From 16024cd4d5755c73b6ad656c23ab48074fefd857 Mon Sep 17 00:00:00 2001
From: Joyce Quach <jquach@mitre.org>
Date: Tue, 5 Nov 2024 13:43:17 -0500
Subject: [PATCH] Restructure CCI to NIST and NIST to CCI logic across mappers
and delete obsolete files
Signed-off-by: Joyce Quach <jquach@mitre.org>
---
.github/workflows/convert-cci-list.yml | 2 +-
.../data/converters/cciListXml2json.ts | 173 +-
.../src/asff-mapper/asff-mapper.ts | 10 +-
.../src/asff-mapper/case-previously-hdf.ts | 2 +-
.../src/asff-mapper/case-trivy.ts | 2 +-
libs/hdf-converters/src/burpsuite-mapper.ts | 6 +-
.../ckl-mapper/checklist-jsonix-converter.ts | 7 +-
.../src/ckl-mapper/checklist-mapper.ts | 11 +-
libs/hdf-converters/src/conveyor-mapper.ts | 4 +-
.../src/cyclonedx-sbom-mapper.ts | 4 +-
libs/hdf-converters/src/dbprotect-mapper.ts | 6 +-
.../src/dependency-track-mapper.ts | 6 +-
libs/hdf-converters/src/fortify-mapper.ts | 4 +-
libs/hdf-converters/src/ionchannel-mapper.ts | 8 +-
libs/hdf-converters/src/jfrog-xray-mapper.ts | 6 +-
.../src/mappings/CciNistMapping.ts | 232 +-
.../src/mappings/CciNistMappingData.ts | 19 +
.../src/mappings/CciNistMappingItem.ts | 9 -
.../src/mappings/NistCciMappingData.ts | 49 +-
.../src/mappings/ScoutsuiteNistMapping.ts | 2 +-
.../src/mappings/U_CCI_List.cci.json | 23491 ++++---
.../src/msft-secure-score-mapper.ts | 6 +-
libs/hdf-converters/src/nessus-mapper.ts | 5 +-
libs/hdf-converters/src/netsparker-mapper.ts | 6 +-
libs/hdf-converters/src/neuvector-mapper.ts | 2 +-
libs/hdf-converters/src/nikto-mapper.ts | 6 +-
libs/hdf-converters/src/prisma-mapper.ts | 6 +-
libs/hdf-converters/src/sarif-mapper.ts | 8 +-
libs/hdf-converters/src/scoutsuite-mapper.ts | 4 +-
libs/hdf-converters/src/snyk-mapper.ts | 7 +-
libs/hdf-converters/src/sonarqube-mapper.ts | 5 +-
libs/hdf-converters/src/twistlock-mapper.ts | 6 +-
libs/hdf-converters/src/utils/CCI_List.ts | 56255 ----------------
libs/hdf-converters/src/utils/global.ts | 17 -
libs/hdf-converters/src/veracode-mapper.ts | 5 +-
.../src/xccdf-results-mapper.ts | 26 +-
libs/hdf-converters/src/zap-mapper.ts | 6 +-
libs/inspecjs/src/nist.ts | 4 +-
38 files changed, 14431 insertions(+), 65996 deletions(-)
delete mode 100644 libs/hdf-converters/src/mappings/CciNistMappingItem.ts
delete mode 100644 libs/hdf-converters/src/utils/CCI_List.ts
diff --git a/.github/workflows/convert-cci-list.yml b/.github/workflows/convert-cci-list.yml
index 03cc86564d..e2ea5af9d0 100644
--- a/.github/workflows/convert-cci-list.yml
+++ b/.github/workflows/convert-cci-list.yml
@@ -48,7 +48,7 @@ jobs:
echo "OUTPUT_DIRECTORY=$ROOT_DIRECTORY/libs/hdf-converters/src/mappings" >> $GITHUB_ENV
- name: Convert CCI List XML to CCI->NIST, CCI->Definitions, and NIST->CCI JSON files
- run: yarn workspace @mitre/hdf-converters cciListXml2json $ROOT_DIRECTORY/U_CCI_List.xml $OUTPUT_DIRECTORY/U_CCI_List.nist.json $OUTPUT_DIRECTORY/U_CCI_List.defs.json $OUTPUT_DIRECTORY/U_CCI_List.cci.json
+ run: yarn workspace @mitre/hdf-converters cciListXml2json -i $ROOT_DIRECTORY/U_CCI_List.xml -n $OUTPUT_DIRECTORY/U_CCI_List.nist.json -d $OUTPUT_DIRECTORY/U_CCI_List.defs.json -c $OUTPUT_DIRECTORY/U_CCI_List.cci.json
- name: Commit changes to CciNistMappingData.ts
# run: |
diff --git a/libs/hdf-converters/data/converters/cciListXml2json.ts b/libs/hdf-converters/data/converters/cciListXml2json.ts
index e647c7af3d..ea8adebdb7 100644
--- a/libs/hdf-converters/data/converters/cciListXml2json.ts
+++ b/libs/hdf-converters/data/converters/cciListXml2json.ts
@@ -1,13 +1,29 @@
import fs from 'fs';
import * as _ from 'lodash';
import xml2js from 'xml2js';
+import {parseArgs} from 'node:util';
// Documentation is located at https://github.com/mitre/heimdall2/wiki/Control-Correlation-Identifier-(CCI)-Converter.
const parser = new xml2js.Parser();
-const pathToInfile = process.argv[2];
-const pathToCci2NistOutfile = process.argv[3];
-const pathToCci2DefinitionsOutfile = process.argv[4];
-const pathToNist2CciOutfile = process.argv[5];
+
+const options = {
+ input: {
+ type: 'string',
+ short: 'i'
+ },
+ cci2nist: {
+ type: 'string',
+ short: 'n'
+ },
+ cci2definitions: {
+ type: 'string',
+ short: 'd'
+ },
+ nist2cci: {
+ type: 'string',
+ short: 'c'
+ }
+} as const;
// XML Structure after conversion
export interface ICCIList {
@@ -26,61 +42,106 @@ export interface ICCIList {
};
}
-if (
- !pathToInfile ||
- !pathToCci2NistOutfile ||
- !pathToCci2DefinitionsOutfile ||
- !pathToNist2CciOutfile
-) {
- console.error(`You must provide the path to the input and two output files.`);
-} else {
- fs.readFile(pathToInfile, function (readFileError, data) {
- if (readFileError) {
- console.error(`Failed to read ${pathToInfile}: ${readFileError}`);
- } else {
- // Parse XML to JS Object
- parser.parseString(data, (parseFileError: any, converted: ICCIList) => {
- if (parseFileError) {
- console.error(`Failed to parse ${pathToInfile}: ${parseFileError}`);
- } else {
- // These store our CCI->NIST names, CCI->definitions, and NIST->CCI mappings
- const nists: Record<string, string> = {};
- const definitions: Record<string, string> = {};
- const ccis: Record<string, string[]> = {};
+// Check that we're not doing `npm test`; it will look for the arguments to the input and output files.
+const scriptIsCalled = process.argv[1].includes('cciListXml2json');
- // For all CCI items
- for (const cciItem of converted.cci_list.cci_items[0].cci_item) {
- // Get the latest reference
- const newestReference = _.maxBy(
- cciItem.references?.[0].reference,
- (item) => _.get(item, '$.version')
- );
- if (newestReference) {
- nists[cciItem.$.id] = newestReference.$.index;
- if (ccis[newestReference.$.index] === undefined) {
- ccis[newestReference.$.index] = [cciItem.$.id];
+if (scriptIsCalled) {
+ const {values} = parseArgs({options});
+
+ const pathToInfile = values.input;
+ const pathToCci2NistOutfile = values.cci2nist;
+ const pathToCci2DefinitionsOutfile = values.cci2definitions;
+ const pathToNist2CciOutfile = values.nist2cci;
+
+ if (
+ !pathToInfile ||
+ !pathToCci2NistOutfile ||
+ !pathToCci2DefinitionsOutfile ||
+ !pathToNist2CciOutfile
+ ) {
+ console.error(
+ 'You must provide the path to the input and three output files.'
