3.1 ACCESS CONTROL

3.1.1e
Employ dual authorization to execute critical or sensitive system and organizational operations.

3.1.2e
Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

3.1.3e
Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems.

3.2 AWARENESS AND TRAINING

3.2.1e
Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training [Assignment: organization-defined frequency] or when there are significant changes to the threat.

3.2.2e
Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

3.3 AUDIT AND ACCOUNTABILITY

3.4 CONFIGURATION MANAGEMENT

3.4.1e
Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.

3.4.2e
Employ automated mechanisms to detect the presence of misconfigured or unauthorized system components; remove the components or place the components in a quarantine or remediation network that allows for patching, re-configuration, or other mitigations.

3.4.3e
Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.

3.5 IDENTIFICATION AND AUTHENTICATION

3.5.1e
Identify and authenticate [Assignment: organization-defined systems and system components] before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
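The three properties 3.5.1e names (bidirectional, cryptographically based, replay resistant) are easy to state and easy to get half right. The Go program below is an added example written for this page, not text or code from the requirements document or from any product: each side issues a fresh nonce, each side signs a transcript that binds both identities and both nonces with its own Ed25519 key, and each side verifies the other under a pinned public key before the connection is allowed. The names (Peer, Handshake, the "mutual-auth-v1" transcript label, the IDs "server" and "device-01") are hypothetical, pinning a single peer key stands in for whatever enrollment or PKI an organization actually uses, and the peers and the recorded response are constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Peer is one endpoint of a bidirectional challenge-response handshake: its own
// Ed25519 key pair, the pinned key of the one component it may talk to (a
// hypothetical stand-in for real enrollment/PKI), and its outstanding nonces.
type Peer struct {
	ID      string
	Pub     ed25519.PublicKey
	PeerPub ed25519.PublicKey
	priv    ed25519.PrivateKey
	issued  map[[32]byte]bool
}

func NewPeer(id string) *Peer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Peer{ID: id, Pub: pub, priv: priv, issued: map[[32]byte]bool{}}
}

// Challenge returns a fresh random nonce and records it as outstanding.
func (p *Peer) Challenge() [32]byte {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	p.issued[n] = true
	return n
}

// transcript binds both identities and both nonces, so a signature produced for
// one direction of one session cannot be reused in any other context.
func transcript(signer, verifier string, signerNonce, verifierNonce [32]byte) []byte {
	msg := []byte("mutual-auth-v1|" + signer + "|" + verifier + "|")
	msg = append(msg, signerNonce[:]...)
	return append(msg, verifierNonce[:]...)
}

// Respond signs the transcript over the nonce this side issued and the nonce it
// received from the peer.
func (p *Peer) Respond(peerID string, myNonce, peerNonce [32]byte) []byte {
	return ed25519.Sign(p.priv, transcript(p.ID, peerID, myNonce, peerNonce))
}

// Verify accepts a response only if myNonce is still outstanding and the
// signature verifies under the pinned key; the nonce is then consumed.
func (p *Peer) Verify(peerID string, myNonce, peerNonce [32]byte, sig []byte) error {
	if len(p.PeerPub) != ed25519.PublicKeySize {
		return errors.New("no peer key pinned")
	}
	if !p.issued[myNonce] {
		return errors.New("nonce unknown or already used")
	}
	if !ed25519.Verify(p.PeerPub, transcript(peerID, p.ID, peerNonce, myNonce), sig) {
		return errors.New("signature does not verify under pinned key")
	}
	delete(p.issued, myNonce)
	return nil
}

// Handshake runs both directions; the connection proceeds only if each side
// has authenticated the other.
func Handshake(a, b *Peer) error {
	na, nb := a.Challenge(), b.Challenge()
	sigA, sigB := a.Respond(b.ID, na, nb), b.Respond(a.ID, nb, na)
	if err := b.Verify(a.ID, nb, na, sigA); err != nil {
		return fmt.Errorf("%s rejected %s: %w", b.ID, a.ID, err)
	}
	if err := a.Verify(b.ID, na, nb, sigB); err != nil {
		return fmt.Errorf("%s rejected %s: %w", a.ID, b.ID, err)
	}
	return nil
}

// Demo reports: a legitimate handshake is accepted; a recorded response replayed
// against a fresh challenge is rejected; a peer with the same ID but an
// unpinned key is rejected.
func Demo() (legit, replayRejected, impostorRejected bool) {
	server, device := NewPeer("server"), NewPeer("device-01")
	server.PeerPub, device.PeerPub = device.Pub, server.Pub
	legit = Handshake(server, device) == nil
	ns, nd := server.Challenge(), device.Challenge()
	captured := device.Respond(server.ID, nd, ns) // attacker records this
	first := server.Verify(device.ID, ns, nd, captured) == nil
	ns2 := server.Challenge() // next session: new server nonce
	replayRejected = first && server.Verify(device.ID, ns2, nd, captured) != nil
	impostor := NewPeer("device-01") // same claimed ID, key never pinned
	ns3, ni := server.Challenge(), impostor.Challenge()
	impostorRejected = server.Verify(impostor.ID, ns3, ni, impostor.Respond(server.ID, ni, ns3)) != nil
	return legit, replayRejected, impostorRejected
}
```

Demo() returns true, true, true. Two design points carry the requirement: the verifier's own nonce is embedded in the signed transcript and is consumed on success, so a recorded response fails either the nonce check (same session) or the signature check (a later session); and the transcript also names who is signing and who is verifying, so a response captured in one direction cannot be turned around and presented in the other.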
3.5.2e
Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management.

3.5.3e
Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

3.6 INCIDENT RESPONSE

3.6.1e
Establish and maintain a security operations center capability that operates [Assignment: organization-defined time period].

3.6.2e
Establish and maintain a cyber incident response team that can be deployed by the organization within [Assignment: organization-defined time period].

3.7 MAINTENANCE

3.8 MEDIA PROTECTION

3.9 PERSONNEL SECURITY

3.9.1e
Conduct [Assignment: organization-defined enhanced personnel screening] for individuals and reassess individual positions and access on an ongoing basis.

3.9.2e
Ensure that organizational systems are protected if adverse information develops about individuals with access to CUI.

3.10 PHYSICAL PROTECTION

3.11 RISK ASSESSMENT

3.11.1e
Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

3.11.2e
Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls.

3.11.3e
Employ advanced automation and analytics capabilities to predict and identify risks to organizations, systems, and system components.

3.11.4e
Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.

3.11.5e
Assess the effectiveness of security solutions [Assignment: organization-defined frequency] to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.

3.11.6e
Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.

3.11.7e
Develop and update a plan for managing supply chain risks associated with organizational systems and system components.

3.12 SECURITY ASSESSMENT

3.12.1e
Conduct penetration testing [Assignment: organization-defined frequency], leveraging automated scanning tools and ad hoc tests using human experts.

3.13 SYSTEM AND COMMUNICATIONS PROTECTION

3.13.1e
Create diversity in [Assignment: organization-defined system components] to reduce the extent of malicious code propagation.

3.13.2e
Disrupt the attack surface of organizational systems and system components.

3.13.3e
Employ technical and procedural means to confuse and mislead adversaries.

3.13.4e
Employ [Selection (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components.

3.14 SYSTEM AND INFORMATION INTEGRITY

3.14.1e
Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures.
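For the "cryptographic signatures" branch of 3.14.1e, the practical shape is a signed manifest: the publisher hashes every artifact in a release, signs the manifest, and the consumer checks the signature against a pinned publisher key before trusting any hash in it. The Go program below is an added example written for this page, not code from the requirements document or from any real update mechanism. It is the minimal form of that pattern and shows the three things a verifier must catch: a modified file, a file added after signing, and a manifest that was rebuilt to match tampered files but could not be re-signed. The type and function names (Manifest, BuildManifest, SignManifest, VerifyRelease), the canonical encoding, the release version "1.4.2", and the file contents are all constructed for the example; the pinned key stands in for whatever trust anchor (a root of trust, a code-signing CA) the organization actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest names a release and the SHA-256 of every artifact in it. The publisher
// signs its canonical encoding; consumers verify that signature with a pinned key.
type Manifest struct {
	Release string
	Files   map[string]string // path -> hex SHA-256
}

// Canonical is a deterministic encoding (paths sorted), so signer and verifier
// hash exactly the same bytes.
func (m Manifest) Canonical() []byte {
	paths := make([]string, 0, len(m.Files))
	for p := range m.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	sb.WriteString("release:" + m.Release + "\n")
	for _, p := range paths {
		sb.WriteString(m.Files[p] + "  " + p + "\n")
	}
	return []byte(sb.String())
}

func digest(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// BuildManifest and SignManifest are the publisher-side steps at release time.
func BuildManifest(release string, artifacts map[string][]byte) Manifest {
	m := Manifest{Release: release, Files: map[string]string{}}
	for p, c := range artifacts {
		m.Files[p] = digest(c)
	}
	return m
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyRelease is the consumer-side check: manifest signature first (nothing in
// an unverified manifest is trusted), then every listed hash, then a sweep for
// artifacts present on disk that the signed manifest never listed.
func VerifyRelease(trusted ed25519.PublicKey, m Manifest, sig []byte, artifacts map[string][]byte) error {
	if len(trusted) != ed25519.PublicKeySize || !ed25519.Verify(trusted, m.Canonical(), sig) {
		return errors.New("manifest signature invalid, or no trusted publisher key pinned")
	}
	for p, want := range m.Files {
		c, ok := artifacts[p]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing", p)
		}
		if digest(c) != want {
			return fmt.Errorf("%s: hash mismatch", p)
		}
	}
	for p := range artifacts {
		if _, ok := m.Files[p]; !ok {
			return fmt.Errorf("%s: present but not in the signed manifest", p)
		}
	}
	return nil
}

// Demo verifies an intact release, one with a tampered file, and a tampered
// release shipped with a rebuilt but unsigned manifest; nil means accepted.
func Demo() (intact, fileTampered, manifestRehashed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release; the byte strings stand in for real files.
	release := map[string][]byte{
		"bin/agent":      []byte("constructed agent binary bytes"),
		"etc/agent.conf": []byte("log_level=info\nverify_updates=true\n"),
	}
	m := BuildManifest("1.4.2", release)
	sig := SignManifest(priv, m)
	intact = VerifyRelease(pub, m, sig, release)
	tampered := map[string][]byte{
		"bin/agent":      release["bin/agent"],
		"etc/agent.conf": []byte("log_level=info\nverify_updates=false\n"),
	}
	fileTampered = VerifyRelease(pub, m, sig, tampered)
	// An attacker can rebuild a manifest whose hashes match the tampered files but
	// cannot re-sign it, so the publisher's signature no longer verifies.
	manifestRehashed = VerifyRelease(pub, BuildManifest(m.Release, tampered), sig, tampered)
	return
}
```

Demo() returns nil for the intact release and a non-nil error for both tampered cases. The order inside VerifyRelease is the point to carry over into any real implementation: the signature is checked before a single hash from the manifest is used, because a manifest whose signature has not been verified is attacker-controlled input, and the final sweep catches artifacts that were never signed for at all, which a hash-only check would silently ignore.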
3.14.2e
Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior.

3.14.3e
Ensure that [Assignment: organization-defined systems and system components] are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.

3.14.4e
Refresh [Assignment: organization-defined systems and system components] from a known, trusted state [Assignment: organization-defined frequency].

3.14.5e
Conduct reviews of persistent organizational storage locations [Assignment: organization-defined frequency] and remove CUI that is no longer needed.

3.14.6e
Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting.

3.14.7e
Verify the correctness of [Assignment: organization-defined security critical or essential software] using [Assignment: organization-defined verification methods or techniques].