CMMC Mapping

The easiest way to adhere to the mobility requirements of 800-171

SyncDog Applicability
SyncDog Notes
SyncDog offers out of the box functionality to accurately identify the end user and to control and administer access rights based on the profile and entitlements of that user
SyncDog offers out of the box functionality to accurately identify the end user and to control and administer access rights based on the profile and entitlements of that user
SyncDog offers out of the box functionality to accurately identify the end user and to control and administer access rights based on the profile and entitlements of that user
SyncDog offers out of the box functionality to accurately identify the end user and to control and administer access rights based on the profile and entitlements of that user
SyncDog offers out of the box functionality to accurately identify the end user and to control and administer access rights based on the profile and entitlements of that user
SyncDog uses profiles and entitlements to identify and administer rights and privileges of every user and track and audit all access and usage of data and files and to the solution itself.
Out of the box Functionality
Out of the box Functionality
Out of the box Functionality
Out of the box Functionality
Out of the box Functionality
SyncDog uses FIPS 140-2 Certified 256-bit encryption to secure all information being accessed through our solution while in transit and while at rest
Out of the box Functionality
This would not be a concern and additional action would not be necessary if using SyncDog. SyncDog's trusted mobile workspace alleviates concerns on how the device is connected by ensuring all data that flows over such connections is encrypted at all times
SyncDog's trusted mobile workspace alleviates concerns on how the device is connected by ensuring all data that flows over such connections is encrypted at all times using FIPS Certified 256-bit encryption
SyncDog's Trusted Mobile Workspace creates fully secure access from mobile devices by using FIPS 140-2 Certified 256-bit encryption while assigning and incorporating profiles and entitlements to identify rights and privileges of every authorized mobile user.
SyncDog's Trusted Mobile Workspace creates fully secure access from mobile devices by using FIPS 140-2 Certified 256-bit encryption while assigning and incorporating profiles and entitlements to identify rights and privileges of every mobile user. Our Data Loss Protection (DLP) and Data integrity capabilities are the hallmark of our solution.
The SyncDog Trusted workspace controls and isolates data and applications being accessed for work purposes and completely separates and protects it from data and applications (and the malware that could go with it) being accessed for personal use. Our DLP and Data integrity capabilities are the hallmark of our solution.
Out of the box Functionality
SyncDog uses profiles and entitlements to identify rights and privileges of every user and to track, audit and administer all access and usage of data and files and to the solution itself.
SyncDog uses profiles and entitlements to identify rights and privileges of every user and to track, audit and administer all access and usage of data and files and to the solution itself.
SyncDog uses profiles and entitlements to identify rights and privileges of every user and to track, audit and administer all access and usage of data and files and to the solution itself.
SyncDog uses profiles and entitlements to identify rights and privileges of every user and to track, audit and administer all access and usage of data and files and to the solution itself.
This would not be a concern and additional action would not be necessary if using SyncDog. The SyncDog Trusted workspace controls and isolates data and applications being accessed for work purposes and completely separates and protects it from data and applications (and the malware that could go with it) being accessed for personal use. Our DLP and Data integrity capabilities are the hallmark of our solution.
This would not be a concern and additional action would not be necessary if using SyncDog. The SyncDog Trusted workspace controls and isolates data and applications being accessed for work purposes and completely separates and protects it from data and applications (and the malware that could go with it) being accessed for personal use. Our DLP and Data integrity capabilities are the hallmark of our solution.
SyncDog offers out of the box functionality to accurately identify the end user and to control and administer access rights based on the profile and entitlements of that user
Fully Compliant
Fully Compliant. SyncDog protects against Man-in-the-Middle attacks and SSL replay attacks
Fully Compliant
Fully Compliant
Fully Compliant
Fully Compliant
Fully Compliant
Fully Compliant
Fully Compliant
SyncDog's Trusted Workspace uses a private, dedicated connection that fully secures access to data by using FIPS 140-2 Certified 256-bit encryption while assigning, incorporating and administering profiles and entitlements that identify rights and privileges of every user. Our DLP and Data integrity capabilities are the hallmark of our solution.