+ );
+ } else {
+ fs.readFile(pathToInfile, function (readFileError, data) {
+ if (readFileError) {
+ console.error(`Failed to read ${pathToInfile}: ${readFileError}`);
+ } else {
+ // Parse XML to JS Object
+ parser.parseString(data, (parseFileError: any, converted: ICCIList) => {
+ if (parseFileError) {
+ console.error(`Failed to parse ${pathToInfile}: ${parseFileError}`);
+ } else {
+ // These store our CCI->NIST names, CCI->definitions, and NIST->CCI mappings
+ const nists: Record<string, string> = {};
+ const definitions: Record<string, string> = {};
+ const ccis: Record<string, string[]> = {};
+
+ // For all CCI items
+ for (const cciItem of converted.cci_list.cci_items[0].cci_item) {
+ // Get the latest reference
+ const newestReference = _.maxBy(
+ cciItem.references?.[0].reference,
+ (item) => _.get(item, '$.version')
+ );
+ if (newestReference) {
+ nists[cciItem.$.id] = newestReference.$.index;
+ if (ccis[newestReference.$.index] === undefined) {
+ ccis[newestReference.$.index] = [cciItem.$.id];
+ } else {
+ ccis[newestReference.$.index].push(cciItem.$.id);
+ }
+ definitions[cciItem.$.id] = cciItem.definition[0];
} else {
- ccis[newestReference.$.index].push(cciItem.$.id);
+ console.error(`No NIST Controls found for ${cciItem.$.id}`);
}
- definitions[cciItem.$.id] = cciItem.definition[0];
- } else {
- console.error(`No NIST Controls found for ${cciItem.$.id}`);
}
+ fs.writeFileSync(
+ pathToCci2NistOutfile,
+ JSON.stringify(nists, null, 2)
+ );
+ fs.writeFileSync(
+ pathToCci2DefinitionsOutfile,
+ JSON.stringify(definitions, null, 2)
+ );
+ fs.writeFileSync(
+ pathToNist2CciOutfile,
+ JSON.stringify(unflatten(ccis), null, 2)
+ );
}
- fs.writeFileSync(
- pathToCci2NistOutfile,
- JSON.stringify(nists, null, 2)
- );
- fs.writeFileSync(
- pathToCci2DefinitionsOutfile,
- JSON.stringify(definitions, null, 2)
- );
- fs.writeFileSync(
- pathToNist2CciOutfile,
- JSON.stringify(ccis, null, 2)
- );
- }
- });
- }
- });
+ });
+ }
+ });
+ }
+}
+
+const CCIS_KEY = 'ccis';
+
+type Leaf = {
+ [CCIS_KEY]?: string[];
+};
+
+type Branch = Leaf & {
+ [key: string]: Branch | string[] | undefined;
+};
+
+export type Trie = {
+ [key: string]: Branch;
+};
+
+export function removeParentheses(key: string): string {
+ return key.replace(/[()]/g, '');
+}
+
+function unflatten(fullNistPathToListOfCcis: Record<string, string[]>): Trie {
+ const DELIMITER = ' ';
+ const result = {};
+ const keys = _.keys(fullNistPathToListOfCcis);
+ for (const key of keys) {
+ const path = key.split(DELIMITER).map(removeParentheses);
+ path.push(CCIS_KEY);
+ const value = fullNistPathToListOfCcis[key];
+ _.setWith(result, path, value, Object);
+ }
+ return result;
}
diff --git a/libs/hdf-converters/src/asff-mapper/asff-mapper.ts b/libs/hdf-converters/src/asff-mapper/asff-mapper.ts
index b6aa91536a..bc54ec196b 100644
--- a/libs/hdf-converters/src/asff-mapper/asff-mapper.ts
+++ b/libs/hdf-converters/src/asff-mapper/asff-mapper.ts
@@ -7,7 +7,6 @@ import {ExecJSON} from 'inspecjs';
import * as _ from 'lodash';
import {version as HeimdallToolsVersion} from '../../package.json';
import {BaseConverter, ILookupPath, MappedTransform} from '../base-converter';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from '../utils/global';
import {getCMSInSpec} from './case-cms-inspec';
import {getFirewallManager} from './case-firewall-manager';
import {getGuardDuty} from './case-guardduty';
@@ -16,7 +15,8 @@ import {getPreviouslyHDF} from './case-previously-hdf';
import {getProwler} from './case-prowler';
import {getSecurityHub} from './case-security-hub';
import {getTrivy} from './case-trivy';
-import {getCCIsForNISTTags} from '../mappings/CciNistMapping';
+import {NIST2CCI} from '../mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from '../mappings/CciNistMappingData';
const IMPACT_MAPPING: Map<string, number> = new Map([
['CRITICAL', 0.9],
@@ -455,11 +455,9 @@ export class ASFFMapper extends BaseConverter {
[]
) as string[];
if (tags.length === 0) {
- return getCCIsForNISTTags(
- DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS
- );
+ return NIST2CCI(DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS);
} else {
- return getCCIsForNISTTags(tags);
+ return NIST2CCI(tags);
}
}
},
diff --git a/libs/hdf-converters/src/asff-mapper/case-previously-hdf.ts b/libs/hdf-converters/src/asff-mapper/case-previously-hdf.ts
index ccbdce7e2c..60d25738bf 100644
--- a/libs/hdf-converters/src/asff-mapper/case-previously-hdf.ts
+++ b/libs/hdf-converters/src/asff-mapper/case-previously-hdf.ts
@@ -4,10 +4,10 @@ import * as _ from 'lodash';
import {ILookupPath, MappedTransform} from '../base-converter';
import {
conditionallyProvideAttribute,
- DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS,
FROM_ASFF_TYPES_SLASH_REPLACEMENT
} from '../utils/global';
import {ASFFMapper, consolidate, SpecialCasing} from './asff-mapper';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from '../mappings/CciNistMappingData';
function replaceTypesSlashes<T>(type: T): T | string {
if (!_.isString(type)) {
diff --git a/libs/hdf-converters/src/asff-mapper/case-trivy.ts b/libs/hdf-converters/src/asff-mapper/case-trivy.ts
index a212d1e016..a7c3c37ad1 100644
--- a/libs/hdf-converters/src/asff-mapper/case-trivy.ts
+++ b/libs/hdf-converters/src/asff-mapper/case-trivy.ts
@@ -1,7 +1,7 @@
import {encode} from 'html-entities';
import {ExecJSON} from 'inspecjs';
import * as _ from 'lodash';
-import {DEFAULT_UPDATE_REMEDIATION_NIST_TAGS} from '../utils/global';
+import {DEFAULT_UPDATE_REMEDIATION_NIST_TAGS} from '../mappings/CciNistMappingData';
