scan" property with an appropriate value.
    • +
    • An "scan-type" property/extension set to "infrastructure".
    • +
    • TODO: Revisit this list when working the inventory epic
    • +
    - - Management CLI -

    None

    +

    A CLI tool used from within this system's boundary to manage a hypervisor, service, or + other system outside this system's boundary, resulting in communication that crosses the + boundary.

    - - - - - + + + +

    If 'yes', describe the authentication method in the remarks.

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    +

    If 'not-applicable', attest explain why authentication is not applicable in the + remarks.

    - - - + -

    Either describe a risk associated with this CLI, or indicate there is no identified risk.

    -

    If there is no risk, please explain your basis for that conclusion.

    +

    Terms of Use

    - + -

    If there are one or more identified risks, describe any resulting impact.

    +

    Explain why authentication scans are not possible for this component. Provide evidence + if available, such as scanner tool or vendor links.

    - + + + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000001 + + +

    When an internal CLI tool communicates with a system outside the boundary, such as for + management of the underlying leveraged system or interaction with an external system, the + following is required:

    +
      +
    • The "title" fields must have the name of the CLI tool.
    • +
    • The "description" field must include the purpose and use of the tool within this + system.
    • +
    • The component "type" attribute must have a value of "software".
    • +
    • The "asset-type" property must have a value of "cli".
    • +
    • The "implementation-point" property must have a value of "internal".
    • +
    • One or more "information-type" prop/extensions must be present with 800-60 information + type values.
    • +
    • The "connection-security" prop/extensions must be present with an appropriate + value.
    • +
    • The "authentication-method" prop/extensions must be present with an appropriate + value.
    • +
    • The "authentication-method" prop/extensions "remarks" must provide additional + content.
    • +
    • The "nature-of-agreement" prop/extension must identify any governing terms for the + connection.
    • +
    • One or more "communicates-with" link must provide the component UUID of the other + system.
    • +
    • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) or + poam-item UUID (OSCAL POA&M)
    • +
    • A "status" field that must have a state of "operational"
    • +
    • One or more "responsible-role" fields with:
        +
      • one or more roles by "role-id" [rquiried]
      • +
      • one or more "privilege-uuid" prop/extensions [required]
      • +
      • one or more "party-uuid" values to identify who has these privliges. + [required]
      • +
      +
    • +
    +

    +

    Because this is softare that exists within the boundary, it is also requires the + following in satisfaction of inventory/CM/ConMon requirements:

    +
      +
    • An "allows-authenticated-scan" property with an appropriate value.
    • +
    • An "scan-type" property/extension set to "infrastructure".
    • +
    • TODO: Revisit this list when working the inventory epic
    • +
    +
    +
    + + External Management CLI + +

    A CLI tool used by systems outside the authorization boundary to manage or interact with + this system..

    +
    + + + + + + -

    If there are one or more identified risks, describe any mitigating factors.

    +

    If 'yes', describe the authentication method in the remarks.

    +

    If 'no', explain why no authentication is used in the remarks.

    +

    If 'not-applicable', attest explain why authentication is not applicable in the + remarks.

    - + -

    +

    Terms of Use

    - + + - - 11111111-2222-4000-8000-004000000018 + + - - 11111111-2222-4000-8000-004000000011 + + 11111111-2222-4000-8000-004000000001 + +

    When a CLI tool outside the system communicates with this system, such as for management + of the user's hypervisor in this system, the following is required:

    +
      +
    • The "title" fields must have the name of the CLI tool.
    • +
    • The "description" field that describes how the tool can influence the operation of + this system.
    • +
    • The component "type" attribute must have a value of "software".
    • +
    • The "asset-type" property must have a value of "cli".
    • +
    • The "implementation-point" property must have a value of "external".
    • +
    • One or more "information-type" prop/extensions must be present with 800-60 information + type values.
    • +
    • The "connection-security" prop/extensions must be present with an appropriate + value.
    • +
    • The "authentication-method" prop/extensions must be present with an appropriate + value.
    • +
    • The "authentication-method" prop/extensions "remarks" must provide additional + content.
    • +
    • The "nature-of-agreement" prop/extension must identify any governing terms for the + connection.
    • +
    • One or more "communicates-with" link must provide the component UUID of the component + within this system.
    • +
    • A "poam-item" link, which must have an href value that references the POA&M and a + resource-fragment that represents the POAM&M ID (legacy/Excel POA&M) or + poam-item UUID (OSCAL POA&M)
    • +
    • A "status" field that must have a state of "operational"
    • +
    • One or more "responsible-role" fields with:
        +
      • one or more roles by "role-id" [rquiried]
      • +
      • one or more "privilege-uuid" prop/extensions [required]
      • +
      • one or more "party-uuid" values to identify who has these privliges. + [optional]
      • +
      +
    • +
    +

    +

    As this is impelemented external to the system boundary, information such as "scan-type" + and "allows-authenticated-scanning" are not applicable and should not be present.

    +
    - - - - - - - - Service D + + Access Control and Identity Management Policy -

    A service that exists within the authorization boundary.

    -

    Describe the service and what it is used for.

    +

    This is a corporate policy used for the system.

    +

    The Access Control and Identity Management Policy governs how user identities and access + rights are managed.

    - - - - + + - + +

    A policy component is required for each policy that governs the system.

    +

    The title, description and status fields are required by core OSCAL. The title field + should reflect the actual title of the policy document.

    +

    For system-specific policies, the "implementation-point" property must be present and set + to "internal".

    +

    For corproate policies, the "implementation-point" property must be present and set to + "external" with its class set to "corporate".

    +

    For any policy that is niether system-specific, nor corporate, the "implementation-point" + property must be present and set to "external", with a class set to anything other than + "corporate" or no class attribute at all.

    +

    An "attachment" link field must be present that identifies the back-matter resource + representing the attached policy.

    +

    The document version and date are represented in the linked resource. Not here.

    +

    At this time FedRAMP does not _require_ policy approver or audience information in the + SSP; however, both may be represented here using the responsible-role field. If electing + to include this information, use the "approver" role ID to represent approvers. Any other + role listed is assumed to be audience.

    +
    - - - - Network Virtual Appliance + + AT Policy -

    A virtual appliance that exists within the authorization boundary.

    -

    Describe the virtual appliance and what it is used for.

    +

    The Awareness and Training Policy governs how access is managed and approved.

    -

    virtual function

    + -
    - - - - Hardware + + Access Control Procedure -

    A component representing hardware that exists within the authorization boundary.

    -

    Describe the hardware and what it is used for.

    +

    The Access Control Procedure governs how access is managed and approved.

    - + + -
    - - - - - - [SAMPLE]Cryptographic Module Name - -

    Provide a description and any pertinent note regarding the use of this CM.

    -

    For data-at-rest modules, describe type of encryption implemented (e.g., full disk, -file, record-level, etc.)

    -

    Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS -compliance (e.g., Module in Process).

    + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + +

    A "process-procedure" component is required for each process or procedure that governs + the system.

    +

    The title, description and status fields are required by core OSCAL. The title field + should reflect the actual title of the document.

    +

    For system-specific processes or procedures, the "implementation-point" property must be + present and set to "internal".

    +

    For corproate processes or procedures, the "implementation-point" property must be + present and set to "external" with its class set to "corporate".

    +

    For any processes or procedures that is niether system-specific, nor corporate, the + "implementation-point" property must be present and set to "external", with a class set to + anything other than "corporate" or no class attribute at all.

    +

    An "attachment" link field must be present that identifies the back-matter resource + representing the attached policy.

    +

    The document version and date are represented in the linked resource. Not here.

    +

    At this time FedRAMP does not _require_ policy approver or audience information in the + SSP; however, both may be represented here using the responsible-role field. If electing + to include this information, use the "approver" role ID to represent approvers. Any other + role listed is assumed to be audience.

    +
    +
    + + Awareness and Training Procedure + +

    The Awareness and Training Procedure governs how access is managed and approved.

    - - - - - - - - - + +
    - - - [SAMPLE]Cryptographic Module Name + + + Corporate Data Lake -

    Provide a description and any pertinent note regarding the use of this CM.

    -

    For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS -compliance (e.g., Module in Process).

    +

    The corporate data lake. All logs are required to be sent here.

    - - - - - - - - - + + +
    - - - - - - - - - - [SAMPLE]Product Name + + Database Queries -

    FUNCTION: Describe typical component function.

    +

    An encryptred communication between the API server and the database server for the + purpose of performing SQL queries.

    - - - - - - - - + + + + + + - - 11111111-2222-4000-8000-004000000010 - -

    COMMENTS: Provide other comments as needed.

    +

    Provide any notes here about this connection that you wish to appear in Table Q.

    - - [SAMPLE]Product Name + + Logging -

    FUNCTION: Describe typical component function.

    +

    An encryptred communication between components that generate logs and the corporate data + lake for the purpose of centralized logging.

    - - - - - - - - + + + + + + + - - 11111111-2222-4000-8000-004000000010 - -

    COMMENTS: Provide other comments as needed.

    +

    Provide any notes here about this connection that you wish to appear in Table Q.

    - - - Official container image for Debian Stable + + Database Sample -

    FUNCTION: This container image is the base operating system used in the example. A notional CSP, like Awesome Cloud, would update and customize this image for business, reliability, and security needs.

    +

    None

    - - - - - - - - - - - + + + +

    Briefly describe the function of the database

    +
    +
    + + + + + + - + 11111111-2222-4000-8000-004000000010 - -

    This example container image is for a non-commercial, community-maintained Linux distribution as a non-normative example with a currently valid checksum. See a link above to the example image metadata and technical details from its officially published location on the Docker Hub registry.

    -
    + + + +
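Review bot: the re-written Service C remarks say "One or more "information-type" properties, where the allowed values are the 800-63 information type identifiers" while every other list in this hunk cites 800-60 (the information-type catalog), so change 800-63 to 800-60. The same remarks drop the "IMPORTANT: Due to a known error in core OSCAL (versions =1.1.2) constraints, this property is blocked from proper use" caveat and the "risk" bullet, but still require "A "provided-by" link with a URI fragment that points to the UUID of the above "system" component" while the bullet just above keeps "a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship)"; requiring a link to a deferred component is contradictory, so either drop the DEFERRED note or keep the caveat. The new "Undetermined External API Clients" component is declared as type="client" but its remarks require "a component type set to "external-client""; make the attribute and the remark agree. "TODO: Revisit this list when working the inventory epic" appears twice in example remarks and should be removed or tracked in an issue before merge, and the external CLI remarks refer to "allows-authenticated-scanning" whereas the internal components use "allows-authenticated-scan"; use one property name. The AT Policy and Awareness and Training Procedure descriptions ("governs how access is managed and approved") are copied from the Access Control entries, and the process-procedure remarks still say the attachment represents "the attached policy" rather than the procedure. Typos introduced or carried into added lines: "bay be used", "servvice", "rquiried", "privliges", "softare", "it is also requires", "impelemented", "corproate", "niether", "encryptred", "this system..", "An "scan-type"", and the persisting "exactly one or more party-uuid entries" / "systeme".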
    @@ -1819,34 +1811,226 @@ compliance (e.g., Module in Process).

    Briefly describe the cryptographic module.

    + + -

    Used to encrypt and decrypt rows in the database.

    + +
    + + + Database Row Encryption Module (DREM) + +

    Briefly describe the cryptographic module.

    +
    + + + + + + + +

    .

    +
    +
    + + + OpenSSL + +

    Provide a description and any pertinent note regarding the use of this CM.

    +

    For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, + record-level, etc.)

    +

    Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

    +
    + + + + + + +

    Usage statement

    +
    +
    + + A link to the 3rd party validation information related to this cryptographic + module. + + + +
    + + OpenSSL + +

    Provide a description and any pertinent note regarding the use of this CM.

    +

    For data-at-rest modules, describe type of encryption implemented (e.g., full disk, file, + record-level, etc.)

    +

    Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

    +
    + + + + + + +

    Usage statement

    +
    +
    - A link to the 3rd party validation information related to this cryptographic module. + A link to the 3rd party validation information related to this cryptographic + module. - + A link to the operating system component that has this module embedded. - - A link to the software component that uses this module for encrypted communication. + + A link to the software component that uses this module for encrypted + communication.
    + + OpenSSL FIPS 140-2 Validation + +

    Describe any relevant information regarding this validation of the CM.

    +
    + + + + + + +

    .

    +
    +
    + + OpenSSL Some Other Validation + +

    This is another validation of the OpenSSL Cryptographic module that has nothing to do + with FIPS validation.

    +

    It may be present as a way of ensuring complete documentation, but may be ignored by + FedRAMP automation.

    +
    + + + + + +

    .

    +
    +
    + + + Cryptographic Module Name + +

    Provide a description and any pertinent note regarding the use of this CM.

    +

    For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS + compliance (e.g., Module in Process).

    +
    + + + + + +
    + + API Server + +

    This is an API server that communicates with a database via an encrypted connection

    +
    + + + + + + + + +
    + + Linux Operating System + +

    This is a web server that communicates with a database via an encrypted connection

    +
    + + + + + +
    + + Service E + +

    A service that exists within the authorization boundary.

    +

    Describe the service and what it is used for.

    +
    + + +
    + + Container Image + +

    This is a container image used to create container instances within the system.

    +
    + + + + + + + 44444444-2222-4000-8000-004000000001 + +
    + + [SAMPLE]Product Name + +

    FUNCTION: Describe typical component function.

    +
    + + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

    COMMENTS: Provide other comments as needed.

    +
    +
    + + Email Service + +

    Email Service

    +
    + + + + + + +
    [SAMPLE]Product

    FUNCTION: Describe typical component function.

    - - - + + @@ -1861,541 +2045,122 @@ compliance (e.g., Module in Process).

    COMMENTS: Provide other comments as needed.

    - + OS Sample

    None

    - - +
    - + Database Sample

    None

    - - - - - - - - - -

    If 'yes', describe the authentication method.

    -

    If 'no', explain why no authentication is used.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - - - - + - - 11111111-2222-4000-8000-004000000011 - - - 33333333-2222-4000-8000-004000000001 -
    - + Appliance Sample

    None

    - - - +

    Vendor appliance. No admin-level access.

    +
    - - - - AC Policy - -

    The Access Control Policy governs how access is managed and approved.

    -
    - - -
    - - AT Policy - -

    The Awareness and Training Policy governs how access is managed and approved.

    -
    - - -
    - - AU Policy - -

    The Audit and Accountability governs how access is managed and approved.

    -
    - - -
    - - CA Policy - -

    The Assessment, Authorization, and Monitoring Policy governs how access is managed -and approved.

    -
    - - -
    - - CM Policy - -

    The Configuration Management Policy governs how access is managed and approved.

    -
    - - -
    - - CP Policy - -

    The Contingency Planning Policy governs how access is managed and approved.

    -
    - - -
    - - IA Policy + + VPC Routing -

    The Identificaiton and Authentication Policy governs how access is managed and -approved.

    +

    This is the routing capability within a VPC that provides access control between + networks.

    - + + + + +
    - - IR Policy + + Data Network -

    The Incident Response Policy governs how access is managed and approved.

    +

    This network is dedicated to traffic to and from any databases or network attached + storage.

    - + + + +
    - - MA Policy + + Production Subnet -

    The Maintenance Policy governs how access is managed and approved.

    +

    Production Network

    - + + +
    - - MP Policy + + Management Network -

    The Media Protection Policy governs how access is managed and approved.

    +

    Management Network.

    - + + +
    - - PE Policy + + Corporate Data Lake Network -

    The Physical and Enviornmental Protection Policy governs how access is managed and -approved.

    +

    -Facing DMZ Network.

    - + + + +
    - - PL Policy + + DMZ Network -

    The Planning Policy governs how access is managed and approved.

    +

    Public-Facing DMZ Network.

    - + + +
    - - PM Policy + -

    The Program Management Policy governs how access is managed and approved.

    +

    Legacy Example (No implemented-component).

    - - -
    - - PS Policy - -

    The Personnel Security Policy governs how access is managed and approved.

    -
    - - -
    - - PT Policy - -

    The PII Processing and Transparency Policy governs how access is managed and -approved.

    -
    - - -
    - - RA Policy - -

    The Risk Assessment Policy governs how access is managed and approved.

    -
    - - -
    - - SA Policy - -

    The System and Services Acquisition Policy governs how access is managed and -approved.

    -
    - - -
    - - SC Policy - -

    The System and Communication Protection Policy governs how access is managed and -approved.

    -
    - - -
    - - SI Policy - -

    The System and Information Integrity Policy governs how access is managed and -approved.

    -
    - - -
    - - SR Policy - -

    The Supply Chain Risk Management Policy governs how access is managed and -approved.

    -
    - - -
    - - - - AC Procedure - -

    The Access Control Procedure governs how access is managed and approved.

    -
    - - -
    - - AT Procedure - -

    The Awareness and Training Procedure governs how access is managed and approved.

    -
    - - -
    - - AU Procedure - -

    The Audit and Accountability Procedure governs how access is managed and -approved.

    -
    - - -
    - - CA Procedure - -

    The Assessment, Authorization, and Monitoring Procedure governs how access is managed -and approved.

    -
    - - -
    - - CM Procedure - -

    The Configuration Management Procedure governs how access is managed and -approved.

    -
    - - -
    - - CP Procedure - -

    The Contingency Planning Procedure governs how access is managed and approved.

    -
    - - -
    - - IA Procedure - -

    The Identificaiton and Authentication Procedure governs how access is managed and -approved.

    -
    - - -
    - - IR Procedure - -

    The Incident Response Procedure governs how access is managed and approved.

    -
    - - -
    - - MA Procedure - -

    The Maintenance Procedure governs how access is managed and approved.

    -
    - - -
    - - MP Procedure - -

    The Media Protection Procedure governs how access is managed and approved.

    -
    - - -
    - - PE Procedure - -

    The Physical and Enviornmental Protection Procedure governs how access is managed and -approved.

    -
    - - -
    - - PL Procedure - -

    The Planning Procedure governs how access is managed and approved.

    -
    - - -
    - - PM Policy - -

    The Program Management Procedure governs how access is managed and approved.

    -
    - - -
    - - PS Procedure - -

    The Personnel Security Procedure governs how access is managed and approved.

    -
    - - -
    - - PT Policy - -

    The PII Processing and Transparency Procedure governs how access is managed and -approved.

    -
    - - -
    - - RA Policy - -

    The Risk Assessment Procedure governs how access is managed and approved.

    -
    - - -
    - - SA Policy - -

    The System and Services Acquisition Procedure governs how access is managed and -approved.

    -
    - - -
    - - SC Procedure - -

    The System and Communication Protection Procedure governs how access is managed and -approved.

    -
    - - -
    - - SI Procedure - -

    The System and Information Integrity Procedure governs how access is managed and -approved.

    -
    - - -
    - - SR Procedure - -

    The Supply Chain Risk Management Procedure governs how access is managed and -approved.

    -
    - - -
    - - - - - IPv4 Production Subnet - -

    IPv4 Production Subnet.

    -
    - - - - -
    - - IPv4 Management Subnet - -

    IPv4 Management Subnet.

    -
    - - - - - -
    - - Email Service - -

    Email Service

    -
    - - - - - - - - - -

    If 'yes', describe the authentication method.

    -

    If 'no', explain why no authentication is used.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - - - - - - - 11111111-2222-4000-8000-004000000011 - - - 33333333-2222-4000-8000-004000000001 - - - - - -
    - - - Authorized Connection Information System Name - -

    Describe the purpose of the external system or service.

    -
    - - - -

    If 'yes', describe the authentication method in the remarks.

    -

    If 'no', explain why no authentication is used in the remarks.

    -

    If 'not-applicable', attest explain why authentication is not applicable in the remarks.

    -
    -
    - - - - - - - - - - UUID of remote system - - - UUID of remote system - - - UUID of remote system - - - - 44444444-2222-4000-8000-004000000001 - - - 11111111-2222-4000-8000-004000000008 - - - 11111111-2222-4000-8000-004000000008 - - - - 11111111-2222-4000-8000-004000000010 - 11111111-2222-4000-8000-004000000011 - 11111111-2222-4000-8000-004000000012 - -
    - - - - -

    Legacy Example (No implemented-component).

    -
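Review bot: this hunk deletes every policy and procedure component (AC through SR, both the "Policy" and "Procedure" families), but the AC-1 responses later in the patch still describe by-components as "the 'policy' component" and "the 'process-procedure' component"; confirm that policy and procedure components still exist elsewhere in the file, otherwise those responses reference components that no longer exist. The added "Corporate Data Lake Network" entry shows only the fragment "-Facing DMZ Network." where its description should be, which looks like residue from the "Public-Facing DMZ Network." text of the DMZ entry that follows it. Minor: "Production Subnet" is described only as "Production Network", and the removed external-system example ("Authorized Connection Information System Name", with its "If 'yes', describe the authentication method" remarks and remote-system UUIDs) is not replaced, so the example no longer demonstrates how to document authentication for an authorized external connection.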
    - + @@ -2406,23 +2171,18 @@ approved.

    - - - - - - + +

    If no, explain why. If yes, omit remarks field.

    - @@ -2435,6 +2195,7 @@ approved.

    + 11111111-2222-4000-8000-004000000016 @@ -2442,48 +2203,41 @@ approved.

    11111111-2222-4000-8000-004000000017 -

    This inventory items demonstrates the legacy approach in which the inventory item does not have a reference to a component.

    +

    COMMENTS: Additional information about this item.

    +

    This links to a FIPS 140-2 validated software component that is used by this inventory + item. This type of linkage to a validation through the component is preferable to the + link[rel='validation'] example above.

    Component Inventory Example

    - - - - - - -

    If no, explain why. If yes, omit remark.

    - -

    no function

    -
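Review bot: the new guidance "This type of linkage to a validation through the component is preferable to the link[rel='validation'] example above" should state what the preferred structure is (per its first sentence, a link from the inventory item to the FIPS 140-2 validated software component) and, if rel='validation' is no longer the recommended pattern, the cryptographic-module entries earlier in this patch should not continue to show it as the way to reference third-party validation. Also, the surrounding context "This inventory items demonstrates the legacy approach" should read "This inventory item demonstrates", and "If no, explain why. If yes, omit remark." is inconsistent with the "omit remarks field" wording used for the same prompt a few hunks earlier.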
    - + 11111111-2222-4000-8000-004000000010 11111111-2222-4000-8000-004000000017 - + @@ -2494,50 +2248,35 @@ approved.

    None.

    - - - - - - - -

    Required, longer, formatted description.

    -
    -
    - +

    None.

    - - + - - - -

    a different kind of scan

    -
    - + +

    None.

    - @@ -2545,49 +2284,31 @@ approved.

    - - - - - -

    Required, longer, formatted description.

    -
    -
    - +

    None.

    - -

    Asset wasn't running at time of scan.

    - - - -

    Required, longer, formatted description.

    -
    -
    - - - +

    None.

    - @@ -2595,47 +2316,32 @@ approved.

    - - - - -

    Optional, longer, formatted description.

    -
    -
    - +

    None.

    - -

    Asset wasn't running at time of scan.

    - - - -

    Optional, longer, formatted description.

    -
    -
    - - +

    Email-Service

    - @@ -2643,5873 +2349,14050 @@ approved.

    - - -

    virtual function

    - +
    -
    - - - - -

    Appendix A - FedRAMP SSP Rev5 Template

    -

    This description field is required by OSCAL.

    -

    FedRAMP does not require any specific information here.

    -
    - - Merger or acquisition, change in leadership, update to regulatory requirements, system upgrade or replacement, or significant security incident. - - Events that would trigger a review and update of the current access control policy include: changes in the organizational structure, modifications to system or application configurations, updates to user roles or responsibilities, or the occurrence of a security incident or breach. - - Chief Information Security Officer (CISO) - - organization-level, mission/business process-level, system-level - - System Administrators, Network Engineers, and Security Personnel - - All employees, contractors, and third-party users with access to organizational systems and data. - - at least every 3 years - - at least annually + + + +

    Instance of a Service A

    +
    + + + + + + + +
    + + +

    Instance of a Service B

    +
    + + + + + + + +
    + + + +

    Instance of a Service C

    +
    + + + + + + + +
    + + + +

    Instance of the API Service

    +
    + + + + + + + +
    + + + +

    Instance of a Service D

    +
    + + + + + + + +
    + + + +

    Instance of a Service E

    +
    + + + + + + + +
    + + + + +

    Instance of the Data Network

    +
    + + + + + + + + + +
    + + + +

    Instance of the Data Network

    +
    + + + + + + + + + +
    + + + +

    Instance of a Production Network

    +
    + + + + + + + + + +
    + + + + + + +

    This description field is required by OSCAL.

    +

    FedRAMP does not require any specific information here.

    +

    +

    + + + + all managers, administrators and users of the system + +

    [Assignment: organization-defined personnel or roles]

    +

    This focuses on roles the POLICY is disseminated to.

    + +
    + + all managers and administrators of the system + +

    [Assignment: organization-defined personnel or roles]

    +

    This focuses on roles PROCEDURES are disseminated to.

    +
    +
    + + System-level + +

    [Selection (one or more): Organization-level; Mission/business process-level; + Systemlevel]

    +

    This is a SELECT parameter. Use one "value" field for each selection.

    +
    +
    + + System Architect + +

    [Assignment: organization-defined official]

    +
    +
    + + at least every 3 years + +

    [Assignment: organization-defined frequency]

    +
    +
    + + change in organizational legal status or ownership + +

    [Assignment:organization-defined events]

    +
    +
    + + at least annually + +

    [Assignment: organization-defined frequency]

    +
    +
    + + change in policy or a security incident involving a failure of access control mechanisms + +

    [Assignment:organization-defined events]

    +
    +
    + + + +

    Describe how Part a is satisfied within the system as a whole.

    +

    FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

    +
    + + + 11111111-2222-4000-8000-004000000008 + + +

    This is the "this-system" component, which represents the system as a whole.

    +

    There are two reasons to provide a response here:

    +
      +
    • When first converting a legacy/Word-based SSP to OSCAL, the entire control + response may be placed here until it can be parsed out into appropriate component + responses.
    • +
    • When it is necessary to explain how two or more components work together to + satisfy this requirement.
    • +
    +
    +
    + + +

    Describe how this policy satisfies part a.

    +
    + + + 11111111-2222-4000-8000-004000000008 + + +

    This is the "policy" component, which represents the Access Control and Identity + Management Policy.

    +
    +
    + + +

    Describe how this procedure satisfies part a.

    +
    + + + 11111111-2222-4000-8000-004000000008 + + +

    This is the "process-procedure" component, which represents the Access Control + Process.

    +
    +
    +
    + + + +

    Describe how Part b is satisfied within the system as a whole.

    +
    + + + +

    Describe the plan to complete the implementation.

    +
    +
    + + 11111111-2222-4000-8000-004000000008 + + +

    This is the "this-system" component, which represents the system as a whole.

    +

    There are two reasons to provide a response here:

    +
      +
    • When first converting a legacy/Word-based SSP to OSCAL, the entire control + response may be placed here until it can be parsed out into appropriate component + responses.
    • +
    • When it is necessary to explain how two or more components work together to + satisfy this requirement.
    • +
    +
    +
    + + +

    Describe how this policy currently satisfies part a.

    +
    + + +

    Describe the plan for addressing the missing policy elements.

    +
    +
    + + +

    Identify what is currently missing from this policy.

    +
    +
    + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    Describe how Part b-1 is satisfied.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + + + at least annually + + + at least annually + + + at least annually + + + at least annually + + + at least annually + + + at least annually + + + + + +

    Describe how AC-2, part a is satisfied within this system.

    +

    This points to the "This System" component, and is used any time a more specific + component reference is not available.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    Description for the "this-system" component.

    +

    Describe how AC-2, part a is satisfied within this system.

    +

    This points to the "This System" component, and is used any time a more specific + component reference is not available.

    +
    + + + + +

    This system's statement of capabilities which may be inherited by a customer's + leveraging systems toward satisfaction of AC-2, part a.

    +
    +
    + + +

    Leveraged system's statement of a leveraging system's responsibilities in + satisfaction of AC-2, part a.

    +

    Not associated with inheritance, thus associated this with the by-component for + "this system".

    +
    + + 11111111-2222-4000-8000-004000000001 + +
    + + +

    Any content for the customer responsibility matrix must be included within + export.

    +

    + provided is a statement about what

    +
    +
    + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    For the portion of the control satisfied by the application component of this system, + describe how the control is met.

    +
    + + + + +

    Consumer-appropriate description of what may be inherited from this application + component by a leveraging system.

    +

    In the context of the application component in satisfaction of AC-2, part a.

    +
    + + 11111111-2222-4000-8000-004000000005 + +
    + + +

    Leveraging system's responsibilities with respect to inheriting this capability + from this application.

    +

    In the context of the application component in satisfaction of AC-2, part a.

    +
    + + 11111111-2222-4000-8000-004000000005 + +
    +
    + + 11111111-2222-4000-8000-004000000008 + + +

    The component-uuid above points to the "this system" component.

    +

    Any control response content that does not cleanly fit another system component is + placed here. This includes customer responsibility content.

    +

    This can also be used to provide a summary, such as a holistic overview of how + multiple components work together.

    +

    While the "this system" component is not explicitly required within every + statement, it will typically be present.

    +
    +
    + + +

    For the portion inherited from an underlying FedRAMP-authorized provider, describe + what is inherited.

    +
    + + + +

    Optional description.

    +

    Consumer-appropriate description of what may be inherited as provided by the + leveraged system.

    +

    In the context of this component in satisfaction of AC-2, part a.

    +

    The provided-uuid links this to the same statement in the leveraged + system's SSP.

    +

    It may be linked directly, but is more commonly provided via an OSCAL-based CRM + (Inheritance and Responsibility Model).

    +
    +
    + + +

    Description of how the responsibility was satisfied.

    +

    The responsibility-uuid links this to the same statement in the + leveraged system's SSP.

    +

    It may be linked directly, but is more commonly provided via an OSCAL-based CRM + (Inheritance and Responsibility Model).

    +

    Tools should use this to ensure all identified customer responsibility + statements have a corresponding satisfied statement in the leveraging + system's SSP.

    +

    Tool developers should be mindful that

    +
    +
    + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + all managers, administrators and users of the system + +

    [Assignment: organization-defined personnel or roles]

    +

    This focuses on roles the POLICY is disseminated to.

    +
    +
    + + all managers and administrators of the system + +

    [Assignment: organization-defined personnel or roles]

    +

    This focuses on roles PROCEDURES are disseminated to.

    +
    +
    + + System-level + +

    [Selection (one or more): Organization-level; Mission/business process-level; + Systemlevel]

    +

    This is a SELECT parameter. Use one "value" field for each selection.

    +
    +
    + + System Architect + +

    [Assignment: organization-defined official]

    +
    +
    + + at least every 3 years + +

    [Assignment: organization-defined frequency]

    +
    +
    + + change in organizational legal status or ownership + +

    [Assignment:organization-defined events]

    +
    +
    + + at least annually + +

    [Assignment: organization-defined frequency]

    +
    +
    + + change in policy or a security incident involving a failure of access control mechanisms + +

    [Assignment:organization-defined events]

    +
    +
    + + + +

    Describe how Part a is satisfied within the system.

    +

    Legacy approach. If no policy component is defined, describe here how the policy + satisfies part a.

    +

    In this case, a link must be provided to the policy.

    +

    FedRAMP prefers all policies and procedures be attached as a resource in the + back-matter. The link points to a resource.

    +
    + + 11111111-2222-4000-8000-004000000008 + + +

    The specified component is the system itself.

    +

    Any control implementation response that can not be associated with another component + is associated with the component representing the system.

    +
    +
    + + +

    Describe how this policy satisfies part a.

    +

    Component approach. This links to a component representing the Identity Management + and Access Control Policy.

    +

    That component contains a link to the policy, so it does not have to be linked here + too.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    Describe how this procedure satisfies part a.

    +

    Component approach. This links to a component representing the Identity Management + and Access Control Policy.

    +

    That component contains a link to the policy, so it does not have to be linked here + too.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    There

    +
    + + + +

    Describe the plan to complete the implementation.

    +
    +
    + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    Describe how this policy currently satisfies part a.

    +
    + + +

    Describe the plan for addressing the missing policy elements.

    +
    +
    + + +

    Identify what is currently missing from this policy.

    +
    +
    + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    Describe how Part b-1 is satisfied.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.
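Review bot: the by-component entries that the comments identify as the 'policy' and 'process-procedure' components for part a of this -1 control reference the same UUID, 11111111-2222-4000-8000-004000000008, that every 'this-system' entry in this file references; as added, all three entries for part a resolve to one component. If the example is meant to show three distinct components for the policy, the procedure and the system, the policy and process-procedure entries should point at their own component UUIDs; if a single component is intentional, the two comments should say so rather than describe separate components. The same pattern repeats at the second -1 control later in this file. Also, the process-procedure comment is wrapped onto a second added line ("every -1" / "+ control.") while the policy comment keeps "every -1 control." on one line; keep the comment on one line so the two read the same and the diff does not show a one-word continuation line.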

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'policy' component that must be present for part a of every -1 control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    + + +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder + + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    +
    + + + placeholder + + + placeholder - - + + -

    Describe how Part a is satisfied within the system.

    -

    Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

    -

    In this case, a link must be provided to the policy.

    -

    FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

    +

    This is the 'this-system' component that must be present for every statement

    - - - - 11111111-0000-4000-9000-000000000001 - - -

    The specified component is the system itself.

    -

    Any control implementation response that can not be associated with another component is associated with the component representing the system.

    -
    + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Identity Management and Access Control Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    - - + + -

    Describe how Part a is satisfied within the system.

    -

    Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

    -

    In this case, a link must be provided to the policy.

    -

    FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

    +

    This is the 'this-system' component that must be present for every statement

    - - - - 11111111-0000-4000-9000-000000000001 - - -

    The specified component is the system itself.

    -

    Any control implementation response that can not be associated with another component is associated with the component representing the system.

    -
    + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Identity Management and Access Control Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    - - +
    + + + placeholder + + + -

    There

    +

    This is the 'this-system' component that must be present for every statement

    - - - -

    Describe the plan to complete the implementation.

    -
    -
    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this policy currently satisfies part a.

    +

    This is the 'this-system' component that must be present for every statement

    - - -

    Describe the plan for addressing the missing policy elements.

    -
    -
    - - -

    Identify what is currently missing from this policy.

    -
    -
    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + -

    Describe how Part b-1 is satisfied.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how Part b-2 is satisfied.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ac-1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how this policy satisfies part a.

    11111111-0000-4000-9000-000000000001

    This is the "policy" component, which represents the Access Control and Identity Management Policy.

    Describe how this procedure satisfies part a.

    11111111-0000-4000-9000-000000000001

    This is the "process-procedure" component, which represents the Access Control Process.

    Describe how Part ac-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - -

    Describe any customer-configured requirements for satisfying this control.

    -
    -
    - quarterly for privileged access, annually for non-privileged access - - userid, password, role, job function. - - 8 hours - - 8 hours - - 24 hours - - Privileged Access Administrator, Cybersecurity Operations Center (CSOC) Team Lead - - Account Management Policy: All requests for account creation, modification, or removal must be submitted through the IT Service Desk and approved by the system owner. Account creations require a valid business need and a completed Account Request Form. Accounts will be disabled after 90 days of inactivity and removed after 180 days. Modifications to accounts must be documented and approved by the system owner. Accounts will be enabled or disabled based on user role and job function. - - System Owners, Information System Security Officers (ISSOs), and Authorizing Officials - - Example value: "username, password, account-type, expiration-date, access-level, department, job-function - - AC-02(01): Group and role membership prerequisites and criteria are defined as follows: (i) group membership requires approval by a designated manager; (ii) role membership requires completion of a background check and a minimum of 6 months of employment with the organization. - - 11111111-2222-4000-8000-004000000010 - - 11111111-2222-4000-8000-004000000011 - - - -

    Describe how the control is satisfied within the system.

    -
    - - [SAMPLE]privileged, non-privileged - - - [SAMPLE]all - - - [SAMPLE]The Access Control Procedure - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - -
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how AC-2, part a is satisfied within this system.

    -

    This points to the This System component, and is used any time a more specific component reference is not available.

    +

    This is the 'this-system' component that must be present for every statement

    - - - -

    Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

    -
    -
    - - -

    Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

    -

    Not associated with inheritance, thus associated this with the by-component for this system. -

    -
    - - 11111111-2222-4000-8000-004000000001 - -
    -
    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    For the portion of the control satisfied by the application component of this system, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - - -

    Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

    -

    In the context of the application component in satisfaction of AC-2, part a.

    -
    - - 11111111-2222-4000-8000-004000000005 - -
    - - -

    Leveraging system's responsibilities with respect to inheriting this capability from this application.

    -

    In the context of the application component in satisfaction of AC-2, part a.

    -
    - - 11111111-2222-4000-8000-004000000005 - -
    -
    - - 11111111-0000-4000-9000-000000000001 - - -

    The component-uuid above points to the this system component.

    -

    Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

    -

    This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

    -

    While the this system component is not explicitly required within every statement, it will typically be present.

    -
    + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

    +

    This is the 'this-system' component that must be present for every statement

    - - -

    Optional description.

    -

    Consumer-appropriate description of what may be inherited as provided by the leveraged system.

    -

    In the context of this component in satisfaction of AC-2, part a.

    -

    The provided-uuid links this to the same statement in the leveraged system's SSP.

    -

    It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

    -
    -
    - - -

    Description of how the responsibility was satisfied.

    -

    The responsibility-uuid links this to the same statement in the leveraged system's SSP.

    -

    It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

    -

    Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP.

    -

    Tool developers should be mindful that

    -
    -
    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ac-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.h is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.i is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.j is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.k is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_smt.l is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.h is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.i.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.i.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.i.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.j is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.k-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.k-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2_obj.l is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - merger with another company, change in regulatory requirements, or major system upgrade - - Annually - - Examples of events that would require the current awareness and training policy to be reviewed and updated include: major changes to organizational policies or procedures, changes to relevant laws or regulations, personnel changes, or significant security incidents. - - Every 2 years - - The Chief Information Security Officer (CISO) is appointed to oversee and manage the awareness and training policy and procedures. - - organization-level, mission/business process-level, system-level - - All employees, contractors, and third-party users with access to organizational systems and data. - - All employees, contractors, and third-party users with access to organization's information systems - - 11111111-2222-4000-8000-004000000011 - - + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    Describe how Part a is satisfied.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    Describe how Part b-1 is satisfied.

    +

    This is the 'this-system' component that must be present for every statement

    +
    + + + 11111111-2222-4000-8000-004000000008 + +
    +
    + + + +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    Describe how Part b-2 is satisfied.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part at-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Modification to system access controls, changes to data repositories, or alterations to business processes - - Annually - - Changes to relevant laws or regulations, changes to the organization's mission or business operations, changes to audit or accountability policies, or discovery of unauthorized access or data breaches. - - Every 2 years - - The Chief Information Security Officer (CISO) is designated as the official responsible for managing the audit and accountability policy and procedures. - - organization-level, mission/business process-level, system-level - - Chief Information Security Officer, Information System Security Manager, and all personnel with access to the system - - CEO, CISO, IT Managers, System Administrators, and All Users with Privileged Access - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part au-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Modification of security policies, changes to system architecture, or updates to system components. - - Annually - - Changes to laws or regulations, updates to system/software, or changes to organizational policies or procedures. - - Every 2 years - - The Chief Information Security Officer (CISO) is designated as the official responsible for managing the assessment, authorization, and monitoring policy and procedures. - - organization-level, mission/business process-level, system-level - - System Administrators, Information Security Officers, and IT Managers - - Chief Information Security Officer (CISO), IT Managers, System Administrators, and Security Team Members - - 11111111-2222-4000-8000-004000000011 - - + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ca-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Merger or acquisition, major system upgrade, or change in regulatory requirements. - - Annually - - Examples of events that would require the current configuration management policy to be reviewed and updated include: changes in organizational structure, new system or application deployments, changes in regulatory requirements, and major network infrastructure upgrades. - - Every 2 years - - The Configuration Management Officer - - organization-level, mission/business process-level, system-level - - System Administrators, Network Engineers, and Database Managers - - System Administrators, IT Managers, and Developers - - 11111111-2222-4000-8000-004000000011 - - + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cm-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - merger/acquisition, changes in leadership, new regulations, or major system updates - - Annually - - Example value for this parameter:"Events that would trigger a review and update of the contingency planning policy include: (1) changes to organizational structure or leadership, (2) significant changes to information systems or business processes, (3) a major security incident or breach, (4) a change in regulatory or compliance requirements, or (5) a significant change in the organization's risk profile. - - Every 2 years - - Chief Information Security Officer (CISO) - - organization-level, mission/business process-level, system-level - - Contingency Planning Team, Information System Security Officer (ISSO), IT Director - - Contingency Planning Team, IT Director, Senior Management - - 11111111-2222-4000-8000-004000000011 - - + -

    Describe how the control is satisfied within the system.

    +

    This is a 'policy' component that must be present for part a of every -1 control.

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + -

    The organization coordinates contingency plan development with organizational elements responsible for related plans.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-2.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Within 4 hours of a disaster declaration, the organization will resume mission and business functions. - - all - - + + + + + placeholder + + + placeholder + + + placeholder + + + -

    The organization plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation.

    +

    This is the 'this-system' component that must be present for every statement

    - - within 24 hours - - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-2.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - all - - + + + -

    The organization identifies critical system assets supporting essential missions and business functions.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-2.8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    The organization coordinates contingency plan testing with organizational elements responsible for related plans.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-4.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    The organization conducts an assessment of the alternate storage site at least annually to determine its availability and readiness for operation.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-6.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-6.3_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-6.3_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + -

    The organization conducts an assessment of the alternate processing site at least annually to determine its availability and readiness for operation.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-7.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + -

    The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-7.2_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-7.2_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-7.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    The organization identifies primary and alternate telecommunications services supporting the system and documents provider contingency plans and recovery time objectives to ensure the availability of telecommunication services.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-8.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-8.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-8.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-8.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-8.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 6 months. - - Every 6 months. - - + + + -

    The organization conducts backups of user-level information contained in the system at least weekly.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-9.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - param-value xmlns="http://csrc.nist.gov/ns/oscal/1.0" param-id="cp-09.08_odp" All sensitive data is backed up daily to an encrypted external hard drive and stored offsite, with access limited to authorized personnel./param-value - - + + + -

    The organization provides a means to restore system functions without loading backups (e.g., through system reinstallation).

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-9.8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    The organization implements transaction recovery for systems that are transaction-based.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-10.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - merger or acquisition, change in organizational structure, or update to identity and access management system - - Annually - - Examples of events that would trigger a review and update of the current identification and authentication policy include: - Change in organizational structure or personnel - Introduction of new systems or applications - Change in user roles or access levels - Security incidents or breaches - Upgrade or modification to existing systems or applications - Changes in regulatory or legal requirements - - Every 2 years - - Chief Information Security Officer (CISO) - - organization-level, mission/business process-level, system-level - - System Administrators, Network Engineers, and Cybersecurity Team Members - - System Administrators, Network Engineers, Security Team, and All New Hires - - 11111111-2222-4000-8000-004000000011 - - + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ia-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Example events: merger or acquisition, new regulatory requirements, changes in organizational structure, introduction of new technology, etc. - - Annually - - The current incident response policy will be reviewed and updated in response to the following events: - Changes to relevant laws or regulations;- Significant changes to the organization's mission, goals, or objectives;- Significant changes to the organization's business or operational environment;- Identification of material weaknesses or deficiencies in the incident response process;- Occurrence of a major incident or crisis;- Changes to the incident response team membership or roles;- Completion of incident response plan testing and exercises;- Receipt of feedback from stakeholders or interest parties;- Discovery of new threats, vulnerabilities, or risks. - - Every 2 years - - CISO (Chief Information Security Officer) is designated as the official responsible for managing the incident response policy and procedures. - - organization-level, mission/business process-level, system-level - - Incident Response Team, IT Operations Team, and Management Team. - - Incident Response Team, IT Manager, Security Officer, Compliance Officer. - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + placeholder + + + placeholder + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ir-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Events such as changes to system hardware or software, changes to the organization's mission or business processes, or changes to relevant laws or regulations. - - Every 12 months. - - Here is an example value for this parameter:"change in organizational goals or objectives, changes in legislation or regulations, failure of a critical system or component, significant changes to information systems or infrastructure, emergence of new threats or vulnerabilities - - Every 2 years - - The Chief Information Security Officer (CISO) is designated as the official responsible for managing the maintenance policy and procedures. - - organization-level, mission/business process-level, system-level - - Network Administrators, System Engineers, and IT Managers - - System Administrators, Network Engineers, and Cybersecurity Team Leads - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + placeholder + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Organizational maintenance records shall include: (i) date and time of maintenance activity, (ii) description of maintenance performed, (iii) identity of personnel performing maintenance, and (iv) maintenance activity results. - - All sensitive data, including Personally Identifiable Information (PII), financial information, and confidential business data, must be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement. - - System Administrators, IT Managers, and Authorized Maintenance Personnel - - + + + -

    The organization:

    +

    This is the 'this-system' component that must be present for every statement

    - - System Administrators, Security Administrators - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-2_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001
    - - at least annually - - + + + + + placeholder + + + -

    The organization:

    -

    a. Approves and monitors the use of system maintenance tools; and

    -

    b. Controls maintenance tools through one or more of the following: removal, disabling, preventing unauthorized removal.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    The organization inspects the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-3.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + -

    The organization checks media containing diagnostic and test programs for malicious code before the media are used in the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-3.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Facility Manager, IT Director - - + + + -

    The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

    -

    (a) Verifying that there is no organizational information contained on the equipment;

    -

    (b) Sanitizing or destroying the equipment;

    -

    (c) Retaining the equipment within the facility; or

    -

    (d) Obtaining an exemption from the authorizing official explicitly authorizing removal of the equipment from the facility.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-3.3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-3.3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-3.3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-3.3_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-3.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + -

    The organization:

    -

    a. Approves and monitors nonlocal maintenance and diagnostic activities;

    -

    b. Documents and monitors maintenance and diagnostic activities;

    -

    c. Requires that nonlocal maintenance and diagnostic activities be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or

    -

    d. Removes the component to be serviced from the system prior to nonlocal maintenance or diagnostic services.

    +

    This is the 'this-system' component that must be present for every statement

    - - System Administrators, Security Administrators - - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-4_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    The organization:

    -

    a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

    -

    b. Ensures that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

    -

    c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Procurement of alternate firewall devices to be implemented in the event that the primary firewall cannot be sanitized or removed from the system. - - + + + + + -

    The organization:

    -

    a. Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

    -
      -
    1. Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
    2. -
    3. Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
    4. -
    -

    b. Develops and implements alternate security safeguards in the event a system component cannot be sanitized, removed, or disconnected from the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-5.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5.1_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5.1_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ma-5.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Within 4 hours - - All production servers, network devices, and custom software applications - - + + + + + -

    The organization performs maintenance on organization-defined system components within organization-defined time periods of failure.

    +

    This is the 'this-system' component that must be present for every statement

    - - all system components - - - within 24 hours of failure - - - 11111111-0000-4000-9000-000000000001 - + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ma-6_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - changes to media handling policies, incidents resulting in data breaches, or updates to relevant regulations - - Annually - - Changes in organizational policies, changes in regulatory requirements, changes in technology used for data storage and transmission, and changes in the threat landscape. - - Every 24 months - - The Chief Information Security Officer (CISO) - - organization-level, mission/business process-level, system-level - - Chief Information Security Officer (CISO), Information System Security Officer (ISSO), and Media Protection Team - - All employees, contractors, and third-party vendors who handle sensitive information or have access to organizational media. - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - - - +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part mp-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Examples of significant events that would trigger a review and update of physical and environmental protection procedures include: relocation of facilities, changes in organizational structure, new equipment or system deployments, natural disasters, or major security breaches. - - Annually - - The organization recognizes the following events that would require the current physical and environmental protection policy to be reviewed and updated: changes in regulatory requirements, incidents resulting in physical damage or data breaches, significant changes in the organization's physical infrastructure or operations, and changes in senior leadership or organizational structure. - - every 2 years - - Chief Information Security Officer (CISO) - - organization-level, mission/business process-level, system-level - - Facility Security Officer, IT Manager, and Data Center Administrators - - All personnel with access to company facilities or systems, including employees, contractors, and third-party vendors. - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is a 'policy' component that must be present for part a of every -1 control.

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part pe-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - MERGER_ACQUISITION, CHANGE_IN_BUSINESS_PROCESS, NEW_REGULATORY_REQUIREMENT, SOFTWARE_UPGRADE, CHANGE_IN_ORGANIZATIONAL_STRUCTURE - - Annually - - Change in senior leadership, merger or acquisition, significant changes to business operations, introduction of new technologies, or changes to relevant laws and regulations. - - Every 2 years - - The Chief Information Security Officer (CISO) is designated as the official to oversee the planning policy and procedures. - - organization-level, mission/business process-level, system-level - - Chief Information Security Officer (CISO), IT Director, System Administrators, and Data Owners - - Chief Information Officer, IT Department, and System Administrators - - 11111111-2222-4000-8000-004000000011 - - + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part pl-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Modification to personnel access, changes to security policies, or updates to personnel roles and responsibilities. - - Annual - - Change in federal regulations, newly identified threats, major system changes, or changes in personnel roles or responsibilities. - - Every 2 years - - The Chief Security Officer (CSO) is designated as the official responsible for managing the personnel security policy and procedures. - - organization-level, mission/business process-level, system-level - - All personnel with access to classified information, including system administrators, developers, and quality assurance testers. - - All employees, contractors, and third-party users with access to organizational systems and data. - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + placeholder + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ps-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - merger or acquisition, changes in leadership, or major updates to critical systems or infrastructure - - Annually - - Merge or acquisition of another organization, changes to laws or regulations, significant changes to business operations or technology, identification of new threat sources or vulnerabilities, or changes to risk tolerance. - - Every 2 years - - The Chief Information Security Officer (CISO) is designated as the official responsible for managing the risk assessment policy and procedures. - - organization-level, mission/business process-level, system-level - - Risk Assessment Team, Information System Security Officer, Chief Information Officer - - Chief Information Security Officer (CISO), IT Director, and System Administrators - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ra-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
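Review bot: the `this-system` component reference is changed inconsistently in this RA-1 block: every part-a by-component now points at `+ 11111111-2222-4000-8000-004000000008`, while the unchanged statements for ra-1_smt.b, ra-1_smt.c and all ra-1_obj.* parts still reference `11111111-0000-4000-9000-000000000001`. The added remark says this is the 'this-system' component that must be present for every statement, so either the remaining references should be updated to the same UUID, or, if `11111111-0000-4000-9000-000000000001` is still the valid this-system component, the new UUID is the wrong one; as it stands, half the statements in the same control point at a different component than the one described.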
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Major software updates, changes in regulatory requirements, or alteration of system architecture. - - Annually - - merger/acquisition, changes in regulatory requirements, new technology adoption, major system upgrades, or changes in organizational mission/objectives. - - Every 2.5 years - - The Chief Information Officer (CIO) has been designated as the official responsible for managing the system and services acquisition policy and procedures. - - organization-level, mission/business process-level, system-level - - System Administrators, Information Security Officers, and Acquisition Team Leads. - - System Administrators, Network Engineers, and IT Managers - - 11111111-2222-4000-8000-004000000011 - - + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sa-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - events": ["merger or acquisition", "change in leadership", "new regulatory requirements", "system upgrade or migration", "security incident or breach"] - - Annually - - Examples of events that would trigger a review and update of the current system and communications protection policy include: (1) changes in business strategy or operations; (2) changes in the threat landscape or risk environment; (3) significant changes to the system or network architecture; (4) new regulatory or compliance requirements; or (5) discovery of a security incident or breach. - - Every 2 years - - Chief Information Security Officer (CISO) - - organization-level, mission/business-process-level, system-level - - System Administrators, Network Engineers, and Cybersecurity Team Members - - System Administrators, Cybersecurity Team, and IT Managers - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + placeholder + + + placeholder + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sc-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
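Review bot: the concrete sample values in this SC-1 block are replaced by the bare literal `placeholder` (the removed `at least every 3 years` / `at least annually` frequencies and the responsible-role text `Chief Information Security Officer (CISO)`, for example), which strips the example SSP of the guidance it exists to give. Dropping the removed `- events": ["merger or acquisition", ...]` line is right, since that is a stray JSON fragment rather than a parameter value, but the replacement should still show what a valid value looks like; the bracketed prompt style the old text uses elsewhere (`[specify frequency]`) keeps the entry obviously a template without leaving a meaningless value that could be copied verbatim into a real SSP.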
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Modification to system architecture, changes to user access, or updates to security software - - Annually - - Events that would require the current system and information integrity policy to be reviewed and updated include: changes to legal or regulatory requirements, changes to organizational policies or procedures, changes to system or network architecture, discovery of a security incident, or failure of a system or component. - - Every 2 years - - The Chief Information Officer (CIO) is designated as the official responsible for managing the system and information integrity policy and procedures. - - organization-level, mission/business process-level, system-level - - System Administrators, Network Engineers, Cybersecurity Team, and Information System Owners. - - System Administrators, Network Engineers, Incident Responders, and all personnel with privileged access. - - 11111111-2222-4000-8000-004000000011 - - - -

    Describe how the control is satisfied within the system.

    -
    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - -
    -
    - - -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    - - -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    - - -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -
    - - -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -
    - - -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 11111111-2222-4000-8000-004000000018 - - - -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    - - -

    Describe how the control is satisfied within the system.

    -

    DMARC is employed.

    -

    SPF is employed.

    -

    DKIM is employed.

    -
    - - organization-defined personnel or roles - - - [specify frequency] - - - [specify frequency] - - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-8_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-8_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-8_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-8_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
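Review bot: the SI-1 and SI-8 implemented-requirement entries are removed outright here with no replacement in this region: every line from the removed SI-1 parameter values through `Describe how Part si-1_obj.c.2 is satisfied.`, and the SI-8 entry including the by-component `11111111-2222-4000-8000-004000000018` with its `DMARC is employed.` / `SPF is employed.` / `DKIM is employed.` narrative. If these were relocated elsewhere in the file, the commit message should say so; if not, the example loses the one entry that showed a non-`this-system` by-component with a per-mechanism narrative, and a reviewer cannot tell from the diff that the removal is deliberate.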
    - - -

    Describe the plan to complete the implementation.

    -
    -
    - Merger or acquisition of a supplier company, change in ownership of a supplier company, or a significant change in a supplier's business practices. - - Annually on January 1st - - Events that trigger a review and update of the current supply chain risk management policy include: changes to organizational policies or procedures; changes to supplier relationships or contracts; occurrence of a supply chain risk event or incident; changes to relevant laws, regulations, or industry standards; and material changes to the organization's products or services. - - Every 2 years - - Chief Information Security Officer (CISO) - - organization-level, mission/business process-level, system-level - - Chief Information Security Officer (CISO), Procurement Officer, and IT Managers - - System Administrators, Network Engineers, Procurement Officers, and Supply Chain Managers - - 11111111-2222-4000-8000-004000000011 - - + +
    + + + placeholder + + + placeholder + + + -

    Describe how the control is satisfied within the system.

    +

    This is the 'this-system' component that must be present for every statement

    - - at least every 3 years - - - at least annually - - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -
    - + +
    + + + placeholder + + + -

    For the portion of the control satisfied by the service provider, describe how the control is met.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    +
    + + + placeholder + + + placeholder + + + placeholder + + + -

    Describe how this policy component satisfies part a.

    -

    Component approach. This links to a component representing the Policy.

    -

    That component contains a link to the policy, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    - +
    + + -

    Describe how this procedure component satisfies part a.

    -

    Component approach. This links to a component representing the procedure.

    -

    That component contains a link to the procedure, so it does not have to be linked here too.

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sr-1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.a.1.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.a.1.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-1_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ca-7.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cm-4.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ia-5.7_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Session duration, bytes received (1024), bytes sent (512), additional message 'login failed', object ID 'file123', user ID 'jdoe' - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part au-3.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ia-5.6_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ac-11.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Interior points within the system where communications traffic is to be analyzed include all network switches, routers, and servers. - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part si-4.18_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - CISO, IT Director, or their designees - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sa-9.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - system components value p firewalls, routers, switches, and servers - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sr-11.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ca-7.4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7.4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7.4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7.4_obj is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7.4_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7.4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7.4_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Cloud-based email services (Office 365), virtual private network (VPN) connections to remote sites, and cloud-based storage services (Amazon S3). - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sa-9.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - System Administrators, Network Engineers, and Procurement Officials. - - + + + -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-11.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Authenticators must be at least 12 characters long, contain at least one uppercase letter, one lowercase letter, one number, and one special character. - - Every 90 days. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-5.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_smt.h is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.1_obj.h is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-5.2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.2_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.2_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.2_obj.b.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5.2_obj.b.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-4.16_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Example value: "Automated incident response tools, such as SIEM systems and incident response platforms, are utilized to streamline incident response processes and provide real-time incident response information to support personnel. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-7.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 24 hours - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-8.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 3 years - - CISO, Senior Management, IT Director, Information Security Team, and System Administrators. - - Every 3 years or when significant changes occur. - - Risk Assessment Findings Document - - security and privacy plans - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ra-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ra-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - IT Security Team, Compliance Officer, and System Administrators - - High-risk: 30 days, Moderate-risk: 90 days, Low-risk: 180 days - - Weekly, with a minimum of quarterly comprehensive scans, and randomly on a monthly basis to ensure adequate coverage. - - Weekly vulnerability scans of all Internet-facing systems and quarterly vulnerability assessments of hosted applications. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ra-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.b.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.b.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.b.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-5_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Session disconnect is triggered after 15 minutes of inactivity, upon login failure exceeding 3 attempts, or upon reaching the maximum allowed concurrent sessions. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-12_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - View public website content, download publicly available files, receive system notifications. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-14_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-14_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-14_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-14_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ra-7_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The decision points in the system development life cycle when a criticality analysis is to be performed are defined as: (1) during the initiation phase, prior to allocating resources; (2) during the development phase, upon completion of system design; and (3) during the implementation phase, prior to deploying the system to production. - - All externally-facing web applications, database servers, and email services. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ra-9_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 15 minutes - - initiating a device lock after of inactivity, requiring the user to initiate a device lock before leaving the system unattended - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-11_smt.a is satisfied.
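Review bot: The ac-11 selection text in the removed line `- - 15 minutes - - initiating a device lock after of inactivity, requiring the user to initiate a device lock before leaving the system unattended` has a hole where the time period belongs ("after of inactivity"); the 15 minutes value is set as the sibling parameter but never lands in the sentence. If this value is carried into the reindented version, make the selection read "initiating a device lock after 15 minutes of inactivity" (or reference the sibling parameter) rather than leaving the gap.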

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-11_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-11_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-11_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-17_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-18_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-18_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-18_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-18_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-19_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-19_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-19_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-19_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Key generation, distribution, storage, access, and destruction requirements are defined in accordance with FIPS 140-2 and supplemented by NIST Special Publication 800-57. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-12_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - types of cryptography value AES for data at rest, RSA for digital signatures, and SHA-256 for data integrity. - - cryptographic uses value All data transmitted over the network, authentication, and digital signatures. - - - -

    Implementation description needed

    -
    - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-13_smt.a is satisfied.
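Review bot: The sc-13 parameter values in the removed line carry their prompt labels inside the value: `types of cryptography value AES for data at rest, RSA for digital signatures, and SHA-256 for data integrity.` and `cryptographic uses value All data transmitted over the network, authentication, and digital signatures.` Whatever re-adds these should keep only the value text ("AES for data at rest, RSA for digital signatures, and SHA-256 for data integrity" and "All data transmitted over the network, authentication, and digital signatures"); the label and the word "value" are not part of the parameter.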

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-13_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-13_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-13_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 10 minutes for privileged sessions, 15 minutes for user sessions - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-10_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - All contracts with cloud service providers include clauses that require the provider to notify us within 24 hours of a security incident, and to provide us with a detailed incident report within 72 hours. - - standardized contract language, - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-4_smt.a is satisfied.
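Review bot: The sa-4 selection value `standardized contract language,` ends in a dangling comma, which reads as a second alternative that was started and left empty; either drop the comma or complete the list before this value is re-added. The contract clause text beside it (24-hour incident notification, 72-hour report) is fine as an example value.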

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_smt.h is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_smt.i is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_obj.h is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-4_obj.i is satisfied.

    11111111-0000-4000-9000-000000000001
    - - End of standard work day (e.g., 5:00 PM) or after 30 minutes of inactivity - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - +

    This is the 'this-system' component that must be present for every statement

    + + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ac-2.5_obj is satisfied.
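Review bot: The ac-2.5 statement swaps its by-component reference rather than adding one: the `-` line drops `11111111-0000-4000-9000-000000000001` and the `+` lines add `11111111-2222-4000-8000-004000000008`, while the comment kept between them states that the 'this-system' component must be present for every statement. If 11111111-2222-4000-8000-004000000008 is not the this-system component, restore the this-system by-component as a second entry; if it is, the comment is misleading where it sits and should be placed on the line it describes.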

    11111111-0000-4000-9000-000000000001
    - - The system development life cycle at our organization is defined as: "The organization follows a iterative development methodology that includes the following stages: planning, requirements, design, implementation, testing, deployment, and maintenance. Each stage includes specific activities, reviews, and approvals to ensure that systems are developed in a secure and efficient manner. - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-3_smt.a is satisfied.
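Review bot: The `+` block for sa-3 fills all twelve parameter slots with the literal `placeholder`, which is weaker than the text it replaces given that this is the example SSP readers copy from; give each slot a recognizable sample value, or at least use the bracketed convention the document title already uses ([Baseline Name]) so the slots are obviously unfilled. If the removed SDLC description is reused, close its opening quotation mark and change "a iterative" to "an iterative".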

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_obj.d-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-3_obj.d-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Our organization's certificate policy is based on the X.509v3 standard, and is defined in the document 'Certificate Policy and Certification Practice Statement' (Version 1.2, dated 2022-01-01), which outlines the rules and practices for issuing, managing, and revoking public key certificates. - - - -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-17_smt.a is satisfied.
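Review bot: In the sc-17 region the added comment `This is the 'this-system' component that must be present for every statement` is immediately followed by the `-` line `- - 11111111-0000-4000-9000-000000000001 - -` that removes the by-component it refers to, so as shown the statement keeps the comment but loses the this-system by-component. Keep the by-component (reindented) under the comment, or drop the comment if the component is re-added elsewhere in the statement.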

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-17_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-17_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-17_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 90 days - - 24 hours - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-2.3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.3_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.3_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.3_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - ISSO, System Administrators, and IT Managers - - actions value p When system documentation is unavailable, the system administrator will attempt to contact the documentation owner for retrieval or recreation. If documentation is nonexistent, the system administrator will create new documentation based on system analysis and testing, and obtain approval from the system owner. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-5_smt.a is satisfied.
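Review bot: The sa-5 value `actions value p When system documentation is unavailable, the system administrator will attempt to contact the documentation owner ...` carries stray tokens (`actions value p`) ahead of the actual text; strip them so the parameter value starts at "When system documentation is unavailable". The roles value `ISSO, System Administrators, and IT Managers` is fine.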

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.a.2-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.a.2-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.a.2-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.a.2-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.b.1-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.b.1-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.b.1-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.b.1-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.b.2-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.b.2-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.b.3-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.b.3-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-5_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Exceptions for remote activation are allowed for authorized IT personnel during non-business hours for the purpose of performing critical system maintenance. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-15_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-15_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-15_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-15_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-2.4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Example: The organization utilizes automated mechanisms such as Active Directory and scripts to manage system accounts, including automatic disabling and removal of inactive accounts. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-2.1_obj is satisfied.
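Review bot: The ac-2.1 value `Example: The organization utilizes automated mechanisms such as Active Directory and scripts to manage system accounts ...` begins with an "Example:" prefix that belongs to the authoring prompt, not the parameter; drop the prefix so the value starts at "The organization utilizes", consistent with the other example values in the file.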

    11111111-0000-4000-9000-000000000001
    - - 96 hours - - remove - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-2.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-2_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-2_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-2_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-2_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-2_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-2_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-18_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-18_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-18_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-18_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Daily - - as needed, - - System Administrators, Incident Responders, and IT Managers - - Security Operations Center (SOC) personnel receive real-time monitoring information from the SIEM system, including alerts, logs, and performance metrics. - - The organization uses a combination of automated tools and manual reviews to identify unauthorized use of the system, including log analysis, network traffic monitoring, and periodic access reviews. - - Monitor system logs for unusual activity, detect and respond to brute-force login attempts, and alert on suspicious network traffic patterns. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001
    - - users, devices - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-18.1_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-18.1_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Chief Information Security Officer, Security Operations Center Team - - Isolate affected systems, notify incident response team, and initiate remediation procedures within 1 hour of detection. - - block malicious code, quarantine malicious code, take - - endpoint, network entry and exit points - - Weekly - - signature-based, non-signature-based - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-3_smt.a is satisfied.
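Review bot: The si-3 selection `block malicious code, quarantine malicious code, take` ends on a dangling `take`, the start of a "take [organization-defined action]" alternative with no action filled in; either complete it (for example with the 1-hour isolate-and-remediate action already given in the same line) or remove it. The `Weekly` scan frequency and the `signature-based, non-signature-based` selection read correctly.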

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_obj.c.1-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_obj.c.1-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_obj.c.2-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_obj.c.2-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-3_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Isolate affected systems and networks, and activate incident response team to contain and eradicate the anomaly. - - shut the system down, restart the system, - - System Administrators, Information Security Officer, Chief Information Security Officer - - Monthly - - _system startup: initial boot sequence, system initialization, and login prompt; system restart: shutdown, reboot, and restart from hibernation or sleep mode_ - - , upon command by user with appropriate privilege, - - privacy functions privacy functions to be verified for correct operation are defined; value The system's data encryption, access controls, and data anonymization functions are verified for correct operation. - - security functions value The following security functions are defined for correct operation: authentication, authorization, data encryption, and access control. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-6_smt.a is satisfied.
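Review bot: Several si-6 values in the removed line carry leaked label text or stray punctuation: `privacy functions privacy functions to be verified for correct operation are defined; value The system's data encryption, ...`, `security functions value The following security functions are defined ...`, `shut the system down, restart the system,` and `, upon command by user with appropriate privilege,`; the startup/restart definition is also wrapped in underscores (`_system startup: ... _`). When re-added, keep only the value text (for example "The system's data encryption, access controls, and data anonymization functions"), remove the leading and trailing commas, and drop the underscore markup.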

    11111111-0000-4000-9000-000000000001

    Describe how Part si-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-6_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-6_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-6_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-6_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-18.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Example value: List of external organizations: Internet Engineering Task Force (IETF), Open Web Application Security Project (OWASP), SANS Internet Storm Center (ISC) - - Network Operations Center (NOC), IT Department, Incident Response Team, and System Administrators - - Chief Information Security Officer (CISO), IT Manager, System Administrators, and Cybersecurity Team Leads - - , , - - US-CERT, Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-5_smt.a is satisfied.
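Review bot: The si-5 removed line has an empty selection (`, ,`) and a value that begins with prompt text, `Example value: List of external organizations: Internet Engineering Task Force (IETF), ...`; fill the selection or remove it, and strip the "Example value: List of external organizations:" prefix so the value is just the list of organizations.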

    11111111-0000-4000-9000-000000000001

    Describe how Part si-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-5_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-5_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-5_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-5_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Privacy engineering principles are defined as fairness, transparency, and accountability, ensuring personal data is processed in a way that is respectful of individuals' autonomy and privacy, and that privacy risks are identified and mitigated throughout the system development lifecycle. - - Systems security engineering principles are defined as ensuring confidentiality, integrity, and availability of data throughout the system development lifecycle. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-8_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-5 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-6 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-7 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-8 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-9 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-8_obj-10 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Types of external systems prohibited from use are: Public Cloud Services, Personal Email Services, and Social Media Platforms. - - The organization has asserted that the following controls are implemented on external systems: AC-20(1), AC-20(2), and AC-20(3), which are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems. - - Terms and conditions for external connections require written agreements, including mutual nondisclosure agreements, that explicitly define the responsibilities and obligations of each party, and ensure compliance with organizational security policies and procedures. - - establish , identify - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-20_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-20_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-20_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-20_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The organization uses a collaboration platform that provides automated access requests and approvals, as well as a data categorization tool that helps users determine the appropriate level of access for collaborators. - - Defined circumstances include: mission partners requiring access to sensitive information for collaborative operations, foreign nationals requiring access to classified information for joint research projects, and emergency responders needing access to restricted information during crisis situations. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-21_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-21_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-21_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-21_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 30 days - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 90 days - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-22_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-22_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-22_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-22_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-22_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-22_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-22_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-22_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Establish a continuous monitoring program that includes regular security assessments, vulnerability scanning, and compliance monitoring of external systems where Federal information is processed or stored, with quarterly reporting to FedRAMP PMO. - - FedRAMP Moderate Baseline controls are implemented for the external system. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-9_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-9_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-3.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - IT Change Advisory Board (CAB) - - The organization's privacy representatives include the Chief Privacy Officer, the Data Protection Officer, and the System Security Officer. - - Members of the IT Security Team, including the Chief Information Security Officer (CISO) and IT Security Analysts, who are responsible for reviewing and approving changes to the system. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-3.4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Implementation of new firewall rules, updates to access control lists, and modifications to system configuration files. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-7.7_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The Information System Security Officer (ISSO) and the Facility Security Officer (FSO) - - Monthly - - 1 year - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-8_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-8_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-8_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-8_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-8_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-8_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-9_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Conduct quarterly red team exercises to simulate attempts by adversaries to compromise organizational systems, including phishing, social engineering, and network penetration testing, with the goal of identifying vulnerabilities and improving incident response capabilities. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-8.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-8.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-20_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-20_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-20_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-20_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-20_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 6 hours - - System startup, system shutdown, user login, user logout, data transfer, or filesystem modifications - - at startup, at , - - information value Data files stored on the Finance Server - - Every 30 days. - - Initial power-up, firmware updates, and reset to factory defaults. - - at startup, at , - - firmware value The BIOS firmware and all firmware updates - - Every 30 days - - System initialization, system shutdown, and software updates - - at startup, at , - - _all Windows 10 operating system files and Microsoft Office application files_ - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-7.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-23_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The organization requires shared accounts for emergency response teams to access critical infrastructure systems during high-severity incidents, as justified by the Incident Response Policy (IRP-001) and approved by the Chief Information Security Officer (CISO). - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-2.9_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - US citizen, US national, Lawful permanent resident, Refugees, Asylees, Foreign nationals (authorized to work), Contractors (cleared personnel). - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-4.4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Example value: The organization's security information and event management (SIEM) system is configured to automatically generate incident reports for all detected security events, including unauthorized access attempts, malware detections, and system crashes. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-6.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-21_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - a role-based access scheme - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-2.7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.7_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.7_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.7_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.7_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-22_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ir-6.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - information at restAll sensitive data stored on laptops, mobile devices, and external hard drives. - - confidentiality, integrity - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sc-28_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-6.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Web servers, application servers, and database servers in the DMZ. - - Windows Defender Advanced Threat Protection (ATP) for host-based intrusion prevention and detection, with Windows Defender Firewall for host-based firewall capabilities. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-7.12_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Implement access controls such as biometric authentication, smart cards, and PINs to restrict physical access to system distribution and transmission lines within the organizational facility. - - All electrical substations, transmission towers, and distribution lines with voltage ratings of 100kV or higher. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - publicly accessible systems - - locations where the system is to be restricted are defined; for example, data centers, server rooms, or other areas with sensitive information or equipment. - - information processing, information or data, system services - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-9.5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - printers, plotters, and fax machines in the main office and branch offices - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Unexpected door alarms, unauthorized badge access attempts, or system generated alerts for physical access control system failures. - - Monthly - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-6_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-6_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-6_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-6_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-6_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-7.18_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Annually on January 1st - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 90 days - - Every 90 days - - Annually - - _example value:_ "Biometric scanners, proximity card readers, and keypad locks - - All visitors to the server room must be escorted by authorized personnel at all times. - - badge-reader system with 24/7 monitoring and secure doors - - All exterior doors and gates, including the main entrance, emergency exit doors, and loading dock doors. - - Biometric scanners and turnstiles at all entrances and exits - - , guards - - Main entrance at 123 Main St, emergency exit at rear of building, and loading dock entrance at alleyway. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.d-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.d-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.e-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.e-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.e-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.g-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-3_obj.g-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Supply Chain Process and Controls Document v1.2, dated 2022-01-01 - - security and privacy plans, supply chain risk management plan, - - The organization implements supply chain controls to protect against supply chain risks, including: (i) vendor risk assessments and due diligence; (ii) contractual requirements for vendors to implement security controls; (iii) vendor monitoring and oversight; and (iv) incident response planning to limit the harm or consequences from supply chain-related events. - - Procurement Officer, Logistics Manager, and Chief Information Security Officer - - system or system componentThe organization's public-facing web application. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-3_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-3_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-3_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 12 months - - All company-owned servers, workstations, and network devices; all cloud-based services, including Amazon Web Services and Microsoft Azure; all outsourced IT services, including email and help desk support. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-5 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-6 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-7 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-8 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.a-9 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - inputsinput Network traffic from trusted sources/input User authentication credentials/inputinput Data from sensors and IoT devices/input /inputs - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-10_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The organization uses a multi-layered approach to protect against supply chain risks, including:* Acquisition strategies: implementing a "buy American" policy to reduce reliance on foreign-made components;* Contract tools: incorporating supply chain risk management clauses into contracts, requiring suppliers to disclose any potential risks;* Procurement methods: conducting regular supplier audits and implementing a third-party risk management program to monitor and mitigate risks. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - ISSO, System Administrators, Cybersecurity Team - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-11_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-11_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-11_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-11_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-2.12_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - controls value Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are implemented to prevent unauthorized code execution in system memory. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-16_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - All server and workstation assets within the organization's network. - - Windows Defender Advanced Threat Protection (ATP), Linux Auditd, and Mac OS X Audit - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-4.23_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-12_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-6_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Risk management reports from quarterly security assessments and annual compliance audits. - - notification of supply chain compromises, - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The Internet, third-party cloud services, and partner networks. - - HTTP and HTTPS traffic from internal servers to external networks via the DMZ. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-7.8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Ensure all tools and configurations comply with GDPR Article 25 (Data Protection by Design and by Default) and implement adequate measures to protect sensitive customer data. - - FedRAMP Moderate baseline security requirements, including access controls, awareness and training, audit and accountability, security assessment and authorization, configuration management, contingency planning, incident response, maintenance, media protection, personnel security, physical and environmental protection, planning, program management, risk assessment, system and services acquisition, system and communications protection, and system and information integrity. - - Annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-15_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15_obj.a.1-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15_obj.a.1-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15_obj.a.4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pl-4.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4.1_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4.1_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Internet-facing systems, including web servers, and internal systems, including file servers and print servers. - - at managed interfaces, for - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-7.5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 120 days or whenever a new vulnerability is discovered. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-7.4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_smt.h is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7.4_obj.h is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Split tunneling is provisioned using a VPN with multi-factor authentication, encrypted traffic, and access controls that restrict user access to authorized networks and systems. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-7.7_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 3-tiers of impact analysis, including organizational, system, and data level assessments - - Enterprise-wide, including all critical assets and business processes - - The decision points in the system development life cycle are defined as: 1) Conceptualization, 2) Requirements definition, 3) Design, 4) Implementation, 5) Testing, 6) Deployment, and 7) Maintenance. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-15.3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15.3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-15.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-2_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-2_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 24 months - - ISSO, IT Director, InfoSec Team Lead - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-4_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-4_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-4_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-4_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - local, remote, network - - All company-owned laptops, desktops, and mobile devices, as well as any personally-owned devices connecting to the company network, must be uniquely identified and authenticated before establishing a connection. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 3 - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-2.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-9.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - procedures value Incident Response Procedures Document, Section 3.2. The document outlines steps to isolate affected systems, activate backup systems, and delegate tasks to unaffected personnel to ensure business continuity. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-9.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - at least annually and when a significant change occurs - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pl-8_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.a.4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.c-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.c-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.c-5 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-8_obj.c-6 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - controls Access to sensitive information is restricted to authorized personnel with a need-to-know; all documents and materials are labeled with classification markings and handling instructions. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-9.4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Unsuccessful login attempts exceeding 5 times within 30 minutes, unauthorized access to sensitive data, and suspicious account activity during non-working hours - - 1 hour - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-2.13_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Annually - - Chief Information Security Officer (CISO), Chief Privacy Officer (CPO), Information System Security Officer (ISSO) - - Chief Information Security Officer (CISO), Chief Privacy Officer (CPO), System Administrator, and designated IT staff. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pl-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.1-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.1-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.4-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.4-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.5 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.6 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.7 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.8 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.9 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.10-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.10-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.11 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.12-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.12-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.13-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.13-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.14-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.14-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.15-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.a.15-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-2_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - ISSO, IT Director - - Unusual login times, multiple concurrent logins from different locations, or login attempts from unfamiliar IP addresses. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-2.12_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.12_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.12_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-2.12_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 6 months - - , when the rules are revised or updated - - Every 2 years - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pl-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pl-4_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - scripted-parameterparam-id cm-02.02_odp/param-idPuppet configuration management tool is used to maintain the baseline configuration of all system components./scripted-parameter - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-2.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
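Review bot: the removed cm-2.2 set-parameter value carries literal field names inside the value text ("scripted-parameter", "param-id cm-02.02_odp/param-id") ahead of the actual sentence about Puppet maintaining the baseline, so the old value leaked markup into the rendered SSP; whatever replaces it for this ODP should contain only the value sentence, and it is worth grepping the rest of the file for the same "param-id" leakage before merging.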
    - - controls values value Upon return from travel, individuals must undergo a 14-day quarantine, and their devices must be scanned for malware and wiped clean before being allowed to connect to the organizational network.s - - configurations value Laptop: Enable firewall, encrypt data, and update antivirus software; Mobile Device: Enable encryption and remote wipe - - Laptops, mobile devices, and portable storage media. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-2.7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-2.7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-2.7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-2.7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
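Review bot: the removed cm-2.7 values mix people and devices: the first one ends in a stray "s" and describes a 14-day quarantine of individuals, while CM-2(7)(b) asks for the controls applied to the systems or components on return from travel, not to the travellers; the second value also carries the field names "controls value" / "configurations value" in the text. The replacement values for these ODPs should name device-side controls only (the malware scan and wipe part is the relevant bit) and drop the leaked field names.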
    - - The organization utilizes external providers for cloud-based email services and third-party antivirus software, with clear contractual agreements outlining respective roles and responsibilities. - - in-house support, - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-22_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-22_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-22_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-22_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - an orderly shutdown of the system - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-11_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-4_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-12_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-12_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-12_obj-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-12_obj-4 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-7_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-7_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-13_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13_obj-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13_obj-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13_obj-5 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13_obj-6 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - US CERT, Incident Response Team, and Senior Management - - Within 1 hour of discovery - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 30 minutes - - Temperature: 68-72°F (20-22°C), Humidity: 40-60%, Air quality: EPA standard for indoor air quality - - Temperature (22°C ± 2°C), humidity (50% ± 10%), air quality (no hazardous substances). - - temperature, humidity, pressure, radiation, - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-14_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-14_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-14_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-14_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
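Review bot: the removed pe-14 values were internally inconsistent, giving the temperature tolerance once as 68-72°F (20-22°C) and once as 22°C ± 2°C (20-24°C), and humidity once as 40-60% and once as 50% ± 10%; the replacement should state each environmental tolerance once so the monitoring frequency ("Every 30 minutes") has a single unambiguous threshold to alert against.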
    - - At least annually - - Internal connections are terminated when a system or application is decommissioned, or when a security incident is detected. - - ["Firewall", "Router", "Web Server", "Database Server"] - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-9_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-9_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-9_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-9_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-9_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-9_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-9_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-9_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
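Review bot: the removed ca-9 value is a JSON array literal (["Firewall", "Router", "Web Server", "Database Server"]) inside an XML value element; in an OSCAL SSP the components list should be plain text or separate value elements, so please confirm the replacement does not carry the brackets and quotes into the rendered document.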
    - - Develop an incident response plan; Establish an incident response team; Identify incident response scenarios; Develop incident response procedures. - - Security Operations Center (SOC) Team, Chief Information Security Officer (CISO), and affected system owners via phone call or SMS. - - Chief Information Security Officer (CISO), IT Operations Team, and Data Owners - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-9_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-9_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-15_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-15_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-15_obj-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-15_obj-4 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The Chief Information Officer (CIO), Chief Information Security Officer (CISO), and Facility Managers. - - John Doe, Incident Response Team Lead; Jane Smith, Incident Response Specialist; Bob Johnson, IT Manager. - - Incident Response Team, IT Department, Facilities Management, Executive Management, and Security Team. - - Incident Response Team Lead, Cyber Security Manager, Network Operations Center (NOC) Team - - Chief Information Security Officer (CISO), IT Director, and members of the Incident Response Team (IRT) - - Annually - - Incident Response Team Lead, Information Systems Security Officer (ISSO), Chief Information Security Officer (CISO) - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-8_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.5 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.6 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.7 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.8 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.9 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.a.10 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-8_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Laptops, mobile devices, USB drives, and external hard drives. - - Laptops, mobile devices, USB drives, and external hard drives. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-16_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-16_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-16_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-16_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-16_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-16_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-16_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Monthly - - Chief Information Security Officer (CISO), System Owners, and Privacy Officers - - Weekly - - Information System Security Officer (ISSO), Information System Owner (ISO), Authorizing Official (AO) - - The organization assesses control effectiveness at the following frequencies: annually, quarterly, and monthly. - - Daily, weekly, monthly, quarterly, and annually. - - CPU utilization, memory usage, disk usage, network bandwidth, and system response time. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-7_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Example value: "Firewall rules, VPN access, and multi-factor authentication are defined for all alternate work sites. - - alternate work sites include employee homes, coffee shops, and coworking spaces approved by management. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-17_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-17_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-17_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-17_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-17_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-17_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-17_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-17_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - system(s) or system components value The organization's public-facing web application, backend database, and network infrastructure - - at least annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The 15th of every month - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Annually or when a significant change occurs - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-6_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-4.9_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - at least annually and on input from JAB/AO - - Non-Disclosure Agreement (NDA) - - interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, non-disclosure agreements, - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-3_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - System Administrators, Security Team Leads, and Audit Managers - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-9.4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - FedRAMP PMO, ISO, System Owner, System Administrator, Information Security Officer - - Annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_obj.b.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_obj.b.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_obj.b.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ca-2_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Data Center Room 101, near east and west exits, labeled as 'Emergency Power Shutoff' and protected by a locked cover. - - Main electrical panels, generators, and critical system servers. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-10_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-10_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-10_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-10_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-10_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-10_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Actions include notification of the incident response team, isolation of affected systems, and restoration of systems and data from approved backups or sources; all actions are documented and reviewed by the incident response team leader. - - Immediately notify the incident response team and disconnect the affected system from the network to prevent further unauthorized changes. - - Upon detection of unauthorized changes to software, the following actions will be taken: 1) notify the Chief Information Security Officer (CISO) and system owners immediately; 2) isolate the affected system from the network; 3) conduct a thorough investigation to determine the scope and impact of the change; 4) restore the system to a known good state; and 5) document the incident and implement additional controls to prevent similar incidents in the future. - - SI-07 information requiring integrity verification tools includes, but is not limited to, critical system files, executable code, and configuration files. - - firmware value The firmware for the network devices requires the use of SHA-256 checksums to detect unauthorized changes. - - Operating System software - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
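Review bot: among the removed si-7 values, the firmware one still has the field name in the text ("firmware value The firmware for the network devices ...") and the third lists a five-step procedure where the ODP only asks for the actions to take on detecting unauthorized changes; the replacement should drop the leaked field name, and the SHA-256 integrity verification the old value mentioned is the one detail worth keeping since it ties the control to a concrete detection mechanism.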
    - - controls value Physical access controls (e.g., locks, gates), Cryptographic controls (e.g., encryption), and Logical access controls (e.g., passwords, biometrics) are used to control system media outside of controlled areas. - - 例: "Encryption, access controls, and physical locks are used to protect system media outside of controlled areas. - - Hard drives, solid state drives, USB drives, CDs, DVDs, backup tapes, and mobile devices. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part mp-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-5_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-5_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-5_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-5_obj.d-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-5_obj.d-2 is satisfied.

    11111111-0000-4000-9000-000000000001
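Review bot: the removed mp-5 values include a non-English placeholder ("例:") followed by an unclosed quotation mark, and a first value that again leaks the field name ("controls value Physical access controls ..."); the same "Example value:" / unclosed-quote pattern appears in the removed pe-17 and mp-4 values earlier in this patch, so a quick search of the replacement text for "Example value", "例" and "Here is an example" would catch any of it that was carried over.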
    - - Data Center Room 301, Server Room 101, and Archives Room 202 - - Example value: "Server Room 101, Data Center 3, and Media Storage Closet 2 - - CDs, DVDs, USB drives, and external hard drives - - Hard drives, solid-state drives, flash drives, magnetic tapes, CDs, DVDs, Blu-ray discs, and external hard drives. - - CDs, DVDs, USB flash drives, and printed documents - - Hard drives, solid state drives, USB drives, CDs, DVDs, and tapes. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part mp-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-4_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-4_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-4_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-4_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Data Center Room 101 and Server Room 202 - - USB drives, CDs, and DVDs used for authorized workstations within restricted access areas - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part mp-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Authorized personnel with a need-to-know clearance, including system administrators, senior management, and designated data custodians. - - CDs, DVDs, USB drives, and printed documents - - System Administrator, Security Officer, Incident Responder - - USB drives, CD/DVDs, external hard drives, and cloud storage devices - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part mp-2_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-2_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Database server, application server, and network infrastructure. - - PII, financial data, sensitive customer information - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-12.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - tests value Vulnerability scanning, penetration testing, and simulation exercises are used to test the effectiveness of the incident response capability for the system. - - Annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Examples of restricted media include: USB flash drives, CD-ROMs, and floppy disks. - - Here is an example value for this parameter:"MP-07 OD P.03: Laptops, Mobile Devices, and External Storage Devices - - restrict - - Flash drives, CDs, DVDs, and external hard drives are restricted from use on systems or system components without explicit authorization from the IT department. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part mp-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Changes to incident response procedures, updates to relevant laws or regulations, and significant changes to the organization's operations or technology. - - annually - - Annually - - 30 days for Incident Response roles - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-2_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-2_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-2_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-2_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ir-2_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - sanitization techniques and procedures sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined; value The organization uses the following sanitization techniques: (i) overwriting, (ii) degaussing, and (iii) physical destruction, as outlined in NIST Special Publication 800-88. - - Data sanitization techniques and procedures include: (1) overwrite sanitization using a minimum of three passes; (2) degaussing for magnetic media; and (3) physical destruction for all other media. - - sanitization techniques and procedures: NIST 800-88 Guidelines for Media Sanitization; Degaussing and physically destroying all storage media prior to disposal. - - All system media, including hard drives and solid-state drives, shall be sanitized prior to release for reuse using a National Institute of Standards and Technology (NIST)-approved method, such as overwrite or degaussing. - - All system media, including hard drives, solid state drives, and external storage devices, must be sanitized using a NIST-approved method (e.g. DoD 5220.22-M) prior to release from organizational control. - - All magnetic and solid-state media must be sanitized using NIST 800-88 guidelines prior to disposal. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part mp-6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part mp-6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
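Review bot: after this hunk the mp-6 statements carry only the unchanged "Implementation description needed" text, because the sanitization parameter values (NIST SP 800-88 overwrite, degaussing, physical destruction) and the 11111111-0000-4000-9000-000000000001 by-component are removed with nothing added in their place; for an example SSP, consider keeping at least one filled-in implementation description so readers see the intended shape of a complete statement rather than an empty one.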
    - - Unexplained system crashes, unusual network traffic patterns, or alerts from security information and event management (SIEM) systems. - - Every 90 days - - at random, at , upon - - systems or system components value All network devices, servers, and databases. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-10_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The organization defines and documents techniques and methods for disposing of data, documentation, tools, or system components, including but not limited to secure erase procedures, physical destruction, and responsible e-waste disposal. - - Hard drives, outdated software, and sensitive documents stored in the archival room. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-12_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Security Manager, IT Director, and Procurement Officer - - Manufacturer's Internal Reporting Department, Government Agency for Counterfeit Reporting (GACR), and Industry-led Counterfeit Avoidance Program (ICAP). - - source of counterfeit component, , - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-11_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-11_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-11_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-11_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-11_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-11_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sr-11_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - personnel or roles value Security Operations Center (SOC) team, IT Director - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-9_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-9_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-9_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-9_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - at least annually and upon any change to user's level of access - - At least annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ps-6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-6_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-6_obj.c.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-6_obj.c.2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 72 hours - - Within 4 hours and 1 day, respectively. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cp-10_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - within twenty-four (24) hours - - System Administrators, Security Officers, and Facility Managers - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ps-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-7_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 24 hours - - Chief Information Security Officer (CISO), Information System Security Officer (ISSO), Human Resources Manager - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ps-8_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-8_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-8_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-8_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ps-9_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 3 years. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ps-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 6 months. - - Individuals are required to be rescreened under the following conditions: * When there is a change in their job duties or responsibilities that alters their level of access to sensitive information or systems. * When there is a change in their employment status, such as a promotion or transfer to a different department. * When they have been absent from work for an extended period of time (e.g., more than 6 months). - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ps-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-3_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-3_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Confidentiality agreements, system access revocation, and incident reporting procedures - - 4 hours - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ps-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-4_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 24 hours - - System Administrators, Information Security Officers, and Department Managers - - 24 hours - - Transfer of sensitive data to a new system administrator is initiated within 24 hours of role change; Reassignment of access privileges to a new team member is completed within 3 business days of role change. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ps-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-5_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-5_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-5_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-5_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The Chief Information Security Officer (CISO) and the System Administrators. - - inappropriate or unusual activity is defined as multiple failed login attempts from a single IP address within a 1-hour time frame. - - Every Sunday at 2 AM - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-6_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-6_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-6_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Upon audit logging process failure, restart the logging process and overwrite the oldest record when storage capacity is exceeded, and notify the IT department via email and SMS. - - within 1 hour of audit logging process failure - - Security Operations Center (SOC) team, IT Operations Manager, and Chief Information Security Officer (CISO) - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The organization defines events that trigger the change or refreshment of authenticators, including: password expiration every 60 days, account lockout after 3 unsuccessful login attempts, and reset of authenticators following a reported instance of phishing or unauthorized access. - - 60 days for passwords, 90 days for smart cards, 1 year for biometric authenticators - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_smt.h is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_smt.i is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.h-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.h-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-5_obj.i is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 1 second - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-8_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-8_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-8_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-8_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-7_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Annually and whenever there is a change in the threat environment. - - daily for login attempts, real-time for privileged access, and on-change for system configuration modifications - - Login attempts, Disk space usage, Network traffic, System crashes, Unauthorized access - - Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, system events, administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, permission changes - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-2_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - value Retain audit logs for at least 1 year, with a minimum of 3 months online and 9 months offline - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Within 4 hours - - Mission critical systems, including email and database servers, will be prioritized for restart in the event of a system failure to ensure continued operation of essential business functions. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cp-8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-3_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-3_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-3_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Daily incremental backups with weekly full backups. - - Daily incremental backups at 2am and weekly full backups every Sunday at 3am. - - Daily incremental backups, weekly full backups on Sundays at 2:00 AM - - system components value database servers, email servers, file servers, and virtual machines - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cp-9_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-9_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-9_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-9_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-9_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-9_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-9_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-9_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cp-6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-6_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-6_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Within 4 hours and 2 hours, respectively, to ensure minimal disruption to business operations. - - System operations for essential mission and business functions are defined as follows: 1) Data processing and storage, 2) Network infrastructure maintenance, and 3) Cybersecurity threat monitoring and response. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cp-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-7_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-7_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-7_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-7_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - tests value The organization conducts a tabletop exercise to test the contingency plan every 6 months, and a full-scale exercise every 12 months. - - tests value The contingency plan will be tested every 6 months to ensure its effectiveness in restoring operations within 24 hours of an incident. - - Annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cp-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-4_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-4_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-4_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-4_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-4_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-7.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
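Review bot: the visible lines for sc-7.3 are removals only, unlike the later cp-3, ia-11, ia-12, at-2.3 and at-2.2 hunks, where the removed 11111111-0000-4000-9000-000000000001 by-component is replaced by 11111111-2222-4000-8000-004000000008 with the remark that the 'this-system' component "must be present for every statement"; if that rule holds, sc-7.3 (and the other removal-only statements in this range, such as cp-4 and cp-2) need the same replacement, otherwise the example contradicts its own remark.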
    - - IT Department, HR Department, and Executive Management Team - - John Smith (IT Director), Jane Doe (Network Administrator), and all members of the Incident Response Team - - Annually - - Chief Information Officer, Chief Information Security Officer, IT Department, and Emergency Response Team - - John Doe (IT Director), Jane Smith (Chief Information Security Officer), Bob Johnson (Network Administrator) - - Chief Information Officer (CIO), Chief Information Security Officer (CISO), IT Director - - IT Manager, Chief Information Security Officer, Incident Response Team Lead - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cp-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_smt.h is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.a.4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.a.5 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.a.6 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.a.7 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.e-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.e-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-2_obj.h is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Events necessitating review and update of contingency training include: changes to system components, updates to threat intelligence, changes in laws or regulations, and changes to business operations or processes. - - at least annually - - Annually - - Within 6 months of assuming a contingency role or responsibility. - - + + + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cp-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-3_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-3_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-3_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-3_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cp-3_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001
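Review bot: the new cp-3 set-parameter values are the literal string "placeholder" (twice), replacing the concrete examples that were here (the list of events triggering a review, "at least annually", "Annually", "Within 6 months of assuming a contingency role or responsibility"); in an example SSP a bare "placeholder" is likely to be copied verbatim into real packages and pass a casual read, so either keep illustrative values or use a clearly bracketed marker that validation or a reviewer can spot.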
    - - circumstances or situations value The circumstances or situations requiring re-authentication are: item changing job functions/item item accessing sensitive information/item item after a specified period of time (e.g., 30 minutes)/item - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ia-11_obj is satisfied.

    11111111-0000-4000-9000-000000000001
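Review bot: the added remark "This is the 'this-system' component that must be present for every statement" is guidance to the SSP author rather than a description of the example system, and it is repeated verbatim in every replacement hunk (cp-3, ia-12, at-2.3 and at-2.2 as well as ia-11 here); consider stating the rule once in the accompanying documentation and keeping the in-file remark short, since remarks in the example are what authors will copy into their own SSPs.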
    - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ia-12_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-12_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-12_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-12_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-12_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-12_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - All hard drives, solid state drives, and removable storage media used to store Federal data or system data classified as High or Moderate impact levels. - - all sensitive user data and financial information transmitted over the internet - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-28.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Unexpected DNS queries, unauthorized access to sensitive data, or unusual network packet sizes - - Every 15 minutes, with a minimum of 4 hours of log storage, to ensure timely detection and response to potential security incidents. - - Examples of unusual or unauthorized activities or conditions to be monitored in inbound communications traffic include: * Unsolicited incoming messages from unknown sources; * Unusual protocols or packet structures; * Inbound traffic on unused or closed ports; * Traffic from countries or IP addresses known to be associated with cyber threats; * Traffic that exceeds predefined bandwidth or frequency thresholds. - - Every 15 minutes during peak hours and every 60 minutes during non-peak hours. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-4.4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4.4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4.4_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4.4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-4.1_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-4.1_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-3.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-4.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-6.10_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-8.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - compromise indicators value Unexpected network traffic patterns, unusual account activity, and unexplained system crashes - - Chief Information Security Officer (CISO), IT Operations Manager, and Incident Response Team Lead - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-4.5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Help Desk, incident response team, and system owners - - disable network access by unauthorized components, isolate unauthorized components, notify - - Every 24 hours. - - Automated mechanisms include weekly scans by the firmware integrity tool to detect any unauthorized firmware changes. - - Automated mechanisms include weekly sweeps using a commercial off-the-shelf (COTS) software inventory tool to detect and report on unauthorized software. - - automated mechanismsp automated mechanisms used to detect the presence of unauthorized hardware within the system are defined; value Network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS) are used to detect unauthorized hardware. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-8.3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8.3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8.3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8.3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part at-2.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part at-2.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
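Review bot: the by-component entry for 11111111-2222-4000-8000-004000000008 added to the at-2.3 and at-2.2 statements is annotated "This is the 'this-system' component that must be present for every statement", yet every other statement in this region (si-4.2, ac-6.10, cm-8.1, si-4.5, cm-8.3, au-7.1) still references only 11111111-0000-4000-9000-000000000001; either add the this-system by-component to those statements too or reword the comment so the example does not document a rule it does not follow itself. The added parameter value "placeholder" in the at-2.3 block should be replaced with a realistic example value in the style used elsewhere in the file, and two earlier values still carry their ODP label and guideline text in the value itself: the si-4.5 block's "compromise indicators value Unexpected network traffic patterns, ..." and the cm-8.3 block's "automated mechanismsp automated mechanisms used to detect the presence of unauthorized hardware within the system are defined; value Network-based ..." (note the stray "p"); both should be trimmed to the value alone.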
    - - username, timestamp, event_type, resource_id, outcome - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-7.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Events requiring updated role-based training content include: changes to job responsibilities, updates to regulatory requirements, and notification of security incidents. - - Annually - - at least annually - - roles and responsibilities value The following roles are defined for role-based privacy training: Chief Privacy Officer (CPO), Privacy Officer, System Administrators, and Data Analysts. Responsibilities include: CPO: overall program management; Privacy Officer: training development and delivery; System Administrators: technical support; Data Analysts: data validation and reporting. - - CEO - oversees security training program, CISO - develops security training content, IT Manager - schedules security training sessions, Employees - participate in security training - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part at-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-3_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-3_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-3_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Example value: "Changes to organizational policies, new phishing scams, and updates to regulatory requirements. - - Annually - - Security awareness training sessions, phishing simulation exercises, and regular security bulletin notifications are employed to increase the security and privacy awareness of system users. - - The following events require privacy literacy training for system users: annual security awareness training, onboarding for new employees, and role changes that involve access to sensitive data. - - Password reset, suspicious email reporting, and incident response - - at least annually - - At least every 6 months, with additional training provided as needed based on changes to the system or environment. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part at-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_obj.a.1-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_obj.a.1-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_obj.a.1-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_obj.a.1-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-2_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 1 year after completion of training program - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part at-4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-4_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part at-4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - prevent unauthorized disclosure of information, detect changes to information - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-8.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Employee roles, clearance levels, and user IDs for access to confidential data repositories. - - Firewall rules, intrusion detection, and authentication modules integrated into the device's firmware to ensure secure access and protect against unauthorized access. - - Example value: "Authentication, Authorization, and Accounting (AAA) services using multi-factor authentication and role-based access control. - - _smart cards, Trusted Platform Modules (TPMs), and Hardware Security Modules (HSMs)_ - - System Administrators, Security Officers, and Audit Team Members - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-6.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-6.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-6.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-6.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - List of security functions or security-relevant information requiring non-privileged access: login authentication, password reset, and backups. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-6.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Organization's Identity Management Profiles: - Contractor Profile: requires background check and signed non-disclosure agreement.- Employee Profile: requires badge identification and access to internal systems.- Customer Profile: requires login credentials and access to restricted areas. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-8.4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Medium: system components and connections are described, including network diagrams and data flows. - - The system design document, which includes architecture diagrams and component specifications, is available and up-to-date, and is stored in the company's document management system. - - security-relevant external system interfaces, high-level design, low-level design, source code or hardware schematics, - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-4.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-4.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - FTP, Telnet, and Rlogin. - - The following software applications are deemed unnecessary or non-secure and will be disabled or removed: Flash, Java, and Autorun. - - Telnet, FTP, RDP on non-standard ports, and any other unencrypted or outdated protocols. - - UDP 161, TCP 21, TCP 23. - - Telnet, FTP, and TFTP. - - Annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-7.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-6.9_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - System Administrators, Network Engineers, Database Administrators, Developers - - Annually - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-6.7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-6.7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-6.7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-6.7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - System Administrators, Network Administrators, and Database Administrators - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-6.5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Company-wide software usage policy document, which outlines acceptable use of productivity software, prohibits personal use of company-issued devices, and requires all employees to sign an annual acknowledgment of understanding. - - , rules authorizing the terms and conditions of software program usage - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-7.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 3 months or when software changes occur. - - Microsoft Office, Google Chrome, Mozilla Firefox, Adobe Acrobat - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-7.5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7.5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7.5_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7.5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7.5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7.5_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-8.2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-8.2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-8.2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-8.2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-8.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - _example value_: "User acknowledges acceptance of terms and conditions, agrees to comply with organizational policies, and is warned about consequences of unauthorized access. - - This system is for authorized use only. All activities are monitored and recorded. By accessing this system, you acknowledge that you have read and understood the terms of use and privacy policy. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-8_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_obj.a.4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-8_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
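Review bot: several set-parameter values between au-7.1 and ac-8 contain text that is not the selected value: the at-3 block's "roles and responsibilities value The following roles are defined ..." starts with the ODP label, the at-2, ac-6.1 and ac-8 blocks open a quotation with 'Example value: "' or '_example value_: "' and never close it, the sa-4.2 value ends in a dangling comma ("source code or hardware schematics,"), and the cm-7.2 value begins with one (", rules authorizing the terms and conditions of software program usage"). Because this file is the reference example that CSPs copy, each value should be reduced to the value itself, with the label, the "Example value:" prefix and the stray punctuation removed. The ac-6.1 value "_smart cards, Trusted Platform Modules (TPMs), and Hardware Security Modules (HSMs)_" also keeps markdown-style underscores that will render literally in OSCAL tooling.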
    - - Disable account for 30 minutes and require admin approval for reactivation - - 3 minutes - - 30 minutes - - lock the account or node for , lock the account or node until released by an administrator, delay next logon prompt per , notify system administrator, take other - - 30 minutes - - 5 - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - AC-04_odp_example: "All internal and external connections to the system require authentication and authorization, and data is encrypted in transit to ensure information flow control policies are enforced. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - monthly - - Vulnerability scanner (e.g., Nessus) to detect missing security patches and software updates. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-2.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-6_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - System Administrators, Security Officers, and Network Engineers - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The Security Information and Event Management (SIEM) system utilizes automated rules and correlation engines to integrate audit record review, analysis, and reporting processes. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-6.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 6 months - - systems, system components, and system services systems, system components, and system services to assess supply chain risks are defined, Enterprise Resource Planning (ERP) system, firewall, and intrusion detection - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ra-3.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ra-3.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-6.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Unit testing covers 80% of critical components and 50% of non-critical components, while integration testing covers 90% of all system interfaces. - - Every 6 months - - unit, integration, system, regression - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-11_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
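Review bot: the ac-7 parameter value "lock the account or node for , lock the account or node until released by an administrator, delay next logon prompt per , notify system administrator, take other" has empty gaps where nested ODP references (the lockout duration and the delay algorithm) should have been resolved, so the rendered selection reads as broken; fill in the referenced values (the same block already defines "30 minutes" for the duration) or reduce the value to a single selection. In the same region the ac-4 value opens with 'AC-04_odp_example: "' and never closes the quote, and the ra-3.1 value repeats its label inside the value, "systems, system components, and system services systems, system components, and system services to assess supply chain risks are defined, Enterprise Resource Planning (ERP) system, ..."; both should be cut down to the bare value.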
    - - System Administrators, Cybersecurity Team, and Development Leads - - List of configuration items under configuration management: network devices, servers, software applications, and databases. - - design, development, implementation, operation, disposal - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-10_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-10_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Acceptance criteria for vulnerability analysis evidence includes: (i) identification of all vulnerabilities with a CVSS score of 7.0 or higher, (ii) documentation of vulnerability mitigation strategies, and (iii) verification of remediation actions. - - Acceptance criteria for threat modeling evidence: The produced evidence must demonstrate a clear and concise identification of potential threats, a thorough analysis of threat vectors, and a comprehensive risk assessment that aligns with the organization's risk management framework. - - The organization conducts vulnerability analyses on all external-facing systems and applications, as well as on all systems and applications that process sensitive data, with a depth of analysis that includes reconnaissance, scanning, and penetration testing. - - The breadth and depth of threat modeling to be conducted is defined as follows: Identify and analyze high-impact, high-likelihood threats to the system, focusing on critical components, data flows, and interfaces, with a minimum of 10 use cases and 20 potential vulnerabilities to be evaluated. - - tools and methods value The organization employs OpenVAS for vulnerability scanning and Microsoft Threat Modeling Tool for threat modeling and analysis. - - Confidentiality of customer data, operating in a public cloud environment, potential threat from nation-state actors, and a risk tolerance of $100,000 per incident. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-11.2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.b-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.b-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.d-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.d-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.d-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sa-11.2_obj.d-4 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-39_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-11.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-17.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-17.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Example value: "Employees working from home require remote access to the company's confidential database for project development. - - System administrators require remote access to execute privileged commands for troubleshooting and maintenance of production systems. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-17.4_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17.4_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17.4_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17.4_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17.4_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17.4_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-17.4_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-17.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 24 hours - - NIST Internet Time Service (time.nist.gov) - - Every 60 minutes - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-45.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-45.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-45.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-45.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Script-based configuration verification using PowerShell Desired State Configuration (DSC) to ensure consistency across all system components. - - Puppet, Ansible, or Microsoft System Center Configuration Manager (SCCM) are used to define and apply configuration settings. - - automated mechanisms value Puppet or Ansible scripts are used to define and manage configuration settings for all systems. - - All production servers, network devices, and databases. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-6.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Fire Department, Local Police Department, On-site Security Team - - Facilities Manager, Security Team Lead - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-13.1_obj-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13.1_obj-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13.1_obj-3 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Local Fire Department, 911 Emergency Services, and Facility Management Team - - Facility Manager, Fire Marshal, and local emergency services. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part pe-13.2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13.2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13.2_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13.2_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13.2_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part pe-13.2_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - benchmarks the benchmarks for taking corrective actions are defined; value The following metrics are used to measure the effectiveness of corrective actions: Mean Time To Detect (MTTD), Mean Time To Respond (MTTR), and Mean Time To Resolve (MTTR). - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part si-2.3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2.3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2.3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part si-2.3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sc-45_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - supply chain risk management activities value The organization's supply chain risk management activities include: (i) Supplier risk assessments; (ii) Contract language updates; and (iii) Ongoing monitoring and reporting. - - The supply chain risk management team consists of: - John Doe, Supply Chain Risk Manager, responsible for overall strategy and management of supply chain risks;- Jane Smith, Supply Chain Risk Analyst, responsible for identifying, assessing, and mitigating supply chain risks;- Bob Johnson, IT Security Specialist, responsible for ensuring the security of supply chain information systems;- Procurement Team, responsible for ensuring that supply chain contracts include provisions for supply chain risk management. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sr-2.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Upon change of IT system design or architecture, upon installation of new software or hardware, upon change of organizational policies or procedures, or upon identification of a security incident or vulnerability. - - At least annually and when a significant change occurs. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-2_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-2_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-2_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-2_obj.b.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-2_obj.b.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-2_obj.b.3 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Configuration Manager, IT Director - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-9_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_obj is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_obj.b-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_obj.b-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_obj.c-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_obj.c-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-9_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001
    - - registration code - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-12.5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Example value: "Prohibited services: telnet, ftp. Restricted services: ssh (only for authorized personnel). - - software The following software is prohibited or restricted: Peer-to-Peer file sharing applications, games, and unauthorized encryption tools. - - FTP, TELNET, and RSH - - 80, 21, 23 - - functions value Unauthorized access to sensitive data, Untrusted network connections, Execution of unapproved software - - Maintain situational awareness, process transactions, and provide secure communication - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Public, Sensitive, Confidential, Top Secret - - Network segmentation using VLANs, firewalls, and access control lists (ACLs) to separate sensitive information flows from non-sensitive information flows. - - mechanisms and/or techniques value VLANs, Subnets, and Access Control Lists (ACLs) - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ac-4.21_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 30 days - - information deemed necessary to achieve effective system component accountability is defined; value System logs, network traffic records, and user access history are defined as necessary information for effective system component accountability. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-8_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8_obj.a.1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8_obj.a.2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8_obj.a.3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8_obj.a.4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8_obj.a.5 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-8_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - deviations to standard operating procedures require approval from the Chief Operations Officer, and must be documented with justification and risk assessment, with approval granted only in exceptional circumstances. - - All production servers, network devices, and databases requiring configuration changes or updates. - - common secure configurations value The organization's secure configuration guidelines require all Windows 10 laptops to have BitLocker encryption enabled, Windows Defender set to scan for malware daily, and the firewall configured to only allow incoming HTTPS traffic. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-6_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-6_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-6_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-6_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part sa-4.10_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Changes to system software or firmware, modifications to network architecture, or updates to system interfaces that affect system functionality or security. - - Quarterly. - - , when - - The Change Management Committee, chaired by the IT Director, is responsible for coordinating and overseeing change control activities. - - At least 3 years after the change has been approved and implemented. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_smt.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_smt.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_smt.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_smt.g is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_obj.d is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_obj.e is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_obj.f is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_obj.g-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-3_obj.g-2 is satisfied.

    11111111-0000-4000-9000-000000000001
    - - methods of validation and verification value p The organization uses government-issued ID cards, biometric authentication, and knowledge-based authentication to validate and verify identity evidence. Specifically, the following methods are used: (i) government-issued ID cards are verified against a trusted database; (ii) biometric authentication uses fingerprint recognition with a minimum acceptable match probability of 0.99; and (iii) knowledge-based authentication uses a minimum of three questions with a minimum acceptable answer accuracy of 80%. - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-12.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + 11111111-2222-4000-8000-004000000008 + + + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cm-4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - +

    This is the 'this-system' component that must be present for every statement

    + + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ia-12.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sc-2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - information value The location of classified data and sensitive intellectual property is defined as follows: p Data centers in Reston, VA and San Jose, CA; backup storage facilities in Chicago, IL and Dallas, TX. - - + + + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cm-12_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-12_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-12_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-12_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-12_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-12_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-12_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-12_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sc-4_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Daily - - methods used to enforce software installation policies are defined as: whitelisting, blacklisting, and digital signatures. - - Only authorized personnel are permitted to install software on company devices, and all software installations must be approved by the IT department in advance. - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-11_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-11_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-11_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-11_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-11_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-11_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + 11111111-2222-4000-8000-004000000008 + + + -

    Implementation description needed

    +

    This is a 'policy' component that must be present for part a of every -1 control.

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cm-10_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-10_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-10_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-10_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-10_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-10_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + -

    Implementation description needed

    +

    This is a 'process-procedure' component that must be present for part a of every -1 + control.

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ra-5.11_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part pl-10_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part pl-11_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - controls by type of denial-of-service event controls to achieve the denial-of-service objective by type of denial-of-service event are defined; value list id="dos-controls"item Flow-based attacks (e.g., TCP SYN flood)/itemitem Vulnerability-based attacks (e.g., buffer overflow)/itemitem Application-based attacks (e.g., HTTP GET flood)/item /list - - protect against - - ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, volume attack, teardrop attack, smurf attack, and ping of death. - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sc-5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - confidentiality, integrity - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sc-8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - physically - - + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part sc-7_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7_obj.a-1 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7_obj.a-2 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7_obj.a-3 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7_obj.a-4 is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part sc-7_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - automated mechanisms value The organization uses Active Directory Group Policy Objects (GPOs) to automate the enforcement of access restrictions. - - + + + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part cm-5.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-5.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-5.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-5.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - The conditions of the JAB/AO in the FedRAMP Repository include ensuring the system meets all FedRAMP moderate impact level security requirements, as defined in the FedRAMP Security Assessment Framework. - - value ACME Corporation's Enterprise Resource Planning System - - Coalfire, Schellman & Co. - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ca-2.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - 3 years - - + + + 11111111-2222-4000-8000-004000000008 + + + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-11_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - System Administrators, Security Managers, and Auditors - - Firewalls, routers, servers, workstations, databases, and applications. - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part au-12_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-12_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-12_smt.c is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-12_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-12_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part au-12_obj.c is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-2.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + 11111111-2222-4000-8000-004000000008 + + + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-2.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - value Automated ticketing system, intrusion detection systems, and security information and event management (SIEM) systems. - - + + + 11111111-2222-4000-8000-004000000008 + + + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ir-4.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Every 6 months - - Every 90 days - - + + + 11111111-2222-4000-8000-004000000008 + + + + + + + placeholder + + + -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part cm-5.5_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-5.5_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-5.5_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part cm-5.5_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ia-2.5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - -

    Implementation description needed

    -
    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ca-2.1_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - FIPS-140-2 validated AES 256-bit encryption - - privileged accounts, non-privileged accounts - - local, network, remote - - + + + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ia-2.6_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-2.6_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-2.6_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ia-2.6_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - privileged accounts, non-privileged accounts - - + + + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ia-2.8_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Government-issued security clearance, CITI training certification, and signed non-disclosure agreement. - - + + + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ps-3.3_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-3.3_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-3.3_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ps-3.3_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ra-5.3_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Quarterly network vulnerability scans and monthly web application scans - - system components value p Domain Controllers, Authentication Servers, VPN Concentrators - - + + + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - -
    -

    Describe how Part ra-5.5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Daily - - , prior to a new scan, when new vulnerabilities are identified and reported - - + + + 11111111-2222-4000-8000-004000000008 + + + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ra-5.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - - mobile devices value All Company-owned and personal mobile devices used for business purposes, including smartphones and laptops. - - full-device encryption - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ac-19.5_smt is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-19.5_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - Restrictions on the use of organization-controlled portable storage devices include: only authorized personnel are allowed to use organization-controlled portable storage devices on external systems; portable storage devices must be encrypted and password-protected; and portable storage devices must be scanned for malware before being connected to an external system. - - + + + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ac-20.2_obj is satisfied.

    11111111-0000-4000-9000-000000000001
    - - + + + + + placeholder + + + placeholder + + + -

    Implementation description needed

    +

    This is the 'this-system' component that must be present for every statement

    - - 11111111-0000-4000-9000-000000000001 - + + + 11111111-2222-4000-8000-004000000008 +
    -

    Describe how Part ac-20.1_smt.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-20.1_smt.b is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-20.1_obj.a is satisfied.

    11111111-0000-4000-9000-000000000001

    Describe how Part ac-20.1_obj.b is satisfied.

    11111111-0000-4000-9000-000000000001
    + + +
    - - Signed System Security Plan

    SSP Signature

    - 00000000

    The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in -OSCAL, and welcome feedback on solutions.

    + OSCAL, and welcome feedback on solutions.

    For now, the PMO recommends one of the following:

    • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
    • -
    • Render the OSCAL SSP content as a printed page that is physically signed, -scanned, and attached.
    • +
    • Render the OSCAL SSP content as a printed page that is physically signed, scanned, and + attached.

    If your organization prefers another approach, please seek prior approval from the -FedRAMP PMO.

    + FedRAMP PMO.

    - FedRAMP Applicable Laws and Regulations - - +

    Must be present in a FedRAMP SSP.

    - - - Access Control Policy Title + Access Control and Identity Management Policy -

    AC Policy document

    +

    A single policy that addresses both the AC and IA families.

    - - - - - 00000000 + + + 00000000 -

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    Each policy must be attached as back-matter resources, and must include:

    +
      +
    • a title field with the attached document's published title.
    • +
    • a "type" property with a value of "policy".
    • +
    • a "published" property with the attached document's publication date.
    • +
    • a "version" property with the attached document's published version.
    • +
    • Either base64 embedded attachment or an rlink with a valid href value.
    • +
    • both base64 and rlink require a media-type for policies
    • +
    +

    Each policy must have a corrisponding "policy" component.

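Review bot: the new set-parameter values in this hunk are the literal word "placeholder" (for example the run of eight `+ + + placeholder` entries just ahead of the cm-11_smt.a statement, and the similar runs ahead of ia-12.3_obj, sc-5_smt.a, cm-5.1_smt.a and ra-5.3_obj), while the removed lines carried illustrative values such as "Every 30 days", "privileged accounts, non-privileged accounts" and "FIPS-140-2 validated AES 256-bit encryption"; for a file published as the example SSP that is a step backwards, so either keep representative values or use a self-describing marker such as "[organization-defined frequency]" so a reader can tell which parameter each value is meant to satisfy. Two of the added by-component remarks also look misplaced: "This is a 'policy' component that must be present for part a of every -1 control." appears alongside the cm-10_smt.a through cm-10_obj.c statements, and "This is a 'process-procedure' component that must be present for part a of every -1 control." appears alongside ra-5.11_obj, yet neither CM-10 nor RA-5(11) is a -1 control, so please check that those remarks landed on the intended implemented-requirement rather than on the statement that happened to follow it. Finally, "corrisponding" in "Each policy must have a corrisponding "policy" component." should be "corresponding", and the bullet "both base64 and rlink require a media-type for policies" is the only item in that list without a closing period.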
    @@ -8519,15 +16402,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8537,15 +16417,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8555,15 +16432,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8572,16 +16446,13 @@ FedRAMP PMO.

    CM Policy document

    - - + 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8591,16 +16462,12 @@ FedRAMP PMO.

    - - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8610,15 +16477,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8628,15 +16492,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8646,15 +16507,12 @@ FedRAMP PMO.

    - - + 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8664,15 +16522,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8682,15 +16537,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8700,15 +16552,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8718,15 +16567,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8736,15 +16582,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8754,15 +16597,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8772,15 +16612,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8790,15 +16627,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8808,18 +16642,14 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Policy Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - Access Control Procedure Title @@ -8827,15 +16657,19 @@ FedRAMP PMO.

    - - + 00000000 -

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    Procedures must be attached as back-matter resources, and must include:

    +
      +
    • a title field with the attached document's published title.
    • +
    • a "type" property with a value of "procedure".
    • +
    • a "published" property with the attached document's publication date.
    • +
    • a "version" property with the attached document's published version.
    • +
    • Either base64 embedded attachment or an rlink with a valid href value.
    • +
    • both base64 and rlink require a media-type for policies
    • +
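Review bot: the last bullet of the new procedure requirements list reads "both base64 and rlink require a media-type for policies" although this list is attached to a Procedure Attachment resource and the surrounding bullets say "procedure"; this looks like a copy of the policy list and should say "for procedures". Also make the bullets consistent: "Either base64 ..." is capitalised while "both base64 ..." is not, and the final bullet lacks a terminating period.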
    @@ -8845,15 +16679,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8863,15 +16694,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8881,15 +16709,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8899,15 +16724,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8917,15 +16739,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8935,15 +16754,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8953,15 +16769,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8971,15 +16784,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -8989,15 +16799,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -9007,15 +16814,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -9025,15 +16829,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -9043,15 +16844,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -9061,15 +16859,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -9079,15 +16874,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -9097,15 +16889,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -9115,15 +16904,12 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    @@ -9133,18 +16919,14 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - User's Guide @@ -9152,19 +16934,12 @@ FedRAMP PMO.

    - -

    Table 12-1 Attachments: User's Guide Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - - - Document Title @@ -9172,18 +16947,14 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Rules of Behavior (ROB)

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - Document Title @@ -9191,18 +16962,14 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Contingency Plan (CP) Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - Document Title @@ -9210,18 +16977,14 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - Document Title @@ -9229,27 +16992,18 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Incident Response (IR) Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - - - - - CSP-specific Law Citation - Identification Number 00000000 @@ -9257,11 +17011,7 @@ FedRAMP PMO.

    A CSP-specific law citation

    The "type" property must be present and contain the value "law".

    -
    - - - Document Title @@ -9269,30 +17019,35 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Continuous Monitoring Plan Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - Plan of Actions and Milestones (POAM) - - - - - - 00000000 - + + + +

    The POA&M attachment may either be a legacy Excel workbook or OSCAL file. The + resource must have:

    +
      +
    • a title field with the the value, "Plan of Actions and Milestones (POAM)"
    • +
    • a "published" property with the effective date of the attached POA&M.
    • +
    • a "type" property with a value of "plan" and a class of "poam".
    • +
    • Either base64 embedded attachment or an rlink with a valid href value.
    • +
    • Both base64 and rlink require a media-type for policies
    • +
    +

    A "version" property is optional.

    +

    The appropriate media types for OSCAL content are, "application/xml", "application/json" + or "application/yaml".

    +

    FedRAMP does not accept base64 POA&M contenta at this time.

    +
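Review bot: the new POA&M remarks contain two typos ("a title field with the the value" and "base64 POA&M contenta") and the bullet "Both base64 and rlink require a media-type for policies" again refers to policies rather than the POA&M. More importantly the list offers "Either base64 embedded attachment or an rlink" while the closing sentence states FedRAMP does not accept base64 POA&M content; reword the bullet so the example does not present an option that the same remarks say is rejected.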
    - Supply Chain Risk Management Plan @@ -9300,28 +17055,20 @@ FedRAMP PMO.

    - 00000000

    Table 12-1 Attachments: Procedure Attachment

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    - - - - [SAMPLE]Interconnection Security Agreement Title + Interconnection Security Agreement - - 00000000 @@ -9329,9 +17076,8 @@ FedRAMP PMO.

    FedRAMP Logo

    - + - 00000000

    Must be present in a FedRAMP SSP.

    @@ -9345,12 +17091,10 @@ FedRAMP PMO.

    00000000 -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser -via HTML5.

    +

    Images must be in sufficient resolution to read all detail when rendered in a browser via + HTML5.

    @@ -9361,15 +17105,12 @@ via HTML5.

    00000000 -

    May use rlink with a relative path, or embedded as - base64. -

    +

    May use rlink with a relative path, or embedded as base64.

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser -via HTML5.

    +

    Images must be in sufficient resolution to read all detail when rendered in a browser via + HTML5.

    - Boundary Diagram @@ -9381,14 +17122,12 @@ via HTML5.

    Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

    This should be referenced in the -system-characteristics/authorization-boundary/diagram/link/@href flag using a value -of "#11111111-2222-4000-8000-001000000054"

    -

    May use rlink with a relative path, or embedded as - base64. -

    + system-characteristics/authorization-boundary/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000054"

    +

    May use rlink with a relative path, or embedded as base64.

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser -via HTML5.

    +

    Images must be in sufficient resolution to read all detail when rendered in a browser via + HTML5.
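Review bot: the re-wrapped remark still says the diagram should be referenced in the ".../diagram/link/@href flag"; `@href` is an XML attribute, not a flag, and the same wording is carried into the Network Diagram and Data Flow Diagram hunks below. Since these lines are being rewritten anyway, use "attribute" in all three.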

    @@ -9397,20 +17136,17 @@ via HTML5.

    The primary network diagram.

    - 00000000

    Section 8.1, Figure 8-2 Network Diagram (graphic)

    This should be referenced in the -system-characteristics/network-architecture/diagram/link/@href flag using a value of -"#11111111-2222-4000-8000-001000000055"

    -

    May use rlink with a relative path, or embedded as - base64. -

    + system-characteristics/network-architecture/diagram/link/@href flag using a value of + "#11111111-2222-4000-8000-001000000055"

    +

    May use rlink with a relative path, or embedded as base64.

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser -via HTML5.

    +

    Images must be in sufficient resolution to read all detail when rendered in a browser via + HTML5.

    @@ -9423,14 +17159,12 @@ via HTML5.

    00000000

    Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

    -

    This should be referenced in the system-characteristics/data-flow/diagram/link/@href -flag using a value of "#11111111-2222-4000-8000-001000000056"

    -

    May use rlink with a relative path, or embedded as - base64. -

    +

    This should be referenced in the system-characteristics/data-flow/diagram/link/@href flag + using a value of "#11111111-2222-4000-8000-001000000056"

    +

    May use rlink with a relative path, or embedded as base64.

    FedRAMP prefers base64 for images and diagrams.

    -

    Images must be in sufficient resolution to read all detail when rendered in a browser -via HTML5.

    +

    Images must be in sufficient resolution to read all detail when rendered in a browser via + HTML5.

    @@ -9445,12 +17179,13 @@ via HTML5.

    - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 + (September 1, 2020), pp 54263-54271. -

    CSP-specific citation. Note the "type" property's class is "law" -and the value is "citation".

    +

    CSP-specific citation. Note the "type" property's class is "law" and the value is + "citation".
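Review bot: this hunk keeps the remark "the 'type' property's class is 'law' and the value is 'citation'", while the earlier CSP-specific law hunk states "The 'type' property must be present and contain the value 'law'". If both resources are meant to model a law citation the two remarks give different type values; either the remarks describe two distinct resource kinds (then say so) or one of them needs correcting so readers of the example do not copy conflicting guidance.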

    @@ -9458,36 +17193,16 @@ and the value is "citation".

    -

    CSP-specific citation. Note the "type" property's class is "acronyms" -and the value is "citation".

    -
    -
    - - CSP Reference - - - -

    CSP-specific reference. Note the "type" property's class is "reference" -and the value is "citation".

    +

    CSP-specific citation. Note the "type" property's class is "acronyms" and the value is + "citation".

    - - Separation of Duties Matrix - -

    Separation of Duties Matrix

    -
    - - - - - 00000000 - -

    May use rlink with a relative path, or embedded as base64. -

    -
    + + Server Security Technical Implementation Guide (STIG) + + + + - - -
    \ No newline at end of file From bcedb8d6ab09612735809674b194fb86c30c8638 Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Tue, 18 Feb 2025 18:35:00 +0000 Subject: [PATCH 2/5] First Pass Fix Errors --- features/fedramp_extensions.feature | 3 - .../ssp/xml/fedramp-ssp-example.oscal.xml | 223 +++++++++++++++++- ...ventory-item-has-diagram-label-INVALID.xml | 5 +- .../content/ssp-privilege-level-INVALID.xml | 11 - .../fedramp-external-allowed-values.xml | 10 - .../fedramp-external-constraints.xml | 12 +- .../unit-tests/privilege-level-FAIL.yaml | 7 - .../unit-tests/privilege-level-PASS.yaml | 7 - 8 files changed, 226 insertions(+), 52 deletions(-) delete mode 100644 src/validations/constraints/content/ssp-privilege-level-INVALID.xml delete mode 100644 src/validations/constraints/unit-tests/privilege-level-FAIL.yaml delete mode 100644 src/validations/constraints/unit-tests/privilege-level-PASS.yaml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 8e4ca3a19..7559cb77f 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -166,7 +166,6 @@ Examples: | network-component-has-implementation-point | | non-provider-responsible-role-references-user | | party-has-name | - | privilege-level | | prop-response-point-has-cardinality-one | | resource-has-base64-or-rlink | | resource-has-title | @@ -494,8 +493,6 @@ Examples: | non-provider-responsible-role-references-user-PASS.yaml | | party-has-name-FAIL.yaml | | party-has-name-PASS.yaml | - | privilege-level-FAIL.yaml | - | privilege-level-PASS.yaml | | resource-has-base64-or-rlink-FAIL.yaml | | resource-has-base64-or-rlink-PASS.yaml | | resource-has-title-FAIL.yaml | diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 7527c4945..f10253244 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml 
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -585,8 +585,7 @@ - + fips-199-high @@ -758,6 +757,7 @@ + <function-performed>none</function-performed> @@ -822,6 +822,7 @@ <prop name="implementation-point" value="external"/> <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001"/> <prop name="nature-of-agreement" value="sla" ns="http://fedramp.gov/ns/oscal"/> + <prop ns="http://fedramp.gov/ns/oscal" name="end-of-life-date" value="2025-12-31"/> <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal"> <remarks> <p>If 'yes', describe the authentication method.</p> @@ -929,6 +930,8 @@ <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/> <prop name="implementation-point" value="external"/> <prop ns="http://fedramp.gov/ns/oscal" name="connection-security" value="tls-1.3"/> + <prop name="diagram-label" value="Service A" ns="http://fedramp.gov/ns/oscal"/> + <prop name="allows-authenticated-scan" value="yes"/> <prop ns="http://fedramp.gov/ns/oscal" class="incoming" name="information-type" value="C.3.5.1"/> <prop ns="http://fedramp.gov/ns/oscal" class="outgoing" name="information-type" @@ -991,7 +994,9 @@ </description> <prop name="implementation-point" value="external"/> <prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal"/> + <prop name="diagram-label" value="Service B" ns="http://fedramp.gov/ns/oscal"/> <prop name="still-supported" value="yes" ns="http://fedramp.gov/ns/oscal"/> + <prop name="allows-authenticated-scan" value="yes"/> <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal"> <remarks> <p>If 'yes', describe the authentication method.</p> 
@@ -1067,6 +1072,9 @@ </description> <prop name="asset-type" value="saas"/> <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001"/> + <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"> + <text>UUID of "this system" or a component within this system's boundary</text> + </link> <status state="operational"/> <responsible-role role-id="provider"> <party-uuid>33333333-2222-4000-8000-004000000001</party-uuid> @@ -1122,6 +1130,7 @@ <p>Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p> </description> + <prop name="diagram-label" value="Authorized Connection" ns="http://fedramp.gov/ns/oscal"/> <prop name="nature-of-agreement" value="contract" ns="http://fedramp.gov/ns/oscal"/> <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal"> <remarks> @@ -1238,6 +1247,7 @@ <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="isa"/> <prop name="implementation-point" value="external"/> <prop name="inherited-uuid" value="22222222-0000-4000-9001-009000000001"/> + <prop name="allows-authenticated-scan" value="yes"/> <status state="operational"/> <responsible-role role-id="system-owner"> <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid> @@ -1273,6 +1283,8 @@ </description> <prop name="implementation-point" value="external"/> <prop ns="http://fedramp.gov/ns/oscal" name="connection-security" value="ipsec"/> + <prop name="diagram-label" value="Service C" ns="http://fedramp.gov/ns/oscal"/> + <prop name="allows-authenticated-scan" value="yes"/> <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/> <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes"> <remarks> 
@@ -1293,6 +1305,7 @@ </remarks> </prop> <link rel="provided-by" href="#11111111-2222-4000-8000-009000100003"/> + <link rel="used-by" href="#11111111-2222-4000-8000-009000100003"/> <link rel="poam-item" href="./attachments/plan-of-action-and-milestones.xlxs" resource-fragment="V-1234"/> <status state="operational"/> @@ -1398,6 +1411,7 @@ <prop name="information-type" class="outgoing" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal"/> <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/> + <prop name="diagram-label" value="API Service" ns="http://fedramp.gov/ns/oscal"/> <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal"> <remarks> <p>If 'yes', describe the authentication method in the remarks.</p> @@ -1488,6 +1502,7 @@ boundary.</p> </description> <prop name="asset-type" value="cli"/> + <prop name="diagram-label" value="Management CLI" ns="http://fedramp.gov/ns/oscal"/> <prop name="implementation-point" value="internal"/> <prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal"/> @@ -1578,6 +1593,7 @@ this system..</p> </description> <prop name="asset-type" value="cli"/> + <prop name="diagram-label" value="Management CLI" ns="http://fedramp.gov/ns/oscal"/> <prop name="implementation-point" value="external"/> <prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal"/> 
@@ -1737,9 +1753,29 @@ <p>The corporate data lake. All logs are required to be sent here.</p> </description> <prop name="asset-type" value="logging"/> + <prop name="implementation-point" value="external"/> <prop name="diagram-label" value="Corporate Data Lake" ns="http://fedramp.gov/ns/oscal"/> + <prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal"/> + <prop name="information-type" value="C.3.5.1" class="incoming" + ns="http://fedramp.gov/ns/oscal"/> + <prop name="information-type" value="C.3.5.8" class="outgoing" + ns="http://fedramp.gov/ns/oscal"/> + <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>If 'yes', describe the authentication method in the remarks.</p> + <p>If 'no', explain why no authentication is used in the remarks.</p> + <p>If 'not-applicable', explain why authentication is not applicable in the + remarks.</p> + </remarks> + </prop> <link rel="receives" href="#11111111-2222-4000-8000-009001400002"/> <status state="operational"/> + <responsible-role role-id="provider"> + <party-uuid>11111111-2222-4000-8000-004000000001</party-uuid> + </responsible-role> + <responsible-role role-id="administrator"> + <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid> + </responsible-role> </component> <component uuid="11111111-2222-4000-8000-009001400001" type="connection"> @@ -1783,6 +1819,7 @@ <description> <p>None</p> </description> + <prop name="diagram-label" value="Database Sample" ns="http://fedramp.gov/ns/oscal"/> <prop name="asset-type" value="database"/> <prop name="function" value="see-remarks"> <remarks> 
@@ -1811,6 +1848,7 @@ <p>Briefly describe the cryptographic module.</p> </description> <prop name="asset-type" value="cryptographic-module"/> + <prop name="diagram-label" value="Database Encryption" ns="http://fedramp.gov/ns/oscal"/> <prop name="software-name" value="abc"/> <prop name="software-version" value="1.2.3"/> <prop name="vendor-name" value="Databases-R-Us" ns="http://fedramp.gov/ns/oscal"/> @@ -1819,6 +1857,14 @@ <p>Used to encrypt and decrypt rows in the database.</p> </remarks> </prop> + <link rel="provided-by" href="#11111111-2222-4000-8000-009000100001"/> + <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"> + <text>UUID of "this system" or a component within this system's boundary</text> + </link> + <link rel="validation" href="#11111111-2222-4000-8000-009001200001"> + <text>A link to the 3rd party validation information related to this cryptographic + module.</text> + </link> <status state="operational"/> </component> @@ -1849,6 +1895,7 @@ compliance (e.g., Module in Process).</p> </description> <prop name="asset-type" value="cryptographic-module"/> + <prop name="diagram-label" value="Open SSL" ns="http://fedramp.gov/ns/oscal"/> <prop name="software-name" value="OpenSSL"/> <prop name="software-version" value="3.0.8"/> <prop name="vendor-name" value="OpenSSL FIPS Provider" ns="http://fedramp.gov/ns/oscal"/> @@ -1862,6 +1909,9 @@ module.</text> </link> <link rel="provided-by" href="#"/> + <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"> + <text>UUID of "this system" or a component within this system's boundary</text> + </link> <status state="operational"/> </component> <component type="software" uuid="11111111-2222-4000-8000-009000300011"> 
@@ -1874,6 +1924,7 @@ compliance (e.g., Module in Process).</p> </description> <prop name="asset-type" value="cryptographic-module"/> + <prop name="diagram-label" value="Open SSL" ns="http://fedramp.gov/ns/oscal"/> <prop name="software-name" value="OpenSSL"/> <prop name="software-version" value="3.0.9"/> <prop name="vendor-name" value="OpenSSL FIPS Provider" ns="http://fedramp.gov/ns/oscal"/> @@ -1948,6 +1999,7 @@ <p>This is an API server that communicates with a database via an encrypted connection</p> </description> <prop name="asset-type" value="api-server"/> + <prop name="diagram-label" value="API Service" ns="http://fedramp.gov/ns/oscal"/> <prop name="allows-authenticated-scan" value="no"/> <prop name="scan-type" value="web" ns="http://fedramp.gov/ns/oscal"/> <link rel="validation" href="#11111111-2222-4000-8000-009001200002"/> @@ -1962,6 +2014,7 @@ <p>This is a web server that communicates with a database via an encrypted connection</p> </description> <prop name="asset-type" value="operating-system"/> + <prop name="diagram-label" value="Linux Operating System" ns="http://fedramp.gov/ns/oscal"/> <prop name="allows-authenticated-scan" value="yes"/> <prop name="scan-type" value="web" ns="http://fedramp.gov/ns/oscal"/> <link rel="baseline" href="#11111111-2222-4000-8000-001000000059"/> @@ -1975,6 +2028,9 @@ <p>Describe the service and what it is used for.</p> </description> <prop name="implementation-point" value="internal"/> + <prop name="diagram-label" value="Service E" ns="http://fedramp.gov/ns/oscal"/> + <prop name="allows-authenticated-scan" value="yes"/> + <prop name="public" value="yes"/> <status state="operational"/> </component> <component uuid="11111111-2222-4000-8000-009000300008" type="software"> 
@@ -1983,6 +2039,7 @@ <p>This is a container image used to create container instances within the system.</p> </description> <prop name="asset-type" value="image"/> + <prop name="diagram-label" value="Container Image" ns="http://fedramp.gov/ns/oscal"/> <prop name="asset-id" value="image"/> <prop name="checksum" value="a1b2c3" ns="http://fedramp.gov/ns/oscal"/> <link href="#11111111-2222-4000-8000-001000000059" rel="attachment"/> @@ -1997,6 +2054,7 @@ <p>FUNCTION: Describe typical component function.</p> </description> <prop name="asset-type" value="operating-system"/> + <prop name="diagram-label" value="Sample" ns="http://fedramp.gov/ns/oscal"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> <prop name="vendor-name" value="Vendor Name"/> <prop name="model" value="Model Number"/> 
@@ -2016,8 +2074,30 @@ <description> <p>Email Service</p> </description> + <prop name="diagram-label" value="Email Service" ns="http://fedramp.gov/ns/oscal"/> + <prop name="allows-authenticated-scan" value="yes"/> + <prop name="implementation-point" value="external"/> + <prop name="connection-security" value="ipsec" ns="http://fedramp.gov/ns/oscal"/> + <prop name="information-type" value="C.3.5.1" class="incoming" + ns="http://fedramp.gov/ns/oscal"/> + <prop name="information-type" value="C.3.5.8" class="outgoing" + ns="http://fedramp.gov/ns/oscal"/> + <prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>If 'yes', describe the authentication method in the remarks.</p> + <p>If 'no', explain why no authentication is used in the remarks.</p> + <p>If 'not-applicable', explain why authentication is not applicable in the + remarks.</p> + </remarks> + </prop> <link href="#11111111-2222-4000-8000-009000500005" rel="used-by"/> <status state="operational"/> + <responsible-role role-id="provider"> + <party-uuid>11111111-2222-4000-8000-004000000001</party-uuid> + </responsible-role> + <responsible-role role-id="administrator"> + <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid> + </responsible-role> <protocol name="smtp"> <port-range start="23" end="23" transport="TCP"/> <port-range start="23" end="23" transport="UDP"/> @@ -2028,7 +2108,8 @@ <description> <p>FUNCTION: Describe typical component function.</p> </description> - <prop name="asset-type" value="database"/> + <prop name="asset-type" value="Sample"/> + <prop name="diagram-label" value="Service C" ns="http://fedramp.gov/ns/oscal"/> <prop name="scan-type" value="infrastructure" ns="http://fedramp.gov/ns/oscal"/> <prop name="scan-type" value="database" ns="http://fedramp.gov/ns/oscal"/> <prop name="vendor-name" value="Vendor Name"/> 
@@ -2051,6 +2132,7 @@ <p>None</p> </description> <prop name="asset-type" value="operating-system"/> + <prop name="diagram-label" value="OS Sample" ns="http://fedramp.gov/ns/oscal"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> <prop name="allows-authenticated-scan" value="yes"/> <link rel="baseline" href="#11111111-2222-4000-8000-001000000059"/> @@ -2062,8 +2144,12 @@ <p>None</p> </description> <prop name="asset-type" value="database"/> + <prop name="diagram-label" value="Database Sample" ns="http://fedramp.gov/ns/oscal"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/> <prop name="allows-authenticated-scan" value="yes"/> + <link rel="used-by" href="#11111111-2222-4000-8000-009000000000"> + <text>UUID of "this system" or a component within this system's boundary</text> + </link> <link href="#11111111-2222-4000-8000-009000500006" rel="used-by"/> <link rel="baseline" href="#11111111-2222-4000-8000-001000000059"/> <status state="operational"/> @@ -2078,6 +2164,7 @@ <p>None</p> </description> <prop name="asset-type" value="appliance"/> + <prop name="diagram-label" value="Appliance Sample" ns="http://fedramp.gov/ns/oscal"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="web"/> <prop ns="http://fedramp.gov/ns/oscal" name="login-url" value="https://admin.offering.com/login"/> @@ -2111,6 +2198,7 @@ <prop name="asset-type" value="subnet"/> <prop name="public" value="no"/> <prop name="diagram-label" value="Data Network" ns="http://fedramp.gov/ns/oscal"/> + <prop name="allows-authenticated-scan" value="yes"/> <link rel="used-by" href="#11111111-2222-4000-8000-009000300100"/> <status state="operational"/> </component> 
@@ -2122,6 +2210,7 @@ <prop name="asset-type" value="subnet"/> <prop name="public" value="no"/> <prop name="diagram-label" value="Production Network" ns="http://fedramp.gov/ns/oscal"/> + <prop name="allows-authenticated-scan" value="yes"/> <status state="operational"/> </component> <component type="network" uuid="11111111-2222-4000-8000-009000000018"> @@ -2132,6 +2221,7 @@ <prop name="asset-type" value="subnet"/> <prop name="public" value="no"/> <prop name="diagram-label" value="Management Network" ns="http://fedramp.gov/ns/oscal"/> + <prop name="allows-authenticated-scan" value="yes"/> <status state="operational"/> </component> <component type="network" uuid="11111111-2222-4000-8000-009000000019"> @@ -2175,6 +2265,7 @@ <prop name="asset-tag" value="Asset Tag"/> <prop name="vlan-id" value="VLAN Identifier"/> <prop name="network-id" value="Network Identifier"/> + <prop name="diagram-label" value="Legacy Inventory Item" ns="http://fedramp.gov/ns/oscal"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Big Vendor, Inc."/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="database"/> @@ -2220,6 +2311,7 @@ <prop name="asset-type" value="appliance"/> <prop name="virtual" value="no"/> <prop name="public" value="no"/> + <prop name="is-scanned" value="yes"/> <prop name="fqdn" value="dns.name"/> <prop name="uri" value="uniform.resource.locator"/> <prop name="netbios-name" value="netbios-name"/> 
@@ -2249,13 +2341,16 @@ <p>None.</p> </description> <prop name="asset-id" value="unique-asset-ID-03"/> - <prop name="asset-type" value="web-server"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="public" value="no"/> <prop name="ipv4-address" value="10.3.3.3"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a03:0303"/> <prop name="is-scanned" value="yes"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000300100" > </implemented-component> </inventory-item> @@ -2271,6 +2366,9 @@ <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a04:0404"/> <prop name="is-scanned" value="yes"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000300100"/> </inventory-item> <inventory-item uuid="11111111-2222-4000-8000-011000000005"> @@ -2285,6 +2383,9 @@ <prop name="public" value="yes"/> <prop name="is-scanned" value="yes"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000300100"/> </inventory-item> <inventory-item uuid="11111111-2222-4000-8000-011000000006"> 
@@ -2302,6 +2403,9 @@ <p>Asset wasn't running at time of scan.</p> </remarks> </prop> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000300100" > </implemented-component> </inventory-item> @@ -2316,7 +2420,14 @@ <prop name="virtual" value="no"/> <prop name="public" value="no"/> <prop name="is-scanned" value="yes"/> - <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="other"> + <remarks> + <p>Remarks</p> + </remarks> + </prop> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000300100" > </implemented-component> </inventory-item> @@ -2335,6 +2446,9 @@ <p>Asset wasn't running at time of scan.</p> </remarks> </prop> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000300100" > </implemented-component> </inventory-item> @@ -2350,6 +2464,9 @@ <prop name="public" value="no"/> <prop name="is-scanned" value="yes"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000300100"/> </inventory-item> 
@@ -2360,9 +2477,19 @@ <prop name="asset-id" value="unique-asset-ID-10"/> <prop name="ipv4-address" value="10.10.10.100"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000500001"/> </inventory-item> <inventory-item uuid="11111111-2222-4000-8000-011000000011"> @@ -2372,9 +2499,19 @@ <prop name="asset-id" value="unique-asset-ID-11"/> <prop name="ipv4-address" value="10.10.10.100"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000500002"/> </inventory-item> 
@@ -2385,9 +2522,19 @@ <prop name="asset-id" value="unique-asset-ID-12"/> <prop name="ipv4-address" value="10.10.10.100"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000500003"/> </inventory-item> @@ -2398,9 +2545,19 @@ <prop name="asset-id" value="unique-asset-ID-13"/> <prop name="ipv4-address" value="10.10.10.100"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000500004"/> </inventory-item> 
@@ -2411,9 +2568,19 @@ <prop name="asset-id" value="unique-asset-ID-14"/> <prop name="ipv4-address" value="10.10.10.100"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000500005"/> </inventory-item> @@ -2424,9 +2591,19 @@ <prop name="asset-id" value="unique-asset-ID-15"/> <prop name="ipv4-address" value="10.10.10.100"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000500006"/> </inventory-item> 
@@ -2435,14 +2612,25 @@ <description> <p>Instance of the Data Network</p> </description> + <prop name="asset-id" value="unique-asset-ID-16"/> <prop name="vlan-id" value="vlan-ID-16"/> <prop name="ipv4-address" class="network" value="10.10.20.0"/> <prop name="ipv4-address" class="subnet-mask" value="255.255.255.0"/> <prop name="ipv4-address" class="gateway" value="10.10.20.1"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000000016"/> </inventory-item> 
@@ -2450,14 +2638,25 @@ <description> <p>Instance of the Data Network</p> </description> + <prop name="asset-id" value="unique-asset-ID-17"/> <prop name="vlan-id" value="vlan-ID-17"/> <prop name="ipv4-address" class="network" value="10.20.20.0"/> <prop name="ipv4-address" class="subnet-mask" value="255.255.255.0"/> <prop name="ipv4-address" class="gateway" value="10.20.20.1"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000000017"/> </inventory-item> 
@@ -2465,14 +2664,25 @@ <description> <p>Instance of a Production Network</p> </description> + <prop name="asset-id" value="unique-asset-ID-18"/> <prop name="vlan-id" value="vlan-ID-18"/> <prop name="ipv4-address" class="network" value="30.30.30.0"/> <prop name="ipv4-address" class="subnet-mask" value="255.255.255.0"/> <prop name="ipv4-address" class="gateway" value="30.30.30.1"/> <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a08:0808"/> + <prop name="asset-type" value="software"/> <prop name="virtual" value="yes"/> <prop name="is-scanned" value="yes"/> + <prop name="public" value="yes"/> + <prop name="function" value="data-in-transit" ns="http://fedramp.gov/ns/oscal"> + <remarks> + <p>Usage statement</p> + </remarks> + </prop> <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/> + <responsible-party role-id="asset-owner"> + <party-uuid>11111111-2222-4000-8000-004000000016</party-uuid> + </responsible-party> <implemented-component component-uuid="11111111-2222-4000-8000-009000000018"/> </inventory-item> @@ -2908,7 +3118,7 @@ <party-uuid>11111111-2222-4000-8000-004000000008</party-uuid> </responsible-role> </by-component> - <by-component component-uuid="11111111-2222-4000-8000-009000700001" + <by-component component-uuid="11111111-2222-4000-8000-009000800001" uuid="11111111-2222-4000-8000-012000030103"> <description> <p>Describe how this procedure satisfies part a.</p> @@ -16448,6 +16658,7 @@ <prop name="type" value="policy"/> <prop name="published" value="2023-01-01T00:00:00Z"/> <prop name="version" value="Document Version"/> + <prop name="last-accessed" ns="http://fedramp.gov/ns/oscal" value="2024-12-23T14:30:00-05:00"/> <rlink media-type="application/pdf" href="./attachments/policies/sample_CM_policy.pdf"/> <base64 filename="sample_policy.pdf" media-type="application/pdf">00000000</base64> <remarks> 
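Review bot: In the `@@ -2435`, `@@ -2450` and `@@ -2465` hunks, the inventory items described as "Instance of the Data Network" and "Instance of a Production Network" get `asset-type` `software`, while the network components earlier in the same patch (`@@ -2122`, `@@ -2132`) carry `asset-type` `subnet` for the same networks; confirm that `software` is the intended type for a network instance, otherwise the inventory is typed inconsistently with the components it implements. In the `@@ -2908` hunk the `by-component` reference moves from `...009000700001` to `...009000800001` under a description that says "how this procedure satisfies part a"; check that `...009000800001` is the component with `type="process-procedure"`, because the corrected `has-procedure` constraint in this PR now resolves the referenced uuid and requires that type. Minor: every `responsible-party role-id="asset-owner"` added between `@@ -2249` and `@@ -2465` points at the same party `...004000000016`, which is fine for a sample but worth a remark so readers do not copy it as-is.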
diff --git a/src/validations/constraints/content/ssp-inventory-item-has-diagram-label-INVALID.xml b/src/validations/constraints/content/ssp-inventory-item-has-diagram-label-INVALID.xml index 0c145ab13..cf9bf6af2 100644 --- a/src/validations/constraints/content/ssp-inventory-item-has-diagram-label-INVALID.xml +++ b/src/validations/constraints/content/ssp-inventory-item-has-diagram-label-INVALID.xml @@ -1,10 +1,11 @@ <system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000"> <system-implementation> - <component uuid="11111111-2222-4000-8000-009000000007" type="process-procedure"> + <component uuid="11111111-2222-4000-8000-009000000007" type="service"> <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. --> </component> <inventory-item uuid="11111111-2222-4000-8000-011000000001"> - <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> Missing "diagram-label" prop. --> + <!-- <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/> --> + <implemented-component component-uuid="11111111-2222-4000-8000-009000000007"/> </inventory-item> </system-implementation> </system-security-plan> \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-privilege-level-INVALID.xml b/src/validations/constraints/content/ssp-privilege-level-INVALID.xml deleted file mode 100644 index 84120558b..000000000 --- a/src/validations/constraints/content/ssp-privilege-level-INVALID.xml +++ /dev/null 
@@ -1,11 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" - uuid="12345678-1234-4321-8765-123456789012"> - <system-implementation> - <user uuid="44444444-0000-4000-9000-000000000004"> - <prop ns="http://fedramp.gov/ns/oscal" name="privilege-level" value="unsupported-access-type"/> - </user> - </system-implementation> -</system-security-plan> \ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml index d79f04ccb..59f4a8960 100644 --- a/src/validations/constraints/fedramp-external-allowed-values.xml +++ b/src/validations/constraints/fedramp-external-allowed-values.xml @@ -596,16 +596,6 @@ <enum value="cui">Controlled Unclassified Information</enum> </allowed-values> - <allowed-values id="privilege-level" target="system-implementation/user/prop[@name='privilege-level'][@ns='http://fedramp.gov/ns/oscal']/@value" allow-other="no" level="ERROR"> - <formal-name>Privilege Level</formal-name> - <description>The privilege level of the user.</description> - <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/> - <enum value="read">Read</enum> - <enum value="read-write">Read-Write</enum> - <enum value="write">Write</enum> - <enum value="no-access">No Access</enum> - </allowed-values> - <allowed-values id="scan-type" target="system-implementation//prop[@name='scan-type'][@ns='http://fedramp.gov/ns/oscal']/@value" allow-other="no" level="ERROR"> <formal-name>Scan Type</formal-name> <description>Identifies the type of scan.</description> 
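Review bot: In the `ssp-inventory-item-has-diagram-label-INVALID.xml` hunk, the inventory-item comment drops its `Missing "diagram-label" prop.` explanation while the component comment above it keeps one; keep the explanation on both elements so the negative test case still documents why each is expected to fail. On the deletion of `ssp-privilege-level-INVALID.xml` and of the `privilege-level` `allowed-values` block (`@@ -596,16 +596,6 @@` in `fedramp-external-allowed-values.xml`): the example SSP still carries `<prop ns="http://fedramp.gov/ns/oscal" name="privilege-level" value="read-write"/>` on its users, so after this change an unrecognized value there is no longer reported, and the commit message does not say why enforcement is dropped; add the rationale, and a pointer to any replacement constraint, to the PR description.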
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index 88711efd9..206d32388 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml 
@@ -11,22 +11,22 @@ <expect id="cryptographic-module-component-has-function" target=".[@type='software' and prop[@name='asset-type' and @value='cryptographic-module']]" test="(count(prop[@name='function']) eq 1) and (if (prop[@name='function' and @value='other']) then exists(prop[@name='function' and @value='other']/remarks) else true())" level="ERROR"> <formal-name>Cryptographic Module Component Has Function</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> - <message>In a FedRAMP SSP, a crytographic module component MUST include its function and use remarks to describe its function.</message> + <message>In a FedRAMP SSP, a cryptographic module component MUST include its function and use remarks to describe its function.</message> </expect> <expect id="cryptographic-module-component-has-provided-by-link" target=".[@type='software' and prop[@name='asset-type' and @value='cryptographic-module']]" test="count(link[@rel='provided-by']) >= 1" level="ERROR"> <formal-name>Cryptographic Module Component Has Provided By Link</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> - <message>In a FedRAMP SSP, a crytographic module component MUST include at least one "provided by" link.</message> + <message>In a FedRAMP SSP, a cryptographic module component MUST include at least one "provided by" link.</message> </expect> <expect id="cryptographic-module-component-has-used-by-link" target=".[@type='software' and prop[@name='asset-type' and @value='cryptographic-module']]" test="count(link[@rel='used-by']) >= 1" level="ERROR"> <formal-name>Cryptographic Module Component Has Used By Link</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" 
value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> - <message>In a FedRAMP SSP, a crytographic module component MUST include at least one "used by" link.</message> + <message>In a FedRAMP SSP, a cryptographic module component MUST include at least one "used by" link.</message> </expect> <expect id="cryptographic-module-component-has-validation-link" target=".[@type='software' and prop[@name='asset-type' and @value='cryptographic-module']]" test="count(link[@rel='validation']) >= 1" level="ERROR"> <formal-name>Cryptographic Module Component Has Validation Link</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/> - <message>In a FedRAMP SSP, a crytographic module component MUST include at least one "validation" link.</message> + <message>In a FedRAMP SSP, a cryptographic module component MUST include at least one "validation" link.</message> </expect> </constraints> </context> 
@@ -912,12 +912,12 @@ 'si-1_smt.a' : 'at least one procedure that addresses System and Information Integrity MUST be associated with SI-1 part a.', 'sr-1_smt.a' : 'at least one procedure that addresses Supply Chain Risk Management MUST be associated with SR-1 part a.'}"/> <let var="component-uuid" expression="by-component/@component-uuid"/> - <expect id="has-policy" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$component-uuid and @type='policy']) >= 1" level="ERROR"> + <expect id="has-policy" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$uuid and @type='policy']) >= 1" level="ERROR"> <formal-name>Has Policy</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/> <message>In a FedRAMP SSP, {$policy-messages(./@statement-id)}</message> </expect> - <expect id="has-procedure" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$component-uuid and @type='process-procedure']) >= 1" level="ERROR"> + <expect id="has-procedure" target=".[@statement-id=$control-statement-ids]" test="some $uuid in $component-uuid satisfies count(../../../system-implementation/component[@uuid=$uuid and @type='process-procedure']) >= 1" level="ERROR"> <formal-name>Has Procedure</formal-name> <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/6-security-controls/#organization-policy-and-procedure-statements"/> <message>In a FedRAMP SSP, {$procedure-messages(./@statement-id)}</message> 
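Review bot: The `$component-uuid` to `$uuid` change in the `has-policy` and `has-procedure` `expect` tests (`@@ -912`) is a real logic fix: inside `some $uuid in $component-uuid satisfies ...`, the predicate `@uuid=$component-uuid` was a general comparison against the whole sequence of referenced uuids rather than the bound `$uuid`, so the quantifier never narrowed the check to one component. Since this PR deletes unit tests but adds none here, add a negative test whose statement references only a non-policy or non-procedure component, so the regression cannot return unnoticed.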
diff --git a/src/validations/constraints/unit-tests/privilege-level-FAIL.yaml b/src/validations/constraints/unit-tests/privilege-level-FAIL.yaml deleted file mode 100644 index 5e8cbdf47..000000000 --- a/src/validations/constraints/unit-tests/privilege-level-FAIL.yaml +++ /dev/null @@ -1,7 +0,0 @@ -test-case: - name: Negative Test for privilege-level - description: This test case validates the behavior of constraint privilege-level - content: ssp-privilege-level-INVALID.xml - expectations: - - constraint-id: privilege-level - result: fail diff --git a/src/validations/constraints/unit-tests/privilege-level-PASS.yaml b/src/validations/constraints/unit-tests/privilege-level-PASS.yaml deleted file mode 100644 index 0d97c01b7..000000000 --- a/src/validations/constraints/unit-tests/privilege-level-PASS.yaml +++ /dev/null @@ -1,7 +0,0 @@ -test-case: - name: Positive Test for privilege-level - description: This test case validates the behavior of constraint privilege-level - content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml - expectations: - - constraint-id: privilege-level - result: pass From ab9f04f4f3b07e5a17eb9022e566d5998bdaea8f Mon Sep 17 00:00:00 2001 From: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Wed, 19 Feb 2025 15:23:18 +0000 Subject: [PATCH 3/5] Second Pass Fix Errors --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 237 ++++++++++++------ 1 file changed, 157 insertions(+), 80 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index f10253244..d3094b133 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml 
@@ -758,6 +758,9 @@ </leveraged-authorization> <user uuid="11111111-2222-4000-8000-008000000001"> <prop ns="http://fedramp.gov/ns/oscal" name="privilege-level" value="read-write"/> + <prop name="type" value="internal"/> + <prop ns="http://fedramp.gov/ns/oscal" name="sensitivity" value="high-risk"/> + <role-id>system-poc-technical</role-id> <authorized-privilege> <title/> <function-performed>none</function-performed> @@ -771,28 +774,36 @@ </remarks> </user> <user uuid="11111111-2222-4000-8000-008000000002"> + <prop name="type" value="internal"/> <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal"/> + <role-id>system-poc-technical</role-id> <authorized-privilege> <title>Add/Remove Admins This can add and remove admins. + + system-poc-technical <function-performed>add/remove non-privliged admins</function-performed> </authorized-privilege> </user> <user uuid="11111111-2222-4000-8000-008000000004"> + <prop name="type" value="internal"/> <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal"/> + <role-id>system-poc-technical</role-id> <authorized-privilege> <title/> <function-performed>Manage services and components within the virtual cloud environment.</function-performed> </authorized-privilege> </user> <user uuid="11111111-2222-4000-8000-008000000005"> + <prop name="type" value="internal"/> <prop name="separation-of-duties-matrix" value="yes" ns="http://fedramp.gov/ns/oscal"/> + <role-id>system-poc-technical</role-id> <authorized-privilege> <title/> <function-performed>Add and remove users from the virtual cloud environment.</function-performed> 
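Review bot: In the `@@ -758` and `@@ -771` hunks, `<role-id>system-poc-technical</role-id>` is assigned to all four users and `sensitivity` `high-risk` only to the first, so the sample users all read as the same technical POC; given that user `...008000000002` holds the "Add/Remove Admins" privilege and the users are flagged `separation-of-duties-matrix` `yes`, give them distinct role-ids so the example actually illustrates separation of duties. While here, the unchanged context line `add/remove non-privliged admins` has a typo ("non-privileged"), and the empty `<title/>` on the `authorized-privilege` entries of users `...0001`, `...0004` and `...0005` gives readers no sample value; fill them in as user `...0002` does.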
@@ -2863,35 +2874,26 @@ </statement> </implemented-requirement> <implemented-requirement control-id="ac-2" uuid="11111111-2222-4000-8000-012000020000"> - <set-parameter param-id="ac-2_odp.01"> - <value>[SAMPLE]privileged, non-privileged</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.02"> - <value>[SAMPLE]all</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.03"> - <value>[SAMPLE]The Access Control Procedure</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.04"> - <value>at least annually</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.05"> - <value>at least annually</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.06"> - <value>at least annually</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.07"> - <value>at least annually</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.08"> - <value>at least annually</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.09"> - <value>at least annually</value> - </set-parameter> - <set-parameter param-id="ac-2_odp.10"> - <value>at least annually</value> + <set-parameter param-id="ac-02_odp.10"> + <value>quarterly for privileged access, annually for non-privileged access</value> + </set-parameter><set-parameter param-id="ac-02_odp.09"> + <value>userid, password, role, job function.</value> + </set-parameter><set-parameter param-id="ac-02_odp.08"> + <value>8 hours</value> + </set-parameter><set-parameter param-id="ac-02_odp.07"> + <value>8 hours</value> + </set-parameter><set-parameter param-id="ac-02_odp.06"> + <value>24 hours</value> + </set-parameter><set-parameter param-id="ac-02_odp.05"> + <value>Privileged Access Administrator, Cybersecurity Operations Center (CSOC) Team Lead</value> + </set-parameter><set-parameter param-id="ac-02_odp.04"> + <value>Account Management Policy: All requests for account creation, modification, or removal must be submitted through the IT Service Desk and approved by the system owner. 
Account creations require a valid business need and a completed Account Request Form. Accounts will be disabled after 90 days of inactivity and removed after 180 days. Modifications to accounts must be documented and approved by the system owner. Accounts will be enabled or disabled based on user role and job function.</value> + </set-parameter><set-parameter param-id="ac-02_odp.03"> + <value>System Owners, Information System Security Officers (ISSOs), and Authorizing Officials</value> + </set-parameter><set-parameter param-id="ac-02_odp.02"> + <value>Example value: "username, password, account-type, expiration-date, access-level, department, job-function</value> + </set-parameter><set-parameter param-id="ac-02_odp.01"> + <value>AC-02(01): Group and role membership prerequisites and criteria are defined as follows: (i) group membership requires approval by a designated manager; (ii) role membership requires completion of a background check and a minimum of 6 months of employment with the organization.</value> </set-parameter> <statement statement-id="ac-2_smt.a" uuid="11111111-2222-4000-8000-012000020100"> 
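Review bot: In the `@@ -2863` hunk the new `set-parameter` values need cleanup before this ships as the reference example: `ac-02_odp.02` has an unbalanced quote and an `Example value:` prefix (`<value>Example value: "username, password, account-type, ...`), `ac-02_odp.01` opens with `AC-02(01):`, the identifier of the enhancement rather than the base-control parameter, and the block is emitted from `.10` down to `.01` with `</set-parameter><set-parameter` run together on one line, unlike the rest of the file. The rename from `ac-2_odp.NN` to `ac-02_odp.NN` itself is correct; it matches the zero-padded ODP ids used elsewhere in this file, and the `ac-2_smt.a` statement id on the context line is the right form for statements, so that does not need to follow.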
@@ -3029,60 +3031,135 @@ </responsible-role> </by-component> </statement> + <statement statement-id="ac-2_smt.b" uuid="238c9945-0cdb-4833-bed1-f566e74460ad"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="7b525048-9618-4b4e-995e-7df0c206dcf2"> + <description> + <p>Describe how Part ac-2_smt.b is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.c" uuid="afdfa833-4679-40ca-b160-0f50c920a646"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="06a23fc8-cd2c-4d81-9e95-727eea1888b7"> + <description> + <p>Describe how Part ac-2_smt.c is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.d" uuid="09fbbc71-37b4-489a-9b52-aae5febfb6ae"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="f5160c64-567f-4fdd-8c26-5190bce07b07"> + <description> + <p>Describe how Part ac-2_smt.d is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.e" uuid="a174e64b-dc03-4c99-8151-2624d579e80b"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="6f9b0b46-a6ea-440f-b18f-c0d7bc20b6c1"> + <description> + <p>Describe how Part ac-2_smt.e is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.f" uuid="25056199-8af0-4ed0-9870-470b860a93a9"> + <by-component 
component-uuid="11111111-2222-4000-8000-009000000000" uuid="96eff6bf-ebdb-41ce-99fe-d0038b5fc071"> + <description> + <p>Describe how Part ac-2_smt.f is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.g" uuid="dfc44d61-4c5f-40b7-aadd-a3a2a1b2f5dc"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="f1284b59-5e17-4538-9e61-811da7c18d74"> + <description> + <p>Describe how Part ac-2_smt.g is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.h" uuid="f5b8a244-bfb5-423b-816c-a2913a0b2ff9"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="fb880871-642b-4469-b221-6dee07622a9a"> + <description> + <p>Describe how Part ac-2_smt.h is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.i" uuid="90080065-6c60-4c85-b94b-40fb4da9b5b3"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="1647d8f5-1408-44b5-a6ff-965dd5bfaec5"> + <description> + <p>Describe how Part ac-2_smt.i is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.j" uuid="6b388e61-39d4-45a2-a28d-60e0b83d1dc0"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="c272cb95-3ad8-4333-80cf-745836eb7493"> + <description> + <p>Describe how Part ac-2_smt.j is satisfied.</p> + </description> + <responsible-role 
role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.k" uuid="537e7f8a-1476-4460-babf-aab9333eff51"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="1d6cfc74-b3c5-4535-b96d-e18c136dd7ba"> + <description> + <p>Describe how Part ac-2_smt.k is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> + <statement statement-id="ac-2_smt.l" uuid="fc20d1f2-3100-4989-a06e-e4c14d6e91c2"> + <by-component component-uuid="11111111-2222-4000-8000-009000000000" uuid="df571e00-8119-464e-8016-5a35961c39e7"> + <description> + <p>Describe how Part ac-2_smt.l is satisfied.</p> + </description> + <responsible-role role-id="system-admin"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-role> + </by-component> + </statement> </implemented-requirement> <implemented-requirement control-id="ia-1" uuid="11111111-2222-4000-8000-012000030000"> <prop ns="http://fedramp.gov/ns/oscal" name="control-origination" value="sp-system"/> - <set-parameter param-id="ac-01_odp.01"> - <value>all managers, administrators and users of the system</value> - <remarks> - <p>[Assignment: organization-defined personnel or roles]</p> - <p>This focuses on roles the POLICY is disseminated to.</p> - </remarks> - </set-parameter> - <set-parameter param-id="ac-01_odp.02"> - <value>all managers and administrators of the system</value> - <remarks> - <p>[Assignment: organization-defined personnel or roles]</p> - <p>This focuses on roles PROCEDURES are disseminated to.</p> - </remarks> - </set-parameter> - <set-parameter param-id="ac-01_odp.03"> - <value>System-level</value> - <remarks> - <p>[Selection (one or more): Organization-level; Mission/business process-level; - Systemlevel]</p> - <p>This is a 
SELECT parameter. Use one "value" field for each selection.</p> - </remarks> - </set-parameter> - <set-parameter param-id="ac-01_odp.04"> - <value>System Architect</value> - <remarks> - <p>[Assignment: organization-defined official]</p> - </remarks> - </set-parameter> - <set-parameter param-id="ac-01_odp.05"> - <value>at least every 3 years</value> - <remarks> - <p>[Assignment: organization-defined frequency]</p> - </remarks> - </set-parameter> - <set-parameter param-id="ac-01_odp.06"> - <value>change in organizational legal status or ownership</value> - <remarks> - <p>[Assignment:organization-defined events]</p> - </remarks> - </set-parameter> - <set-parameter param-id="ac-01_odp.07"> - <value>at least annually</value> - <remarks> - <p>[Assignment: organization-defined frequency]</p> - </remarks> - </set-parameter> - <set-parameter param-id="ac-01_odp.08"> - <value>change in policy or a security incident involving a failure of access control mechanisms</value> - <remarks> - <p>[Assignment:organization-defined events]</p> - </remarks> + <set-parameter param-id="ia-01_odp.08"> + <value>merger or acquisition, change in organizational structure, or update to identity and access management system</value> + </set-parameter><set-parameter param-id="ia-01_odp.07"> + <value>Annually</value> + </set-parameter><set-parameter param-id="ia-01_odp.06"> + <value>Examples of events that would trigger a review and update of the current identification and authentication policy include: - Change in organizational structure or personnel - Introduction of new systems or applications - Change in user roles or access levels - Security incidents or breaches - Upgrade or modification to existing systems or applications - Changes in regulatory or legal requirements</value> + </set-parameter><set-parameter param-id="ia-01_odp.05"> + <value>Every 2 years</value> + </set-parameter><set-parameter param-id="ia-01_odp.04"> + <value>Chief Information Security Officer (CISO)</value> + 
</set-parameter><set-parameter param-id="ia-01_odp.03"> + <value>organization-level, mission/business process-level, system-level</value> + </set-parameter><set-parameter param-id="ia-01_odp.02"> + <value>System Administrators, Network Engineers, and Cybersecurity Team Members</value> + </set-parameter><set-parameter param-id="ia-01_odp.01"> + <value>System Administrators, Network Engineers, Security Team, and All New Hires</value> </set-parameter> <statement statement-id="ia-1_smt.a" uuid="11111111-2222-4000-8000-012000030100"> <by-component component-uuid="11111111-2222-4000-8000-009000000000" From a12fc5f7a35f5a37d12e26f6cc67588f242a19a9 Mon Sep 17 00:00:00 2001 From: Gabeblis <gabriel.rodriguez@gsa.gov> Date: Wed, 19 Feb 2025 15:57:00 +0000 Subject: [PATCH 4/5] Third Pass Fix Errors --- .../ssp/xml/fedramp-ssp-example.oscal.xml | 50 +++++++++++-------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index d3094b133..1056f00e5 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -340,6 +340,11 @@ <party uuid="11111111-2222-4000-8000-004000000007" type="organization"> <name>[SAMPLE]Remote System Org Name</name> </party> + <party uuid="11111111-0000-4000-9000-000000000001" type="organization"> + <name>Example Organization</name> + <short-name>ExOrg</short-name> + <link rel="website" href="https://example.com"/> + </party> <party uuid="11111111-2222-4000-8000-004000000008" type="person"> <name>[SAMPLE]ICA POC's Name</name> <prop name="job-title" value="Individual's Title"/> 
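Review bot: In the ia-1 hunk, ia-01_odp.03 is a selection parameter but is set with one comma-joined value, `<value>organization-level, mission/business process-level, system-level</value>`; the ac-01_odp.03 remarks removed in the same hunk say `This is a SELECT parameter. Use one "value" field for each selection.`, so emit three separate `<value>` elements. ia-01_odp.06 likewise carries explanatory prose ("Examples of events that would trigger a review and update ... include: - Change in organizational structure ...") instead of the organization-defined events themselves; set it to the actual assignment, as ia-01_odp.08 does. Check the frequencies too: the removed ac-01 values read "at least every 3 years" and "at least annually", while the new ia-01_odp.05 and ia-01_odp.07 read "Every 2 years" and "Annually"; confirm these match the FedRAMP-defined values for IA-1 rather than being ad hoc. Style: the new set-parameter elements run from ia-01_odp.08 down to ia-01_odp.01 with `</set-parameter><set-parameter ...>` jammed onto one line; order them 01 to 08, one element per line, like the rest of the file. On the ac-2_smt.k and ac-2_smt.l statements and the @@ -340 party hunk that follows: the `system-admin` responsible-role points at party 11111111-0000-4000-9000-000000000001, which the later hunk defines as `type="organization"` ("Example Organization"); confirm an organization rather than a person is intended for a system-administrator responsibility, and note that in this commit neither that party nor the `system-admin` role exists yet, so the example does not validate until the later patches land (reorder or squash the series).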
@@ -477,6 +482,9 @@ <responsible-party role-id="isso"> <party-uuid>11111111-2222-4000-8000-004000000010</party-uuid> </responsible-party> + <responsible-party role-id="creator"> + <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid> + </responsible-party> <responsible-party role-id="cloud-service-provider"> <party-uuid>11111111-2222-4000-8000-004000000001</party-uuid> <party-uuid>22222222-2222-4000-8000-004000000001</party-uuid> @@ -1102,10 +1110,10 @@ <responsible-role role-id="system-poc-technical"> <party-uuid>11111111-2222-4000-8000-004000000012</party-uuid> </responsible-role> - <protocol name="ldap" uuid="11111111-2222-4000-8000-010000000002"> + <!-- <protocol name="ldap" uuid="11111111-2222-4000-8000-010000000002"> <title>services - + -->

    Each interconnection to one or more remote systems must have:
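Review bot: At @@ -1102 the ldap `<protocol>` block is wrapped in an XML comment (`<!-- <protocol name="ldap" uuid="11111111-2222-4000-8000-010000000002">` ... `-->`) rather than removed or corrected; commented-out markup in a published example invites copy-paste and hides whatever the error was, so either delete the block or fix the element so it validates and keep it. At @@ -477 the new `<responsible-party role-id="creator">` references a role id that is not defined under metadata roles in this commit (it is added in the next patch), so this commit on its own fails role-id resolution; the new party uuid 11111111-0000-4000-9000-000000000001 also breaks the 11111111-2222-4000-8000-... pattern used by every neighbouring party, which is worth aligning for a sample file readers copy from.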

      @@ -1847,10 +1855,10 @@ 11111111-2222-4000-8000-004000000010 - + @@ -1860,8 +1868,8 @@ - - + + @@ -1888,7 +1896,7 @@ - @@ -1907,8 +1915,8 @@ - - + + @@ -1925,7 +1933,7 @@ - + OpenSSL

      Provide a description and any pertinent note regarding the use of this CM.

      @@ -1936,8 +1944,8 @@
      - - + + @@ -1965,14 +1973,14 @@ -

      .

      - + OpenSSL Some Other Validation

      This is another validation of the OpenSSL Cryptographic module that has nothing to do @@ -1982,7 +1990,7 @@ - @@ -2000,7 +2008,7 @@ - @@ -2164,10 +2172,10 @@ - + Appliance Sample @@ -2261,7 +2269,7 @@

      Legacy Example (No implemented-component).

      - + @@ -2270,7 +2278,7 @@ - + @@ -2909,7 +2917,7 @@ 11111111-2222-4000-8000-004000000008 -

      Description for the "this-system" component.

      From 9914d24640e00df28b6ae019b3d8c6deeec4e47a Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Wed, 19 Feb 2025 16:32:35 +0000 Subject: [PATCH 5/5] Fourth Pass Fix Errors --- .../examples/ssp/xml/fedramp-ssp-example.oscal.xml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 1056f00e5..3cc43cc78 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -66,6 +66,12 @@ Cloud Service Provider CSP + + Document Creator + + + System Administrator + Information System Owner @@ -1186,6 +1192,7 @@ UUID of remote system + @@ -1809,6 +1816,7 @@ +

      Provide any notes here about this connection that you wish to appear in Table Q.
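Review bot: The `creator` and `system-admin` roles at @@ -66 are defined here, two commits after their first use (`responsible-role role-id="system-admin"` in the ac-2/ia-1 changes and `responsible-party role-id="creator"` in the previous patch), so the intermediate commits reference undefined role ids; move this hunk into the first patch or squash the series so every commit validates. The hunks at @@ -1186 and @@ -1809 each add a single line whose element is not visible in this rendering, and the commit message "Fourth Pass Fix Errors" does not say which errors they fix; a one-line description per hunk in the message would let a reviewer check them.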

      @@ -1828,6 +1836,7 @@ +

      Provide any notes here about this connection that you wish to appear in Table Q.

      @@ -1887,7 +1896,7 @@
      - + Database Row Encryption Module (DREM)

      Briefly describe the cryptographic module.