SyncDog's Trusted Workspace uses a private, dedicated connection that fully secures access to data by using FIPS 140-2 Certified 256-bit encryption while assigning, incorporating and administering profiles and entitlements that identify rights and privileges of every user. Our DLP and Data integrity capabilities are the hallmark of our solution.
Out of the box Functionality
SyncDog is fully compatible and integrates seamlessly with a segregated network environment
SyncDog's Trusted Workspace goes one step further by only allowing one direct communication from our workspace and fully encrypts all data being transmitted through that communication channel. Our DLP and Data integrity capabilities are the hallmark of our solution.
SyncDog's Trusted Workspace goes one step further by only allowing one direct communication from our workspace and fully encrypts all data being transmitted through that communication channel. Our DLP and Data integrity capabilities are the hallmark of our solution.
SyncDog's Trusted Workspace encrypts all data being accessed, transmitted or stored by the environment by using FIPS 140-2 Certified 256-bit encryption. Our DLP and Data integrity capabilities are the hallmark of our solution.
Out of the box Functionality
The SyncDog Trusted workspace provisions using an Elliptic curve Diffie-Hellman key exchange generated with a SHA-256 hashing algorithm. The multi-part crypto key is then spread out over the device so it cannot be re-generated
SyncDog's Trusted Workspace encrypts all data being accessed, transmitted or stored by the environment by using FIPS 140-2 Certified 256-bit encryption. Our DLP and Data integrity capabilities are the hallmark of our solution.
The SyncDog Trusted Workspace enables administrative control over all devices accessing the workspace and administers control over what apps and data are allowed to be accessed
Out of the box Functionality
Controlled through our integration with Koolspan
SyncDog's Trusted Workspace goes one step further by only allowing one direct communication from our workspace and fully encrypts all data being transmitted through that communication channel. Our DLP and Data integrity capabilities are the hallmark of our solution.
SyncDog uses FIPS 140-2 Certified 256-bit encryption to secure all information being accessed through our solution while in transit and while at rest. Our DLP and Data integrity capabilities are the hallmark of our solution.
The SyncDog Trusted Workspace is fully maintained and updated by SyncDog
The SyncDog Trusted Workspace completely isolates CUI/Government and corporate data from the device and operating system, creating an impenetrable shell that malicious code and other corruptive techniques are not able to access. So even if the device becomes corrupted or malicious code is accessed, CUI data and all other data in the workspace is still intact and protected. Our DLP and Data integrity capabilities are the hallmark of our solution
The SyncDog Trusted Workspace incorporates Anti Virus and Mobile Threat Detection capabilities as added security measures. But as stated above, even if corrupt data or files are accessed within the workspace or if the device or operating system is corrupted, all data and files within the workspace will remain intact and protected. Our DLP and Data integrity capabilities are the hallmark of our solution
Supported. And as noted above, these security mechanisms are only secondary to the isolation and encryption techniques utilized that protect the integrity of CUI and all other data even in the presence of malicious code and other threats
Supported. And as noted above, these security mechanisms are only secondary to the isolation and encryption techniques utilized that protect the integrity of CUI and all other data even in the presence of malicious code and other threats
The SyncDog Trusted Workspace completely isolates CUI/Government and corporate data from the device and operating system, creating an impenetrable shell that malicious code and other corruptive techniques are not able to access. So even if the device becomes corrupted or malicious code is accessed, CUI data and all other data in the workspace is still intact and protected. Our DLP and Data integrity capabilities are the hallmark of our solution
SyncDog uses profiles and entitlements to identify and administer rights and privileges of every user and track and audit all access and usage of data and files and to the solution itself. Our DLP and Data integrity capabilities are the hallmark of our solution.