function findingId(finding: unknown): string {
const generatorId = _.get(finding, 'GeneratorId');
diff --git a/libs/hdf-converters/src/burpsuite-mapper.ts b/libs/hdf-converters/src/burpsuite-mapper.ts
index 4f41befd38..55da44341e 100644
--- a/libs/hdf-converters/src/burpsuite-mapper.ts
+++ b/libs/hdf-converters/src/burpsuite-mapper.ts
@@ -10,8 +10,8 @@ import {
parseXml
} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
// Constant
const IMPACT_MAPPING: Map<string, number> = new Map([
@@ -107,7 +107,7 @@ export class BurpSuiteMapper extends BaseConverter {
},
cci: {
path: 'vulnerabilityClassifications',
- transformer: (data: string) => getCCIsForNISTTags(nistTag(data))
+ transformer: (data: string) => NIST2CCI(nistTag(data))
},
confidence: {path: 'confidence'}
},
diff --git a/libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts b/libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts
index 1ed43e7e44..1078a9a695 100644
--- a/libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts
+++ b/libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts
@@ -1,7 +1,7 @@
import {ExecJSON} from 'inspecjs';
import _ from 'lodash';
import {JsonixIntermediateConverter} from '../jsonix-intermediate-converter';
-import {CciNistTwoWayMapper} from '../mappings/CciNistMapping';
+import {NIST2CCI} from '../mappings/CciNistMapping';
import {getDescription} from '../utils/global';
import {
Asset,
@@ -632,10 +632,9 @@ export class ChecklistJsonixConverter extends JsonixIntermediateConverter<
matchNistToCcis(nistRefs: string[]): string[] {
if (!nistRefs) {
- return [''];
+ return [];
}
- const CCI_NIST_TWO_WAY_MAPPER = new CciNistTwoWayMapper();
- return CCI_NIST_TWO_WAY_MAPPER.cciFilter(nistRefs, ['']);
+ return NIST2CCI(nistRefs);
}
getComments(descriptions: ExecJSON.ControlDescription[]): string {
diff --git a/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts b/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts
index ce8b8fed80..590639feb2 100644
--- a/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts
+++ b/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts
@@ -8,8 +8,7 @@ import {
ILookupPath,
MappedTransform
} from '../base-converter';
-import {CciNistTwoWayMapper} from '../mappings/CciNistMapping';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from '../utils/global';
+import {CCI2NIST} from '../mappings/CciNistMapping';
import {
ChecklistJsonixConverter,
ChecklistObject,
@@ -21,6 +20,7 @@ import {Checklist} from './checklistJsonix';
import {jsonixMapping} from './jsonixMapping';
import {throwIfInvalidAssetMetadata} from './checklist-metadata-utils';
import {parseJson} from '../utils/parseJson';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from '../mappings/CciNistMappingData';
enum ImpactMapping {
high = 0.7,
@@ -28,8 +28,6 @@ enum ImpactMapping {
low = 0.3
}
-const CCI_NIST_TWO_WAY_MAPPER = new CciNistTwoWayMapper();
-
/**
* Tranformer function that splits a string and return array
* @param input - string of CCI references
@@ -47,10 +45,7 @@ function cciRef(input: string): string[] {
*/
function nistTag(input: string): string[] {
const identifiers: string[] = cciRef(input);
- return CCI_NIST_TWO_WAY_MAPPER.nistFilter(
- identifiers,
- DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS
- );
+ return CCI2NIST(identifiers, DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS);
}
/**
diff --git a/libs/hdf-converters/src/conveyor-mapper.ts b/libs/hdf-converters/src/conveyor-mapper.ts
index 4f37f3b81a..051078abf5 100644
--- a/libs/hdf-converters/src/conveyor-mapper.ts
+++ b/libs/hdf-converters/src/conveyor-mapper.ts
@@ -5,7 +5,7 @@ import {BaseConverter, ILookupPath, MappedTransform} from './base-converter';
import {
DEFAULT_STATIC_CODE_ANALYSIS_CCI_TAGS,
DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS
-} from './utils/global';
+} from './mappings/CciNistMappingData';
const CONVEYOR_MAX_SCORE = 1000;
enum scannerType {
ClamAV = 'Clamav',
@@ -188,7 +188,7 @@ function controlMappingConveyor(): MappedTransform<
size: {path: 'size'},
type: {path: 'type'},
nist: DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS,
- cci: DEFAULT_STATIC_CODE_ANALYSIS_CCI_TAGS.flat()
+ cci: DEFAULT_STATIC_CODE_ANALYSIS_CCI_TAGS
},
source_location: {},
results: [
diff --git a/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts b/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
index f1cc5560c0..f22c149c20 100644
--- a/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
+++ b/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
@@ -22,7 +22,7 @@ import {
ComponentClass,
ComponentObject
} from '../types/cyclonedx';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
const cvssMethods = ['CVSSv2', 'CVSSv3', 'CVSSv31', 'CVSSv4'] as const;
type CVSSMethodEnum = Extract<MethodEnum, (typeof cvssMethods)[number]>;
@@ -396,7 +396,7 @@ export class CycloneDXSBOMMapper extends BaseConverter<DataStorage> {
input:
| CycloneDXBillOfMaterialsStandardVulnerability['cwes']
| CycloneDXSoftwareBillOfMaterialsStandardVulnerability['cwes']
- ): string[] => getCCIsForNISTTags(getNISTTags(input))
+ ): string[] => NIST2CCI(getNISTTags(input))
},
cwe: {path: 'cwes', transformer: formatCWETags},
'bom-ref': {
diff --git a/libs/hdf-converters/src/dbprotect-mapper.ts b/libs/hdf-converters/src/dbprotect-mapper.ts
index aee1d5983d..cdc5aa99e5 100644
--- a/libs/hdf-converters/src/dbprotect-mapper.ts
+++ b/libs/hdf-converters/src/dbprotect-mapper.ts
@@ -8,8 +8,8 @@ import {
MappedTransform,
parseXml
} from './base-converter';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
