NIST SP 800-53A
Special Publication 800-53A
Guide for Assessing the Security Controls in Federal Information Systems and Organizations
________________________________________________________________________________________________
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT
ASSESSMENT PROCEDURE
SA-12 SUPPLY CHAIN PROTECTION
SA-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the measures to be employed to protect against supply chain threats; and
(ii) the organization protects against supply chain threats by employing organization-defined measures as part of a comprehensive, defense-in-breadth information security strategy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; acquisition contracts and service level agreements; list of supply chain threats; list of measures to be taken against supply chain threats; information system development life cycle documentation; other relevant documents or records].
SA-12(1) SUPPLY CHAIN PROTECTION
SA-12(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization purchases all anticipated information system components and spares in the initial acquisition.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
SA-12(2) SUPPLY CHAIN PROTECTION
SA-12(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware, software, firmware, or services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; due diligence reviews documentation; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with supply chain protection responsibilities; organizational personnel with information system security, acquisition, and contracting responsibilities].
APPENDIX F-SA | PAGE F-251
SA-12(3) SUPPLY CHAIN PROTECTION
SA-12(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses trusted shipping and warehousing for:
- information systems;
- information system components; and
- information technology products.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with supply chain protection responsibilities; organizational personnel with information system security, acquisition, and contracting responsibilities].
SA-12(4) SUPPLY CHAIN PROTECTION
SA-12(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs a diverse set of suppliers for:
- information systems;
- information system components;
- information technology products; and
- information system services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
SA-12(5) SUPPLY CHAIN PROTECTION
SA-12(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs standard configurations for:
- information systems;
- information system components; and
- information technology products.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; configuration management policy; procedures addressing the baseline configuration of the information system; configuration management plan; information system design documentation; information system architecture and configuration documentation; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
SA-12(6) SUPPLY CHAIN PROTECTION
SA-12(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization minimizes the time between purchase decisions and delivery of:
- information systems;
- information system components; and
- information technology products.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; shipment records; other relevant documents or records].
SA-12(7) SUPPLY CHAIN PROTECTION
SA-12(7).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs independent analysis and penetration testing against delivered:
- information systems;
- information system components; and
- information technology products.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; penetration testing records; security test and evaluation results reports; other relevant documents or records].
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT
ASSESSMENT PROCEDURE
SA-13 TRUSTWORTHINESS
SA-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the organization’s level of trustworthiness; and
(ii) the organization requires that the information system meet the organization-defined level of trustworthiness.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; information system design documentation; security requirements and security specifications for the information system; penetration test and vulnerability scan reports; security test and evaluation results; authority to operate documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; information system authorizing official].
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT
ASSESSMENT PROCEDURE
SA-14 CRITICAL INFORMATION SYSTEM COMPONENTS
SA-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the critical information system components that require re-implementation; and
(ii) the organization re-implements organization-defined critical information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; configuration management plan; list of critical information system components requiring re-implementation; configuration baseline for critical information system components; configuration management records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel implementing, operating, and/or maintaining the information system].
SA-14(1) CRITICAL INFORMATION SYSTEM COMPONENTS
SA-14(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies information system components for which alternative sourcing is not viable;
(ii) the organization defines the measures to be employed to prevent critical security controls for information system components from being compromised; and
(iii) the organization employs organization-defined measures to ensure that critical security controls for information system components are not compromised.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; information system design documentation; information system configuration settings and associated documentation; list of information system components; security requirements and security specifications for the information system; penetration test and vulnerability scan reports; security test and evaluation results; other relevant documents or records].
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system and communications protection policy;
(ii) the organization system and communications protection policy addresses:
- purpose;
- scope;
- roles and responsibilities;
- management commitment;
- coordination among organizational entities; and
- compliance;
(iii) the organization disseminates formal documented system and communications protection policy to elements within the organization having associated system and communications protection roles and responsibilities;
(iv) the organization develops and formally documents system and communications protection procedures;
(v) the organization system and communications protection procedures facilitate implementation of the system and communications protection policy and associated system and communications protection controls; and
(vi) the organization disseminates formal documented system and communications protection procedures to elements within the organization having associated system and communications protection roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities].
SC-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system and communications protection policy reviews/updates;
(ii) the organization reviews/updates system and communications protection policy in accordance with organization-defined frequency; and
(iii) the organization defines the frequency of system and communications protection procedure reviews/updates;
(iv) the organization reviews/updates system and communications protection procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities].
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
SC-2 APPLICATION PARTITIONING
SC-2.1 ASSESSMENT OBJECTIVE:
Determine if the information system separates user functionality (including user interface services) from information system management functionality.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Separation of user functionality from information system management functionality].
SC-2(1) APPLICATION PARTITIONING
SC-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system prevents the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Separation of user functionality from information system management functionality].
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
SC-3 SECURITY FUNCTION ISOLATION
SC-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security functions of the information system to be isolated from nonsecurity functions; and
(ii) the information system isolates security functions from nonsecurity functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of security functions to be isolated from nonsecurity functions; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Separation of security functions from nonsecurity functions within the information system].
SC-3(1) SECURITY FUNCTION ISOLATION
SC-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system implements underlying hardware separation mechanisms to facilitate security function isolation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; hardware separation mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Hardware separation mechanisms facilitating security function isolation].
SC-3(2) SECURITY FUNCTION ISOLATION
SC-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system isolates security functions enforcing access and information flow control from both nonsecurity functions and other security functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of critical security functions; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Isolation of security functions enforcing access and information flow control].
SC-3(3) SECURITY FUNCTION ISOLATION
SC-3(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
SC-3(4) SECURITY FUNCTION ISOLATION
SC-3(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization implements security functions as largely independent modules that avoid unnecessary interactions between modules.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
SC-3(5) SECURITY FUNCTION ISOLATION
SC-3(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
SC-4 INFORMATION IN SHARED RESOURCES
SC-4.1 ASSESSMENT OBJECTIVE:
Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing information remnance; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system for unauthorized and unintended transfer of information via shared system resources].
SC-4(1) INFORMATION IN SHARED RESOURCES
SC-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system does not share resources that are used to interface with systems operating at different security levels.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing information remnance; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].