NIST 800-171 Control Number
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.2.1
3.2.2
3.2.3
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.6.1
3.6.2
3.6.3
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9.1
3.9.2
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6
3.11.1
3.11.2
3.11.3
3.12.1
3.12.2
3.12.3
3.13.1
3.13.2
3.13.3
3.13.4
3.13.5
3.13.6
3.13.7
3.13.8
3.13.9
3.13.10
3.13.11
3.13.12
3.13.13
3.13.14
3.13.15
3.13.16
3.14.1
3.14.2
3.14.3
3.14.4
3.14.5
3.14.6
3.14.7
Control Family
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Access Control
Awareness and Training
Awareness and Training
Awareness and Training
Audit and Accountability
Audit and Accountability
Audit and Accountability
Audit and Accountability
Audit and Accountability
Audit and Accountability
Audit and Accountability
Audit and Accountability
Audit and Accountability
Configuration Management
Configuration Management
Configuration Management
Configuration Management
Configuration Management
Configuration Management
Configuration Management
Configuration Management
Configuration Management
Identification and Authentication
Identification and Authentication
Identification and Authentication
Identification and Authentication
Identification and Authentication
Identification and Authentication
Identification and Authentication
Identification and Authentication
Identification and Authentication
Identification and Authentication
Identification and Authentication
Incident Response
Incident Response
Incident Response
Maintenance
Maintenance
Maintenance
Maintenance
Maintenance
Maintenance
Media Protection
Media Protection
Media Protection
Media Protection
Media Protection
Media Protection
Media Protection
Media Protection
Media Protection
Personnel Security
Personnel Security
Physical Protection
Physical Protection
Physical Protection
Physical Protection
Physical Protection
Physical Protection
Risk Assessment
Risk Assessment
Risk Assessment
Security Assessment
Security Assessment
Security Assessment
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Communications Protection
System and Information Integrity
System and Information Integrity
System and Information Integrity
System and Information Integrity
System and Information Integrity
System and Information Integrity
Access Control
NIST 800-53 Mapped Control
AC-2, AC-3, AC-17
AC-2, AC-3, AC-17
AC-4
AC-5
AC-6, AC-6(1), AC-6(5)
AC-6(2)
AC-6(9), AC-6(10)
AC-7
AC-8
AC-11, AC-11(1)
AC-12
AC-17(1)
AC-17(2)
AC-17(3)
AC-17(4)
AC-18
AC-18(1)
AC-19
AC-19(5)
AC-20, AC-20(1)
AC-20(2)
AC-22
AT-2, AT-3
AT-2, AT-3
AT-2(2)
AU-2, AU-3, AU-3(1), AU-6, AU-12
AU-2, AU-3, AU-3(1), AU-6, AU-12
AU-2(3)
AU-5
AU-6(3)
AU-7
AU-8, AU-8(1)
AU-9
AU-9(4)
AU-9(4)
CM-2, CM-6, CM-8, CM-8(1)
CM-3
CM-4
CM-5
CM-7
CM-7(1), CM-7(2)
CM-7(4), CM-7(5)
CM-11
IA-2, IA-5
IA-2, IA-5
IA-2(1), IA-2(2), IA-2(3)
IA-2(8), IA-2(9)
IA-4
IA-4
IA-5(1)
IA-5(1)
IA-5(1)
IA-5(1)
IA-6
IR-2, IR-4, IR-5, IR-6, IR-7
IR-2, IR-4, IR-5, IR-6, IR-7
IR-3, IR-3(2)
MA-2, MA-3, MA-3(1), MA-3(2)
MA-2, MA-3, MA-3(1), MA-3(2)
MA-2, MA-3, MA-3(1), MA-3(2)
MA-3(2)
MA-4
MA-5
MP-2, MP-4, MP-6
MP-2, MP-4, MP-6
MP-2, MP-4, MP-6
MP-3
MP-5
MP-5(4)
MP-7
MP-7(1)
CP-9
PS-3, PS-4, PS-5
PS-3, PS-4, PS-5
PE-2, PE-5, PE-6
PE-2, PE-5, PE-6
PE-3
PE-3
PE-3
PE-17
RA-3
RA-5, RA-5(5)
RA-5
CA-2, CA-5, CA-7
CA-2, CA-5, CA-7
CA-2, CA-5, CA-7
SC-7, SA-8
SC-7, SA-8
SC-2
SC-4
SC-7
SC-7(5)
SC-7(7)
SC-8, SC-8(1)
SC-10
SC-12
SC-13
SC-15
SC-18
SC-19
SC-23
SC-28
SI-2, SI-3, SI-5
SI-2, SI-3, SI-5
SI-2, SI-3, SI-5
SI-3
SI-3
SI-4, SI-4(4)
SI-4
Control Text
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Control the flow of CUI in accordance with approved authorizations.