+import {NIST2CCI} from './mappings/CciNistMapping';
const IMPACT_MAPPING: Map<string, number> = new Map([
['high', 0.7],
@@ -128,7 +128,7 @@ export class DBProtectMapper extends BaseConverter {
key: 'id',
tags: {
nist: DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS,
- cci: getCCIsForNISTTags(DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS)
+ cci: NIST2CCI(DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS)
},
refs: [],
source_location: {},
diff --git a/libs/hdf-converters/src/dependency-track-mapper.ts b/libs/hdf-converters/src/dependency-track-mapper.ts
index 52d94452ae..81bac71a7e 100644
--- a/libs/hdf-converters/src/dependency-track-mapper.ts
+++ b/libs/hdf-converters/src/dependency-track-mapper.ts
@@ -8,8 +8,8 @@ import {
MappedTransform
} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
+import {NIST2CCI} from './mappings/CciNistMapping';
interface ICweEntry {
cweId: number;
@@ -96,7 +96,7 @@ export class DependencyTrackMapper extends BaseConverter {
cci: {
path: 'vulnerability.cwes',
transformer: (cwes: ICweEntry[]) =>
- getCCIsForNISTTags(nistTags(getCweIds(cwes)))
+ NIST2CCI(nistTags(getCweIds(cwes)))
},
componentUuid: {path: 'component.uuid'},
componentName: {path: 'component.name'},
diff --git a/libs/hdf-converters/src/fortify-mapper.ts b/libs/hdf-converters/src/fortify-mapper.ts
index c3e960804d..805a223a87 100644
--- a/libs/hdf-converters/src/fortify-mapper.ts
+++ b/libs/hdf-converters/src/fortify-mapper.ts
@@ -8,7 +8,7 @@ import {
parseHtml,
parseXml
} from './base-converter';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
const NIST_REFERENCE_NAME =
'Standards Mapping - NIST Special Publication 800-53 Revision 4';
@@ -155,7 +155,7 @@ export class FortifyMapper extends BaseConverter {
nist: {transformer: nistTag},
cci: {
transformer: (data: Record<string, unknown>) =>
- getCCIsForNISTTags(nistTag(data))
+ NIST2CCI(nistTag(data))
}
},
refs: [],
diff --git a/libs/hdf-converters/src/ionchannel-mapper.ts b/libs/hdf-converters/src/ionchannel-mapper.ts
index 831f8d1215..8995898e1d 100644
--- a/libs/hdf-converters/src/ionchannel-mapper.ts
+++ b/libs/hdf-converters/src/ionchannel-mapper.ts
@@ -11,8 +11,8 @@ import {
import {Project} from '../types/ionchannelProjects';
import {Team} from '../types/ionchannelTeams';
import {BaseConverter, ILookupPath, MappedTransform} from './base-converter';
-import {DEFAULT_INFORMATION_SYSTEM_COMPONENT_MANAGEMENT_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
+import {DEFAULT_INFORMATION_SYSTEM_COMPONENT_MANAGEMENT_NIST_TAGS} from './mappings/CciNistMappingData';
// Extracts all levels of dependencies from any dependency (including sub-dependencies)
function extractAllDependencies(
@@ -264,7 +264,7 @@ export class IonChannelMapper extends BaseConverter {
? {
..._.omit(dependency, 'dependencies'),
nist: DEFAULT_INFORMATION_SYSTEM_COMPONENT_MANAGEMENT_NIST_TAGS,
- cci: getCCIsForNISTTags(
+ cci: NIST2CCI(
DEFAULT_INFORMATION_SYSTEM_COMPONENT_MANAGEMENT_NIST_TAGS
),
dependencies: dependency.dependencies.map(
@@ -274,7 +274,7 @@ export class IonChannelMapper extends BaseConverter {
: {
..._.omit(dependency, 'dependencies'),
nist: DEFAULT_INFORMATION_SYSTEM_COMPONENT_MANAGEMENT_NIST_TAGS,
- cci: getCCIsForNISTTags(
+ cci: NIST2CCI(
DEFAULT_INFORMATION_SYSTEM_COMPONENT_MANAGEMENT_NIST_TAGS
)
};
diff --git a/libs/hdf-converters/src/jfrog-xray-mapper.ts b/libs/hdf-converters/src/jfrog-xray-mapper.ts
index 7a3fc60cff..7c07f9d0c9 100644
--- a/libs/hdf-converters/src/jfrog-xray-mapper.ts
+++ b/libs/hdf-converters/src/jfrog-xray-mapper.ts
@@ -9,8 +9,8 @@ import {
MappedTransform
} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
+import {NIST2CCI} from './mappings/CciNistMapping';
// Constants
const IMPACT_MAPPING: Map<string, number> = new Map([
@@ -138,7 +138,7 @@ export class JfrogXrayMapper extends BaseConverter {
cci: {
path: CWE_PATH,
transformer: (identifier: Record<string, unknown>) =>
- getCCIsForNISTTags(nistTag(identifier))
+ NIST2CCI(nistTag(identifier))
},
nist: {
path: CWE_PATH,
diff --git a/libs/hdf-converters/src/mappings/CciNistMapping.ts b/libs/hdf-converters/src/mappings/CciNistMapping.ts
index 2f2d411fc2..a82103f1f5 100644
--- a/libs/hdf-converters/src/mappings/CciNistMapping.ts
+++ b/libs/hdf-converters/src/mappings/CciNistMapping.ts
@@ -1,206 +1,44 @@
-import {XMLParser} from 'fast-xml-parser';
import _ from 'lodash';
-import {CCI_List} from '../utils/CCI_List';
+import {NIST_TO_CCI} from '../mappings/NistCciMappingData';
+import {is_control, parse_nist} from 'inspecjs';
import {CCI_TO_NIST} from './CciNistMappingData';
-import {CciNistMappingItem} from './CciNistMappingItem';
-import {data as NistCciMappingData} from '../mappings/NistCciMappingData';
+import {removeParentheses} from '../../data/converters/cciListXml2json';
-type Reference = {
- '@_creator': string;
- '@_title': string;
- '@_version': string;
- '@_location': string;
- '@_index': string;
-};
-
-type CciItem = {
- status: string;
- publishdate: string;
- contributor: string;
- definition: string;
- type: string;
- references: {
- reference: Reference[];
- };
- '@_id': string;
-};
-type CciItems = {
- cci_item: CciItem[];
-};
-
-type Metadata = {
- version: string;
- publishdate: string;
-};
-
-type CciList = {
- metadata: Metadata;
- cci_items: CciItems;
-};
-
-type CciNistData = {
- '?xml': {
- '@_version': string;
- '@_encoding': string;
- };
- '?xml-stylesheet': {
- '@_type': string;
- '@_href': string;
- };
- cci_list: CciList;
-};
-
-export class CciNistTwoWayMapper {
- data: CciNistData;
-
- constructor() {
- const alwaysArray = ['cci_item', 'reference'];
