NIST SP 800-53A
Special Publication 800-53A
Guide for Assessing the Security Controls in Federal Information Systems and Organizations
SC-23(3) SESSION AUTHENTICITY
SC-23(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system generates a unique session identifier for each session; and
(ii) the information system recognizes only session identifiers that are system-generated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms generating and monitoring unique session identifiers].
SC-23(4) SESSION AUTHENTICITY
SC-23(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines requirements for randomly generating unique session identifiers; and
(ii) the information system generates unique session identifiers in accordance with organization-defined randomness requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms generating unique session identifiers].
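As an added example (not part of SP 800-53A), the following minimal server-side session store shows the two SC-23(3) objectives and the SC-23(4) randomness requirement in code: identifiers are unique, drawn from a CSPRNG, and only values the system itself issued are recognized. The 128-bit minimum is an assumed organization-defined value, and `assess_identifiers` is a hypothetical helper of the kind an assessor might run under the "Test" method above.

```python
import math
import secrets
from typing import Dict, Optional

# Organization-defined randomness requirement (an assumed value for this example):
# every session identifier carries at least 128 bits drawn from a CSPRNG.
MIN_ENTROPY_BITS = 128


class SessionStore:
    """Issues session identifiers and recognizes only the ones it issued."""

    def __init__(self, entropy_bits: int = MIN_ENTROPY_BITS) -> None:
        # A weaker setting is rejected at construction rather than silently accepted.
        if entropy_bits < MIN_ENTROPY_BITS:
            raise ValueError("session identifier entropy below organization-defined minimum")
        self.entropy_bits = entropy_bits
        self._nbytes = math.ceil(entropy_bits / 8)
        self._issued: Dict[str, str] = {}  # session id -> authenticated principal

    def create(self, principal: str) -> str:
        # SC-23(4)(ii): the identifier comes from the OS CSPRNG, not a counter or clock.
        sid = secrets.token_urlsafe(self._nbytes)
        # SC-23(3)(i): never hand out an identifier that is still live.
        while sid in self._issued:
            sid = secrets.token_urlsafe(self._nbytes)
        self._issued[sid] = principal
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        # SC-23(3)(ii): a value this system did not issue is unknown, however
        # well-formed it looks; client-supplied identifiers are never adopted.
        return self._issued.get(sid)

    def revoke(self, sid: str) -> None:
        self._issued.pop(sid, None)


def assess_identifiers(store: SessionStore, samples: int) -> Dict[str, object]:
    """Issue `samples` identifiers and check uniqueness and the length implied by the entropy requirement."""
    ids = [store.create("assessment-probe") for _ in range(samples)]
    # token_urlsafe yields 6 bits per character, so this is the minimum width for entropy_bits.
    min_chars = math.ceil(store.entropy_bits / 6)
    report = {
        "issued": samples,
        "unique": len(set(ids)),
        "all_unique": len(set(ids)) == samples,
        "all_meet_length": all(len(s) >= min_chars for s in ids),
    }
    for s in ids:  # probes are not real sessions; do not leave them live
        store.revoke(s)
    return report
```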
APPENDIX F-SC PAGE F-291
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
CLASS: TECHNICAL
ASSESSMENT PROCEDURE
SC-24 FAIL IN KNOWN STATE
SC-24.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the known-states the information system should fail to in the event of a system failure;
(ii) the organization defines types of failures for which the information system should fail to an organization-defined known-state;
(iii) the organization defines the system state information that should be preserved in the event of a system failure;
(iv) the information system fails to an organization-defined known-state for an organization-defined type of failure; and
(v) the information system preserves organization-defined system state information in the event of a system failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing information system failure; information system design documentation; information system configuration settings and associated documentation; list of failures requiring information system to fail in a known state; state information to be preserved in system failure; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing fail-in-known-state capability].
SC-25 THIN NODES
SC-25.1 ASSESSMENT OBJECTIVE:
Determine if the information system employs processing components that have minimal functionality and information storage.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of thin nodes; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
SC-26 HONEYPOTS
SC-26.1 ASSESSMENT OBJECTIVE:
Determine if the information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of honeypots; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
SC-26(1) HONEYPOTS
SC-26(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system includes components that proactively seek to identify Web-based malicious code.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of honeypots; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms proactively seeking Web-based malicious code].
SC-27 OPERATING SYSTEM-INDEPENDENT APPLICATIONS
SC-27.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines applications that are operating system-independent; and
(ii) the information system includes organization-defined operating system-independent applications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing operating system-independent applications; information system design documentation; information system configuration settings and associated documentation; list of operating system-independent applications; other relevant documents or records].
SC-28 PROTECTION OF INFORMATION AT REST
SC-28.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the confidentiality and integrity of information at rest.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information at rest; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; list of information at rest requiring confidentiality and integrity protections; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing confidentiality and integrity protections for information at-rest].
SC-28(1) PROTECTION OF INFORMATION AT REST
SC-28(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures; and
(ii) the organization employs cryptographic mechanisms to prevent unauthorized modification of information at rest unless otherwise protected by alternative physical measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information at rest; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms implementing confidentiality and integrity protections for information at-rest].
SC-29 HETEROGENEITY
SC-29.1 ASSESSMENT OBJECTIVE:
Determine if the organization employs diverse information technologies in the implementation of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; list of technologies deployed in the information system; acquisition documentation; acquisition contracts for information system components or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system acquisition, development, and implementation responsibilities].
SC-30 VIRTUALIZATION TECHNIQUES
SC-30.1 ASSESSMENT OBJECTIVE:
Determine if the organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of virtualization techniques to be employed for organizational information systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing approved virtualization techniques for information systems].
SC-30(1) VIRTUALIZATION TECHNIQUES
SC-30(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of changes to operating systems and applications through the use of virtualization techniques; and
(ii) the organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; configuration management policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system architecture; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing approved virtualization techniques for information systems].
SC-30(2) VIRTUALIZATION TECHNIQUES
SC-30(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs randomness in the implementation of the virtualization techniques.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing approved virtualization techniques for information systems].
SC-31 COVERT CHANNEL ANALYSIS
SC-31.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; information system design documentation; information system configuration settings and associated documentation; covert channel analysis documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with covert channel analysis responsibilities; information system developers/integrators].
SC-31(1) COVERT CHANNEL ANALYSIS
SC-31(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization tests a subset of the vendor-identified covert channel avenues to determine if such channels are exploitable.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; information system design documentation; information system configuration settings and associated documentation; list of vendor-identified covert channel avenues or exploits; covert channel analysis documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with covert channel analysis responsibilities; information system developers/integrators].
Test: [SELECT FROM: Covert channel avenues to determine if such channels are exploitable].
SC-32 INFORMATION SYSTEM PARTITIONING
SC-32.1 ASSESSMENT OBJECTIVE:
Determine if the organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system physical domains (or environments); information system facility diagrams; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel installing, configuring, and/or maintaining the information system].