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Use non-privileged accounts or roles when accessing nonsecurity functions.
Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
Limit unsuccessful logon attempts.
Provide privacy and security notices consistent with applicable CUI rules.
Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
Terminate (automatically) a user session after a defined condition.
Monitor and control remote access sessions.
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Route remote access via managed access control points.
Authorize remote execution of privileged commands and remote access to security-relevant information.
Authorize wireless access prior to allowing such connections.
Protect wireless access using authentication and encryption.
Control connection of mobile devices.
Encrypt CUI on mobile devices.
Verify and control/limit connections to and use of external information systems.
Limit use of organizational portable storage devices on external information systems.
Control information posted or processed on publicly accessible information systems.
Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Review and update audited events.
Alert in the event of an audit process failure.
Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
Provide audit reduction and report generation to support on-demand analysis and reporting.
Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Protect audit information and audit tools from unauthorized access, modification, and deletion.
Limit management of audit functionality to a subset of privileged users.
Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Establish and enforce security configuration settings for information technology products employed in organizational information systems.
Track, review, approve/disapprove, and audit changes to information systems.
Analyze the security impact of changes prior to implementation.
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Control and monitor user-installed software.
Identify information system users, processes acting on behalf of users, or devices.
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Prevent reuse of identifiers for a defined period.
Disable identifiers after a defined period of inactivity.
Enforce a minimum password complexity and change of characters when new passwords are created.
Prohibit password reuse for a specified number of generations.
Allow temporary password use for system logons with an immediate change to a permanent password.
Store and transmit only encrypted representation of passwords.
Obscure feedback of authentication information.
Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Test the organizational incident response capability.
Perform maintenance on organizational information systems.
Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Applies Computer Data and Media Disposal Policy (IT-21); media must be sanitized of all UI data before it is moved out of UI control.
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Supervise the maintenance activities of maintenance personnel without required access authorization.
Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
Limit access to CUI on information system media to authorized users.
Sanitize or destroy information system media containing CUI before disposal or release for reuse.
Mark media with necessary CUI markings and distribution limitations.
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Control the use of removable media on information system components.
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Control the flow of CUI in accordance with approved authorizations.
Screen individuals prior to authorizing access to information systems containing CUI.
Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Protect and monitor the physical facility and support infrastructure for those information systems.
Escort visitors and monitor visitor activity.
Maintain audit logs of physical access.
Control and manage physical access devices.
Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
Remediate vulnerabilities in accordance with assessments of risk.
Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Separate user functionality from information system management functionality.
Prevent unauthorized and unintended information transfer via shared system resources.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Establish and manage cryptographic keys for cryptography employed in the information system.
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
Control and monitor the use of mobile code.
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Protect the authenticity of communications sessions.
Protect the confidentiality of CUI at rest.
Identify, report, and correct information and information system flaws in a timely manner.
Provide protection from malicious code at appropriate locations within organizational information systems.
Monitor information system security alerts and advisories and take appropriate actions in response.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Identify unauthorized use of the information system.
Requirement
Maintain list of authorized users defining their identity and associated role and sync with system, application and data layers. Account requests must be authorized before access is granted.