- const options = {
- ignoreAttributes: false,
- isArray: (tagName: string) => {
- if (alwaysArray.includes(tagName)) {
- return true;
- } else {
- return false;
- }
- }
- };
- const parser = new XMLParser(options);
- this.data = parser.parse(CCI_List);
- }
-
- nistFilter(
- identifiers: string[],
- defaultNist: string[],
- collapse = true
- ): string[] {
- const DEFAULT_NIST_TAGS = defaultNist;
- let matches: string[] = [];
- for (const id of identifiers) {
- const nistRef = this.findHighestVersionNistControlByCci(id);
- if (nistRef) {
- matches.push(nistRef);
- }
- }
- if (collapse) {
- matches = _.uniq(matches);
+export function CCI2NIST(
+ identifiers: string[],
+ defaultCci2Nist: string[],
+ collapse = true
+): string[] {
+ const DEFAULT_NIST_TAGS = defaultCci2Nist;
+ let matches: string[] = [];
+ for (const id of identifiers) {
+ const nistRef = CCI_TO_NIST[id];
+ if (nistRef) {
+ matches.push(nistRef);
}
- return matches ?? DEFAULT_NIST_TAGS;
}
-
- cciFilter(identifiers: string[], defaultCci: string[]): string[] {
- const matches: string[] = [];
- for (const id of identifiers) {
- matches.push(...this.findMatchingCciIdsByNistControl(id));
- }
- return matches ?? defaultCci;
- }
-
- private findHighestVersionNistControlByCci(targetId: string): string | null {
- let highestVersionControl: string | null = null;
- let highestVersion = -1;
-
- const {cci_item} = this.data.cci_list.cci_items;
- const targetItem = cci_item.find((item) => item['@_id'] === targetId);
-
- if (targetItem) {
- for (const reference of targetItem.references.reference) {
- const version = parseFloat(reference['@_version']);
- if (version > highestVersion) {
- highestVersion = version;
- highestVersionControl = reference['@_index'];
- }
- }
- }
- return highestVersionControl;
- }
-
- private findMatchingCciIdsByNistControl(pattern: string): string[] {
- const matchingIds: string[] = [];
-
- const {cci_item} = this.data.cci_list.cci_items;
-
- for (const item of cci_item) {
- for (const reference of item.references.reference) {
- // first try the pattern as is
- const regexPattern = new RegExp(`^${pattern}`);
- if (
- RegExp(regexPattern).exec(reference['@_index']) &&
- item.type === 'technical'
- ) {
- matchingIds.push(item['@_id']);
- break;
- }
- // if there were no matches using the original pattern, try using only 2 letters hyphen followed by one or two numbers
- if (matchingIds.length === 0) {
- const regexEditedPattern = new RegExp(
- `${/\w\w-\d\d?\d?/g.exec(pattern)}`
- );
- if (
- RegExp(regexEditedPattern).exec(reference['@_index']) &&
- item.type === 'technical'
- ) {
- matchingIds.push(item['@_id']);
- break;
- }
- }
- }
- }
-
- return matchingIds;
- }
-}
-
-export class CciNistMapping {
- data: CciNistMappingItem[];
-
- constructor() {
- this.data = [];
-
- if (typeof CCI_TO_NIST === 'object') {
- for (const item of Object.entries(CCI_TO_NIST)) {
- this.data.push(new CciNistMappingItem(item[0], item[1]));
- }
- }
- }
-
- nistFilter(
- identifiers: string[],
- defaultNist: string[],
- collapse = true
- ): string[] {
- const DEFAULT_NIST_TAG = defaultNist;
- const matches: string[] = [];
- identifiers.forEach((id) => {
- const item = this.data.find((element) => element.cci === id);
- if (item && item.nistId) {
- if (collapse) {
- if (matches.indexOf(item.nistId) === -1) {
- matches.push(item.nistId);
- }
- } else {
- matches.push(item.nistId);
- }
- }
- });
- if (matches.length === 0) {
- return DEFAULT_NIST_TAG;
- }
- return matches;
+ if (collapse) {
+ matches = _.uniq(matches);
}
+ return matches.length > 0 ? matches : DEFAULT_NIST_TAGS;
}
-export function getCCIsForNISTTags(nistTags: string[]): string[] {
- const cciTags: string[] = [];
- for (const nistTag of nistTags) {
- const baseTag = /\w\w-\d\d?\d?/g.exec(nistTag);
- if (
- Array.isArray(baseTag) &&
- baseTag.length > 0 &&
- baseTag[0] in NistCciMappingData
- ) {
- cciTags.push(...NistCciMappingData[baseTag[0]]);
- }
- }
- return cciTags;
+export function NIST2CCI(
+ identifiers: string[],
+ defaultNist2Cci?: string[],
+ collapse = true
+): string[] {
+ const DEFAULT_CCI_TAGS = defaultNist2Cci || [];
+ const createPath = (nist: string) => [...nist.split(' '), 'ccis'];
+ const nists = identifiers.map(parse_nist);
+ const controls = nists.filter(is_control);
+ const paths = controls.map((control) =>
+ createPath(removeParentheses(control.canonize({add_spaces: true})))
+ );
+ const ccis = paths.flatMap((path) => _.get(NIST_TO_CCI, path, []));
+ if (collapse) {
+ const uniques = _.uniq(ccis);
+ return uniques.length > 0 ? uniques : DEFAULT_CCI_TAGS;
+ }
+ return ccis.length > 0 ? ccis : DEFAULT_CCI_TAGS;
}
diff --git a/libs/hdf-converters/src/mappings/CciNistMappingData.ts b/libs/hdf-converters/src/mappings/CciNistMappingData.ts
index 1dc452b87f..e6ea6795ed 100644
--- a/libs/hdf-converters/src/mappings/CciNistMappingData.ts
+++ b/libs/hdf-converters/src/mappings/CciNistMappingData.ts
@@ -1,5 +1,24 @@
import cciToNistData from './U_CCI_List.nist.json';
import cciToDefinitionData from './U_CCI_List.defs.json';
+import {data as NistCciMappingData} from '../mappings/NistCciMappingData';
export const CCI_TO_NIST: Record<string, string> = cciToNistData;
export const CCI_TO_DEFINITION: Record<string, string> = cciToDefinitionData;
+
+// DEFAULT_NIST_TAG is applicable to all automated configuration tests.
+// SA-11 (DEVELOPER SECURITY TESTING AND EVALUATION) - RA-5 (VULNERABILITY SCANNING)
+export const DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS = ['SA-11', 'RA-5'];
+
+export const DEFAULT_STATIC_CODE_ANALYSIS_CCI_TAGS =
+ DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS.map(
+ (tag) => NistCciMappingData[tag]
+ ).flat();
+
+// REMEDIATION_NIST_TAG the set of default applicable NIST 800-53 controls for ensuring up-to-date packages.
+// SI-2 (FLAW REMEDIATION) - RA-5 (VULNERABILITY SCANNING)
+export const DEFAULT_UPDATE_REMEDIATION_NIST_TAGS = ['SI-2', 'RA-5'];
+
+// Applicable to dependency management
+export const DEFAULT_INFORMATION_SYSTEM_COMPONENT_MANAGEMENT_NIST_TAGS = [
+ 'CM-8'
+];
diff --git a/libs/hdf-converters/src/mappings/CciNistMappingItem.ts b/libs/hdf-converters/src/mappings/CciNistMappingItem.ts
deleted file mode 100644
index 0ca760965a..0000000000
--- a/libs/hdf-converters/src/mappings/CciNistMappingItem.ts
+++ /dev/null
@@ -1,9 +0,0 @@
-export class CciNistMappingItem {
- cci: string;
- nistId: string;
-
- constructor(cci: string, nistId: string) {
- this.cci = cci;
- this.nistId = nistId;
- }
-}
diff --git a/libs/hdf-converters/src/mappings/NistCciMappingData.ts b/libs/hdf-converters/src/mappings/NistCciMappingData.ts
index b2541e86c8..bae1d977c2 100644
--- a/libs/hdf-converters/src/mappings/NistCciMappingData.ts
+++ b/libs/hdf-converters/src/mappings/NistCciMappingData.ts
@@ -1,23 +1,28 @@
+import {Trie} from '../../data/converters/cciListXml2json';
+import nistToCciData from './U_CCI_List.cci.json';
+
+export const NIST_TO_CCI: Trie = nistToCciData;
+
export const data = {
- "AC-3": ["CCI-000213"],
- "AC-4": ["CCI-001368", "CCI-001414"],
- "AC-6": ["CCI-000225"],
- "AC-7": ["CCI-000044"],
- "AC-12": ["CCI-002361"],
- "AU-12": ["CCI-000172"],
- "CM-6": ["CCI-000366"],
- "IA-5": ["CCI-001544", "CCI-000183", "CCI-002042"],
- "IA-8": ["CCI-000804"],
- "RA-5": ["CCI-001643"],
- "SA-11": ["CCI-003173"],
- "SC-4": ["CCI-001090"],
- "SC-8": ["CCI-002418"],
- "SC-12": ["CCI-002438"],
- "SC-13": ["CCI-002450"],
- "SC-23": ["CCI-001184"],
- "SC-28": ["CCI-001199"],
- "SI-2": ["CCI-002605"],
- "SI-10": ["CCI-001310"],
- "SI-11": ["CCI-001312"],
- "SI-16": ["CCI-002824"]
- } as Record<string, string[]>
+ 'AC-3': ['CCI-000213'],
+ 'AC-4': ['CCI-001368', 'CCI-001414'],
+ 'AC-6': ['CCI-000225'],
+ 'AC-7': ['CCI-000044'],
+ 'AC-12': ['CCI-002361'],
+ 'AU-12': ['CCI-000172'],
+ 'CM-6': ['CCI-000366'],
+ 'IA-5': ['CCI-001544', 'CCI-000183', 'CCI-002042'],
+ 'IA-8': ['CCI-000804'],
+ 'RA-5': ['CCI-001643'],
+ 'SA-11': ['CCI-003173'],
+ 'SC-4': ['CCI-001090'],
+ 'SC-8': ['CCI-002418'],
+ 'SC-12': ['CCI-002438'],
+ 'SC-13': ['CCI-002450'],
+ 'SC-23': ['CCI-001184'],
+ 'SC-28': ['CCI-001199'],
+ 'SI-2': ['CCI-002605'],
+ 'SI-10': ['CCI-001310'],
+ 'SI-11': ['CCI-001312'],
+ 'SI-16': ['CCI-002824']
+} as Record<string, string[]>;
diff --git a/libs/hdf-converters/src/mappings/ScoutsuiteNistMapping.ts b/libs/hdf-converters/src/mappings/ScoutsuiteNistMapping.ts
index 7bceecf61c..49a070555f 100644
--- a/libs/hdf-converters/src/mappings/ScoutsuiteNistMapping.ts
+++ b/libs/hdf-converters/src/mappings/ScoutsuiteNistMapping.ts
@@ -1,4 +1,4 @@
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from '../utils/global';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './CciNistMappingData';
import {data} from './ScoutsuiteNistMappingData';
import {ScoutsuiteNistMappingItem} from './ScoutsuiteNistMappingItem';
diff --git a/libs/hdf-converters/src/mappings/U_CCI_List.cci.json b/libs/hdf-converters/src/mappings/U_CCI_List.cci.json
index 80dc5b406b..48ab99e223 100644
--- a/libs/hdf-converters/src/mappings/U_CCI_List.cci.json
+++ b/libs/hdf-converters/src/mappings/U_CCI_List.cci.json
@@ -1,9335 +1,14160 @@
{
- "AC-1 a 1": [
- "CCI-000001",
- "CCI-002106"
- ],
- "AC-1 a 1 (a)": [
- "CCI-000002",
- "CCI-002107",
- "CCI-003602"
- ],
- "AC-1 c 1": [
- "CCI-000003",
- "CCI-001545",
- "CCI-003608",
- "CCI-003609"
- ],
- "AC-1 a 2": [
- "CCI-000004",
- "CCI-000005",
- "CCI-002108",
- "CCI-002109",
- "CCI-003604"
- ],
- "AC-1 c 2": [
- "CCI-000006",
- "CCI-001546",
- "CCI-003610",
- "CCI-003611"
- ],
- "AC-2 a": [
- "CCI-000007",
- "CCI-002110",
- "CCI-002111",
- "CCI-003612"
- ],
- "AC-2 c": [
- "CCI-000008",
- "CCI-000009",
- "CCI-002113",
- "CCI-003613",
- "CCI-003614",
- "CCI-003615"
- ],
- "AC-2 e": [
- "CCI-000010",
- "CCI-002120"
- ],
- "AC-2 f": [
- "CCI-000011",
- "CCI-000237",
- "CCI-002121",
- "CCI-003617",
- "CCI-003618",
- "CCI-003619",
- "CCI-003620",
- "CCI-003621",
- "CCI-003622"
- ],
- "AC-2 j": [
- "CCI-000012",
- "CCI-001547"
- ],
- "AC-2 g": [
- "CCI-000013",
- "CCI-002122"
- ],
- "AC-2 i": [
- "CCI-000014"
- ],
- "AC-2 (1)": [
- "CCI-000015"
- ],
- "AC-2 (2)": [
- "CCI-000016",
- "CCI-001361",
- "CCI-001365",
- "CCI-001682"
- ],
- "AC-2 (3) (d)": [
- "CCI-000017"
- ],
- "AC-2 (4)": [
- "CCI-000018",
- "CCI-001403",
- "CCI-001404",
- "CCI-001405",
- "CCI-001683",
- "CCI-001684",
- "CCI-001685",
- "CCI-001686",
- "CCI-002130",
- "CCI-002131",
- "CCI-002132"
- ],
- "AC-2 (5)": [
- "CCI-000019",
- "CCI-001406",
- "CCI-002133"
- ],
- "AC-2 (6)": [
- "CCI-000020",
- "CCI-002134",
- "CCI-002135"
- ],
- "AC-3 (2)": [
- "CCI-000021",
- "CCI-001408",
- "CCI-002152"
- ],
- "AC-3 (3) (a)": [
- "CCI-000022",
- "CCI-002154"
- ],
- "PM-1 a": [
- "CCI-000023",
- "CCI-001543"
- ],
- "AC-3 (5)": [
- "CCI-000024",
- "CCI-001411"
- ],
- "AC-4 (1)": [
- "CCI-000025",
- "CCI-002187",
- "CCI-002188",
- "CCI-002189",
- "CCI-002190",
- "CCI-003661"
- ],
- "AC-4 (2)": [
- "CCI-000026",
- "CCI-002191"
- ],
- "AC-4 (3)": [
- "CCI-000027",
- "CCI-001552",
- "CCI-002192"
- ],
- "AC-4 (4)": [
- "CCI-000028",
- "CCI-002193",
- "CCI-003662"
- ],
- "AC-4 (5)": [
- "CCI-000029",
- "CCI-001415"
- ],
- "AC-4 (6)": [
- "CCI-000030",
- "CCI-002194"