Utilize access control lists (derived from 3.1.1) to limit access to applications and data based on role and/or identity. Log access as appropriate.
Enforce approved authorizations for controlling the flow of information within the system and between interconnected systems based on University policies.
If a system user accesses data as well as maintains the system in some way, create separate accounts with appropriate access levels to separate functions.
Only grant enough privileges to a system user to allow them to sufficiently fulfill their job duties. 3.1.4 references account separation.
Users with multiple accounts (as defined in 3.1.4 and 3.1.5) must logon with the least privileged account. Access to non-security functions must be performed with an unprivileged account.
Enable auditing of all privileged functions, and control access using access control lists based on identity or role.
Configure system to lock logon mechanism for a predetermined time and lock user account out of system after a predetermined number of invalid logon attempts.
Logon screen should display appropriate notices.
Configure system to lock session after a predetermined time of inactivity. Allow user to lock session for temporary absence.
Configure system to end a user session after a predetermined time based on duration and/or inactivity of session.
Run network and system monitoring applications to monitor remote system access and log accordingly.
Any application used to remotely access the system must use approved encryption methods.
The information system routes all remote access through managed network access control points.
The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for emergency purposes, and documents the rationale for such access in the security plan for the information system.
The organization establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and authorizes wireless access to the IS before allowing such connections.
The information system protects wireless access to the system using authentication of users and encryption.
The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, and authorizes the connection of mobile devices to the information system.
The organization employs full-device drive encryption to protect the confidentiality and integrity of information on organization-defined mobile devices.
The organization establishes terms and conditions, consistent with any trust relationships established with other external information systems, allowing authorized individuals to access the UI information system from external locations; and process, store, and transmit organization-controlled information using external information systems.
The organization restricts the use of portable storage devices by authorized individuals on external information systems.
The organization designates individuals authorized to post information at publicly-accessible locations; trains authorized individuals to ensure public information does not contain non-public information; reviews proposed content prior to public posting; and annually reviews the content of public data for non-public information release (and removes such information if discovered).
Users, managers, and system administrators of the information system will receive initial and annual training commensurate with their role and responsibilities. The training will provide a basic understanding of the need for information security, applicable policies, standards, and procedures related to the security of the information system, as well as user actions to maintain security and respond to suspected security incidents. The content will also address awareness of the need for operations security.
Personnel with security-related duties and responsibilities will receive initial and annual training on their specific operational, managerial, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Training will address required security controls related to environmental and physical security risks, as well as training on indications of potentially suspicious email or web communications, to include suspicious communications and other anomalous system behavior.
Users, managers, and administrators of the information system will receive annual training on potential indicators and possible precursors of insider threat, to include long-term job dissatisfaction, attempts to gain unauthorized access to information, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security training will include how to communicate employee and management concerns regarding potential indicators of insider threat in accordance with established organizational policies and procedures.
The organization creates, protects, retains information system audit records for between 30-days and 1-year (depending on data source) in order to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
The organization correlates network activity to individual user information in order to uniquely trace and hold accountable users responsible for unauthorized actions.
The organization reviews and updates audited events annually.
The information system alerts the Security Office in the event of an audit processing failure, and maintains audit records on host servers.
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
The information system's audit capability provides an audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements and after-the-fact security investigations; and does not alter the original content or time ordering of audit records.
The information system uses internal system clocks to generate time stamps for audit records, and records time stamps that can be mapped to UTC; compares system clocks with authoritative NTP servers, and synchronizes system clocks when the time difference is greater than 1 second.
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
The organization authorizes access to management of audit functionality to only authorized individuals.
Enforce approved authorizations for controlling the flow of information within the system and between interconnected systems based on University policies.
Security settings will be included as part of baseline configurations. Security settings will reflect the most restrictive appropriate for compliance requirements. Changes or deviations to security settings will be documented.
Changes or deviations to information system security control configurations that affect compliance requirements will be reviewed and approved by a change advisory board. The changes will also be tracked and documented in an approved service management system (ITSM) or equivalent tracking service. Change control tracking will be audited annually.
Only those individuals approved to make physical or logical changes on information systems will be allowed to do so. Authorized personnel will be approved and documented by the service owner and IT security. All change documentation will include the authorized personnel making the change.
Only those individuals approved to make physical or logical changes on information systems will be allowed to do so. Authorized personnel will be approved and documented by the service owner and IT security. All change documentation will include the authorized personnel making the change.
Information systems will be configured to deliver one function per system where practical.
Only those ports and protocols necessary to provide the service of the information system will be configured for that system. Applications and services not necessary to provide the service of the information system will not be configured or enabled. Systems services will be reviewed to determine what is essential for the function of that system.
The information system will be configured to only allow authorized software to run. The system will be configured to disallow running unauthorized software. The controls for allowing or disallowing the running of software may include, but are not limited to, the use of firewalls to restrict port access and user operational controls.
User controls will be in place to prohibit the installation of unauthorized software. All software for information systems must be approved.
Systems will make use of institutionally assigned accounts for unique access by each individual. Should service accounts be necessary for device or process authentication, the accounts will be created by the central identity management team and assigned to a member of the research team. Institutional and service accounts are managed centrally and deprovisioned automatically when an individual leaves.
Per control 3.5.1, the accounts in use will be assigned and managed by the university's central identity management system. Accounts are provisioned as part of the established account creation process. Accounts are uniquely assigned to faculty and staff upon hire; students upon matriculation; or affiliates when sponsored by an authorized faculty or staff member. Access to data associated with the project is controlled through role-based authorization by the project's PI. Initial passwords are randomly generated strings provided via a password reset mechanism to each faculty, staff, student or affiliate. The password must be reset upon first use. All passwords are at least 8 characters, and require a mix of upper and lower case letters, numbers, and special characters.
Any network access to servers and virtual machines hosting the project data requires multifactor authentication regardless of whether the account is privileged or unprivileged.
Only anti-replay authentication mechanisms will be used. The authentication front-end technologies include Shibboleth, SSH, Microsoft Remote Desktop Protocol, and Cisco SSL VPN. Backend authentication mechanisms in use include Kerberos and Active Directory.
Per control 3.5.1, the accounts in use will be assigned and managed by the university's central identity management system. Accounts are provisioned as part of the established account creation process. Accounts are uniquely assigned to faculty, staff, students and affiliates (guests). Account identifiers are not reused.
User accounts or identifiers associated with a project or contract covered by NIST 800-171 are monitored for inactivity. Account access to the in-scope systems after 90/180/365 days of inactivity.
Account passwords must be a minimum of 8 characters and a mix of upper/lower case, numbers and symbols.
Passwords may not be re-used for XX days. Users may not re-use the same password when changing their password for at least XX changes.
New employees will receive an account and instructions for creating a password from HR during the hiring process. New students receive notification of their account via email with an activation link to set their initial password. Temporary password activation links are sent to validated faculty, staff and students should they require a password reset or change. Temporary passwords are only good to allow for a password reset.
Passwords are not stored in reversible encryption form in any of our systems. Instead, they are stored as one-way hashes constructed from passwords.
The most basic feedback control is never informing the user in an error message what part of the authentication transaction failed.
The organization maintains a standardized incident-response framework that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
The organization tracks, documents, and reports incidents to appropriate authorities and/or officials both inside and outside the organization.
The organization tests the incident response capability for the information system at least annually using tabletop exercises and simulations to determine incident response effectiveness and documents the results.
All systems, devices, and supporting systems for organizational information systems must be maintained according to manufacturer recommendations or organizationally defined schedules.
Organizations will put in place controls that limit the tools, techniques, mechanisms and personnel that will be used to maintain information systems, devices, and supporting systems. This can include lists of authorized tools, authorized personnel, and authorized techniques and mechanisms. Any such maintenance must occur within the context of other information systems controls in place.