- ],
- "AC-4 (7)": [
- "CCI-000031",
- "CCI-001416"
- ],
- "AC-4 (8) (a)": [
- "CCI-000032",
- "CCI-001417",
- "CCI-002195",
- "CCI-003663"
- ],
- "AC-4 (9)": [
- "CCI-000033",
- "CCI-001418",
- "CCI-002196",
- "CCI-002197",
- "CCI-002198"
- ],
- "AC-4 (10)": [
- "CCI-000034",
- "CCI-001553",
- "CCI-002199"
- ],
- "AC-4 (11)": [
- "CCI-000035",
- "CCI-001554"
- ],
- "AC-5 a": [
- "CCI-000036",
- "CCI-002219",
- "CCI-003684"
- ],
- "AC-5 c": [
- "CCI-000037"
- ],
- "AC-6 (1)": [
- "CCI-000038"
- ],
- "AC-6 (2)": [
- "CCI-000039",
- "CCI-000040",
- "CCI-001419"
- ],
- "AC-6 (3)": [
- "CCI-000041",
- "CCI-000042",
- "CCI-001420",
- "CCI-002224"
- ],
- "AC-7 a": [
- "CCI-000043",
- "CCI-000044",
- "CCI-001423",
- "CCI-001452"
- ],
- "AC-7 b": [
- "CCI-000045",
- "CCI-000046",
- "CCI-000047",
- "CCI-002236",
- "CCI-002237",
- "CCI-002238"
- ],
- "AC-8 a": [
- "CCI-000048",
- "CCI-000049",
- "CCI-000051",
- "CCI-002247"
- ],
- "AC-8 b": [
- "CCI-000050"
- ],
- "AC-9": [
- "CCI-000052"
- ],
- "AC-9 (1)": [
- "CCI-000053"
- ],
- "AC-10": [
- "CCI-000054",
- "CCI-000055",
- "CCI-002252",
- "CCI-002253"
- ],
- "AC-11 b": [
- "CCI-000056"
- ],
- "AC-11 a": [
- "CCI-000057",
- "CCI-000058",
- "CCI-000059"
- ],
- "AC-11 (1)": [
- "CCI-000060"
- ],
- "AC-14 a": [
- "CCI-000061",
- "CCI-002255",
- "CCI-003695"
- ],
- "AC-14 (1)": [
- "CCI-000062"
- ],
- "AC-17 a": [
- "CCI-000063",
- "CCI-002310",
- "CCI-002311",
- "CCI-002312"
- ],
- "AC-17 b": [
- "CCI-000064",
- "CCI-000065"
- ],
- "AC-17 e": [
- "CCI-000066"
- ],
- "AC-17 (1)": [
- "CCI-000067",
- "CCI-002313",
- "CCI-002314"
- ],
- "AC-17 (2)": [
- "CCI-000068",
- "CCI-001453"
- ],
- "AC-17 (3)": [
- "CCI-000069",
- "CCI-001561",
- "CCI-002315"
- ],
- "AC-17 (4) (a)": [
- "CCI-000070",
- "CCI-002316",
- "CCI-002317",
- "CCI-002318"
- ],
- "AC-17 (5)": [
- "CCI-000071",
- "CCI-001431",
- "CCI-001432",
- "CCI-001562"
- ],
- "AC-17 (6)": [
- "CCI-000072"
- ],
- "PM-1 a 1": [
- "CCI-000073",
- "CCI-002985"
- ],
- "PM-1 a 4": [
- "CCI-000074",
- "CCI-002988"
- ],
- "PM-1 b": [
- "CCI-000075",
- "CCI-000076",
- "CCI-004312",
- "CCI-004313"
- ],
- "PM-1 c": [
- "CCI-000077",
- "CCI-002989",
- "CCI-002990"
- ],
- "PM-2": [
- "CCI-000078"
- ],
- "AC-17 (7)": [
- "CCI-000079",
- "CCI-001433",
- "CCI-001434",
- "CCI-001454"
- ],
- "PM-3 a": [
- "CCI-000080",
- "CCI-004314",
- "CCI-004315"
- ],
- "PM-3 b": [
- "CCI-000081",
- "CCI-004316",
- "CCI-004317"
- ],
- "AC-19 a": [
- "CCI-000082",
- "CCI-000083",
- "CCI-002325",
- "CCI-002326"
- ],
- "AC-19 b": [
- "CCI-000084"
- ],
- "AC-19 c": [
- "CCI-000085"
- ],
- "AC-19 d": [
- "CCI-000086"
- ],
- "AC-19 e": [
- "CCI-000087"
- ],
- "AC-19 f": [
- "CCI-000088",
- "CCI-001456"
- ],
- "AC-19 g": [
- "CCI-000089",
- "CCI-001457"
- ],
- "AC-19 (1)": [
- "CCI-000090"
- ],
- "AC-19 (2)": [
- "CCI-000091"
- ],
- "AC-19 (3)": [
- "CCI-000092"
- ],
- "AC-20 a 1": [
- "CCI-000093",
- "CCI-003750",
- "CCI-003751"
- ],
- "AC-20 b": [
- "CCI-000094",
- "CCI-001465",
- "CCI-001466",
- "CCI-003754",
- "CCI-003755"
- ],
- "AC-20 (1) (a)": [
- "CCI-000095",
- "CCI-001467",
- "CCI-001468",
- "CCI-001469",
- "CCI-002333",
- "CCI-002334",
- "CCI-002335",
- "CCI-002336",
- "CCI-003756",
- "CCI-003757"
- ],
- "AC-20 (1) (b)": [
- "CCI-000096",
- "CCI-002337"
- ],
- "AC-20 (2)": [
- "CCI-000097",
- "CCI-003758"
- ],
- "AC-21 a": [
- "CCI-000098",
- "CCI-001470"
- ],
- "AC-21 (1)": [
- "CCI-000099"
- ],
- "AT-1 a 1 (a)": [
- "CCI-000100",
- "CCI-000101",
- "CCI-002048"
- ],
- "AT-1 c 1": [
- "CCI-000102",
- "CCI-001564"
- ],
- "AT-1 a 2": [
- "CCI-000103",
- "CCI-000104",
- "CCI-002049"
- ],
- "AT-1 c 2": [
- "CCI-000105",
- "CCI-001565"
- ],
- "AT-2 a 1": [
- "CCI-000106",
- "CCI-005147"
- ],
- "AT-2 (1)": [
- "CCI-000107"
- ],
- "AT-3 a 1": [
- "CCI-000108",
- "CCI-003783"
- ],
- "AT-3 a 2": [
- "CCI-000109",
- "CCI-003784"
- ],
- "AT-3 c": [
- "CCI-000110",
- "CCI-000111",
- "CCI-003789"
- ],
- "AT-2 a 2": [
- "CCI-000112",
- "CCI-003766"
- ],
- "AT-4 a": [
- "CCI-000113",
- "CCI-000114",
- "CCI-003794",
- "CCI-003795"
- ],
- "AT-5": [
- "CCI-000115",
- "CCI-000116"
- ],
- "AU-1 a 1 (a)": [
- "CCI-000117",
- "CCI-001832"
- ],
- "AU-1 a": [
- "CCI-000118"
- ],
- "AU-1 c 1": [
- "CCI-000119",
- "CCI-001569",
- "CCI-003806",
- "CCI-003807"
- ],
- "AU-1 a 2": [
- "CCI-000120",
- "CCI-001833",
- "CCI-001834",
- "CCI-001931"
- ],
- "AU-1 b": [
- "CCI-000121",
- "CCI-003800",
- "CCI-003801",
- "CCI-003802",
- "CCI-003803",
- "CCI-003804",
- "CCI-003805"
- ],
- "AU-1 c 2": [
- "CCI-000122",
- "CCI-001570",
- "CCI-003808",
- "CCI-003809"
- ],
- "AU-2 a": [
- "CCI-000123",
- "CCI-000129",
- "CCI-001571"
- ],
- "AU-2 b": [
- "CCI-000124"
- ],
- "AU-2 d": [
- "CCI-000125"
- ],
- "AU-2 c": [
- "CCI-000126",
- "CCI-001484",
- "CCI-001485"
- ],
- "AU-2 (3)": [
- "CCI-000127",
- "CCI-001486",
- "CCI-001843"
- ],
- "AU-2 (4)": [
- "CCI-000128"
- ],
- "AU-3 a": [
- "CCI-000130"
- ],
- "AU-3 b": [
- "CCI-000131"
- ],
- "AU-3 c": [
- "CCI-000132"
- ],
- "AU-3 d": [
- "CCI-000133"
- ],
- "AU-3 e": [
- "CCI-000134"
- ],
- "AU-3 (1)": [
- "CCI-000135",
- "CCI-001488"
- ],
- "AU-3 (2)": [
- "CCI-000136",
- "CCI-001489",
- "CCI-001844",
- "CCI-001845",
- "CCI-001846",
- "CCI-001847"
- ],
- "AU-4": [
- "CCI-000137",
- "CCI-000138",
- "CCI-001848",
- "CCI-001849"
- ],
- "AU-5 a": [
- "CCI-000139",
- "CCI-001572",
- "CCI-003814"
- ],
- "AU-5 b": [
- "CCI-000140",
- "CCI-001490"
- ],
- "PM-3 c": [
- "CCI-000141",
- "CCI-004318"
- ],
- "PM-4 a 1": [
- "CCI-000142",
- "CCI-002991",
- "CCI-004319",
- "CCI-004320",
- "CCI-004321",
- "CCI-004322"
- ],
- "AU-5 (1)": [