Any media that is removed from the premises for maintenance or disposal must be sanitized according to the organization's media sanitization policies.
Any media that is provided by authorized maintenance personnel (and not normal system administrators/owners) for troubleshooting, diagnostics, or other maintenance must be run through an anti-virus/anti-malware program prior to use in an organizational information system.
All remote access to an information system for maintenance or diagnostics must occur via an approved remote solution using multi-factor authentication. A remote session must be disconnected when maintenance is complete.
All activities of maintenance personnel who do not normally have access to a system must be monitored. The organization will define approved methods for supervision.
Responsible parties for data in these systems will document and ensure proper authorization controls for data in media and print. Documented workflow, data access controls and media policy will be enforced to ensure proper access controls.
All CUI systems will be managed under least access rules.
All managed data storage will be erased, encrypted or destroyed using mechanisms with sufficient power to ensure that no usable data is retrievable from storage devices identified in the workflow of these systems/services.
All CUI systems will be identified with an asset control identifier.
Only approved individuals are to have access to media from CUI systems. Chain of evidence will be maintained for any media removed from these systems.
All CUI data on media will be encrypted or physically locked prior to transport outside of the institution's secure locations.
Removable media will only be allowed if there are processes in place to control them. Removable media must be able to support physical encryption, and key vaulting must be utilized to ensure recoverability.
Only approved portable storage devices under asset management are to be used to store CUI data.
Data backups will be encrypted on media before removal from a secured facility.
The organization will screen individuals prior to authorizing access to the information system, in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Criteria may include, for example, position sensitivity background screening requirements.
The organization will disable information system access prior to individual termination or transfer. Within 24 hours of termination or transfer, the organization will revoke any authenticators/credentials associated with the individual, retrieve all organizational information system-related property from the individual, retain access to organizational information and information systems formerly controlled by the individual, and notify the information security office and data owner of the change in authorization.
The Area/Building Manager will designate building areas as "sensitive" and design physical security protections (including guards, locks, cameras, card readers, etc.) as necessary to limit physical access to the area to only authorized individuals. Output devices such as printers should be placed in areas where their use does not expose data to unauthorized individuals.
The Area/Building Manager will review the location and type of physical security in use (including guards, locks, card readers, etc) and evaluate its suitability for the organization's needs.
All visitors to sensitive areas will be escorted by an authorized employee at all times.
Logs of physical access to sensitive areas are maintained according to retention policies. This includes authorized access as well as visitor access.
Physical access devices (such as card readers, proximity readers, and locks) will be maintained and operated according to the manufacturer recommendations. These devices will be updated with any changed access control information as necessary to prevent unauthorized access. The Area/Building Manager will review the location and type of each physical access device and evaluate its suitability for the organization's needs.
All alternate sites where sensitive data is stored or processed must meet the same physical security requirements as the main site.
The stewards of the system/services will provide an initial and periodic risk assessment. The assessments will be impact scored using FIPS 199. Changes in the environment that may affect the system or service, changes in use of or infrastructure will be documented and assessed as modified. The impact analysis is to be a living document and incorporated into a larger risk assessment profile for the system/service.
Systems will be periodically scanned for common and new vulnerabilities. Any vulnerability not documented will be risk assessed and documented. Reports regarding the scans will be made available to system stewards and owners in a timely manner.
Stewards and owners, upon recognition of any vulnerability, will provide an action plan for remediation, acceptance, aversion or transference of the vulnerability risk, including a reasonable time frame for implementation. All high vulnerabilities will be prioritized.
An annual security assessment will be conducted to ensure that security controls are implemented correctly and meet the security requirements for the compliance environment. The assessment scope includes all information systems and networks in or directly connected to the compliance environment and all security controls and procedures necessary to meet the compliance requirements of the environment. The assessment will include, but is not limited to, vulnerability scanning, penetration testing, security control testing and reviews, configuration testing and reviews, log reviews, and personnel interviews. A representative sampling of systems will be assessed. Information Security, or an independent security auditor, will conduct the assessment. A final written assessment report and findings will be provided to the CIO at the conclusion of the assessment.
An action plan to remediate identified weaknesses or deficiencies will be maintained. The action plan will designate remediation dates and milestones for each item. Deficiencies and weaknesses identified in security controls assessments, security impact analyses, and continuous monitoring activities will be added to the action plan within 30 days of the findings being reported.
At a minimum, systems will be monitored for privileged access, permission changes, kernel modifications, and binary changes, against a control and system baseline. Continuous monitoring reports and alerts will be reviewed daily. Unauthorized changes or unauthorized access will be reported to the CISO and information system owner within 24 hours of it being reported.
Enumerate policies for managed interfaces such as gateways, routers, firewalls, VPNs; organizational DMZs; and restricting external web traffic to only designated servers.
Outline organizational information security policies, to include standards for architectural design, software development, and system engineering principles designed to promote information security.
Enumerate the physical or logical controls used to separate user functionality from system management-related functionality (e.g., to ensure that administration (e.g. privilege) options are not available to general users).
Enumerate the controls implemented to prevent object reuse and to protect residual information.
Outline the policies for organizational DMZs.
Document all business need exceptions to network communications traffic (inbound/outbound) “deny all” policies.
Outline controls to prevent split tunneling in remote devices, and to mandate VPN use when necessary for business functions.
Outline the processes and automated mechanisms used to provide encryption of CUI during transmission; or document all alternative physical safeguards used to provide confidentiality of CUI during transmission.
Outline controls for terminating communications sessions on both internal and external networks (e.g., deallocating TCP/IP addresses/port pairs); and institute time periods of inactivity based on type of network accesses.
Outline the processes and automated mechanisms used to provide key management within the information system (should also follow any relevant laws, regulations, and policies).
Outline where FIPS-validated cryptography is used.
Enumerate actions to remove or disable collaborative computing devices from information systems housing CUI; and to notify users when collaborative computing devices are in use (e.g., cameras, microphones, etc.).
Define limits of mobile code usage, establish usage restrictions, and specifically authorize use of mobile code (e.g., Java, ActiveX, Flash, etc.) within an information system.
Define and establish usage restrictions, and specifically authorize the business necessary use of VoIP technologies within an information system.
Outline the controls implemented to protect session communications (e.g., the controls implemented to validate identities and information transmitted to protect against MITM attacks, session hijacking, and insertion of false information into sessions).
Outline controls used to protect CUI while stored in organizational information systems.
The organization will perform all security-relevant software updates, to include patching, service packs, hot fixes, and anti-virus signature additions in response to identified system flaws and vulnerabilities within the time prescribed by organizational policy (Critical/High: 5 days, Moderate: 30 days, Low: As-Available). When available, managers and administrators of the information system will rely on centralized management of the flaw remediation process, to include the use of automated update software, patch management tools, and automated status scanning.
The organization will employ malicious code protection mechanisms at information system entry and exit points to minimize the presence of malicious code. These protection mechanisms may include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices.
The organization will receive security alerts, advisories, and directives from reputable external agencies, and disseminate this information to individuals with need-to-know in the organization. In the event of alerts, advisories, or directives that have widespread impact on the organization, internal security directives will be disseminated directly to information system users, managers, and administrators.
The organization will update information system protection mechanisms within 5 days of new releases.
The organization will perform quarterly scans of the information system, as well as real-time scanning of files from external sources.
The organization will monitor the information system to detect attacks and indicators of potential attacks, as well as unauthorized local, network, and remote connections. The organization will strategically deploy monitoring devices within the information system to collect essential information system. Information gained from these monitoring tools will be protected from unauthorized access, modification, and deletion.
The organization will monitor the information system to identify unauthorized access and use, as well as potential misuse of the information system.