- "CCI-000143",
- "CCI-000146",
- "CCI-001852",
- "CCI-001853",
- "CCI-001854",
- "CCI-001855"
- ],
- "AU-5 (2)": [
- "CCI-000144",
- "CCI-000147",
- "CCI-001856",
- "CCI-001857",
- "CCI-001858"
- ],
- "AU-5 (3)": [
- "CCI-000145",
- "CCI-001573",
- "CCI-001574",
- "CCI-001859"
- ],
- "AU-6 a": [
- "CCI-000148",
- "CCI-000151",
- "CCI-001862",
- "CCI-003817"
- ],
- "AU-6 b": [
- "CCI-000149",
- "CCI-000150",
- "CCI-001863"
- ],
- "AU-6 (1)": [
- "CCI-000152",
- "CCI-001864",
- "CCI-001865",
- "CCI-003820"
- ],
- "AU-6 (3)": [
- "CCI-000153"
- ],
- "AU-6 (4)": [
- "CCI-000154",
- "CCI-003821"
- ],
- "AU-6 (5)": [
- "CCI-000155",
- "CCI-001866",
- "CCI-001867"
- ],
- "AU-7": [
- "CCI-000156",
- "CCI-000157"
- ],
- "AU-7 (1)": [
- "CCI-000158",
- "CCI-001883",
- "CCI-003830"
- ],
- "AU-8 a": [
- "CCI-000159"
- ],
- "AU-8 (1)": [
- "CCI-000160"
- ],
- "AU-8 (1) (a)": [
- "CCI-000161",
- "CCI-001492",
- "CCI-001891"
- ],
- "AU-9 a": [
- "CCI-000162",
- "CCI-000163",
- "CCI-000164",
- "CCI-001493",
- "CCI-001494",
- "CCI-001495"
- ],
- "AU-9 (1)": [
- "CCI-000165"
- ],
- "AU-10": [
- "CCI-000166",
- "CCI-001899"
- ],
- "AU-11": [
- "CCI-000167",
- "CCI-000168"
- ],
- "AU-12 a": [
- "CCI-000169",
- "CCI-001459"
- ],
- "PM-4 a 2": [
- "CCI-000170",
- "CCI-004323",
- "CCI-004324"
- ],
- "AU-12 b": [
- "CCI-000171",
- "CCI-001910"
- ],
- "AU-12 c": [
- "CCI-000172"
- ],
- "AU-12 (1)": [
- "CCI-000173",
- "CCI-000174",
- "CCI-001576",
- "CCI-001577"
- ],
- "IA-5 a": [
- "CCI-000175",
- "CCI-001980"
- ],
- "IA-5 b": [
- "CCI-000176"
- ],
- "IA-5 d": [
- "CCI-000177",
- "CCI-001981",
- "CCI-001982",
- "CCI-001983",
- "CCI-001984",
- "CCI-001985",
- "CCI-001986",
- "CCI-001987",
- "CCI-001988",
- "CCI-004053",
- "CCI-004054"
- ],
- "IA-5 e": [
- "CCI-000178",
- "CCI-001989",
- "CCI-004055"
- ],
- "IA-5 f": [
- "CCI-000179",
- "CCI-000180",
- "CCI-000181",
- "CCI-000182",
- "CCI-001610",
- "CCI-004056"
- ],
- "IA-5 g": [
- "CCI-000183",
- "CCI-002042"
- ],
- "IA-5 h": [
- "CCI-000184"
- ],
- "IA-5 (2) (b) (1)": [
- "CCI-000185"
- ],
- "IA-5 (2) (a) (1)": [
- "CCI-000186"
- ],
- "IA-5 (2) (a) (2)": [
- "CCI-000187"
- ],
- "IA-5 (3)": [
- "CCI-000188",
- "CCI-001620",
- "CCI-001992",
- "CCI-001993",
- "CCI-001994",
- "CCI-001995"
- ],
- "IA-5 (4)": [
- "CCI-000189",
- "CCI-001996",
- "CCI-001997"
- ],
- "IA-5 (5)": [
- "CCI-000190",
- "CCI-001998"
- ],
- "IA-5 (1) (a)": [
- "CCI-000191",
- "CCI-000192",
- "CCI-000193",
- "CCI-000194",
- "CCI-000205",
- "CCI-001611",
- "CCI-001612",
- "CCI-001613",
- "CCI-001614",
- "CCI-001619",
- "CCI-004057",
- "CCI-004058",
- "CCI-004059",
- "CCI-004060"
- ],
- "IA-5 (1) (b)": [
- "CCI-000195",
- "CCI-001615",
- "CCI-004061"
- ],
- "IA-5 (1) (c)": [
- "CCI-000196",
- "CCI-000197"
- ],
- "IA-5 (1) (d)": [
- "CCI-000198",
- "CCI-000199",
- "CCI-001616",
- "CCI-001617",
- "CCI-004062"
- ],
- "IA-5 (1) (e)": [
- "CCI-000200",
- "CCI-001618",
- "CCI-004063"
- ],
- "IA-5 (6)": [
- "CCI-000201"
- ],
- "IA-5 (7)": [
- "CCI-000202",
- "CCI-000203",
- "CCI-002367",
- "CCI-004069"
- ],
- "IA-5 (8)": [
- "CCI-000204",
- "CCI-001621"
- ],
- "IA-6": [
- "CCI-000206"
- ],
- "PM-5": [
- "CCI-000207",
- "CCI-004328",
- "CCI-004329",
- "CCI-004330"
- ],
- "AC-2 (5) (b)": [
- "CCI-000208"
- ],
- "PM-6": [
- "CCI-000209",
- "CCI-000210",
- "CCI-000211",
- "CCI-004335",
- "CCI-004336",
- "CCI-004337"
- ],
- "PM-7": [
- "CCI-000212",
- "CCI-004338",
- "CCI-004339",
- "CCI-004340"
- ],
- "AC-3": [
- "CCI-000213"
- ],
- "AC-3 (4) (b)": [
- "CCI-000214",
- "CCI-003639"
- ],
- "AC-3 (4) (c)": [
- "CCI-000215",
- "CCI-003640"
- ],
- "PM-8": [
- "CCI-000216",
- "CCI-001640",
- "CCI-004343",
- "CCI-004344"
- ],
- "AC-2 (3)": [
- "CCI-000217"
- ],
- "AC-4 (12)": [
- "CCI-000218",
- "CCI-002200",
- "CCI-002201"
- ],
- "AC-4 (13)": [
- "CCI-000219",
- "CCI-002202"
- ],
- "AC-4 (16)": [
- "CCI-000221"
- ],
- "AC-4 (17) (b)": [
- "CCI-000223"
- ],
- "AC-4 (17) (c)": [
- "CCI-000224"
- ],
- "AC-6": [
- "CCI-000225"
- ],
- "AC-6 (4)": [
- "CCI-000226",
- "CCI-002225"
- ],
- "PM-9 a 1": [
- "CCI-000227"
- ],
- "PM-9 b": [
- "CCI-000228"
- ],
- "PM-10 a": [
- "CCI-000229",
- "CCI-000230",
- "CCI-000231",
- "CCI-004346",
- "CCI-004347"
- ],
- "AC-14 b": [
- "CCI-000232"
- ],
- "PM-10 b": [
- "CCI-000233"
- ],
- "PM-10 c": [
- "CCI-000234"
- ],
- "PM-11 a": [
- "CCI-000235",
- "CCI-004348"
- ],
- "PM-11 b": [
- "CCI-000236",
- "CCI-004349"
- ],
- "CA-1 c 1": [
- "CCI-000238",
- "CCI-000241",
- "CCI-003855",
- "CCI-003856"
- ],
- "CA-1 a 1 (a)": [
- "CCI-000239",
- "CCI-000240",
- "CCI-002061"
- ],
- "CA-1 a 2": [
- "CCI-000242",
- "CCI-000243",
- "CCI-002062",
- "CCI-003850"
- ],
- "CA-1 c 2": [
- "CCI-000244",
- "CCI-001578",
- "CCI-003857",
- "CCI-003858"
- ],
- "CA-2 a": [
- "CCI-000245",
- "CCI-000249",
- "CCI-000250",
- "CCI-003859"
- ],
- "CA-2 b 1": [
- "CCI-000246"
- ],
- "CA-2 b 2": [
- "CCI-000247"
- ],
- "CA-2 b 3": [
- "CCI-000248",
- "CCI-002070"
- ],
- "CA-2 d": [
- "CCI-000251",
- "CCI-000252",
- "CCI-003861"
- ],
- "CA-2 e": [
- "CCI-000253"
- ],
- "CA-2 f": [
- "CCI-000254",
- "CCI-002071"
- ],
- "CA-2 (1)": [
- "CCI-000255",
- "CCI-002063"
- ],
- "CA-2 (2)": [
- "CCI-000256",
- "CCI-001579",
- "CCI-001582",
- "CCI-001583",
- "CCI-001681",
- "CCI-002064",
- "CCI-002065"
- ],
- "CA-3 a": [
- "CCI-000257",
- "CCI-003862"
- ],
- "CA-3 b": [
- "CCI-000258",
- "CCI-000259",
- "CCI-000260",
- "CCI-001580",
- "CCI-003863"
- ],
- "CA-3 c": [
- "CCI-000261",
- "CCI-002083",
- "CCI-002084"
- ],
- "CA-3 (1)": [
- "CCI-000262",
- "CCI-002072",
- "CCI-002073"
- ],
- "CA-3 (2)": [
- "CCI-000263",
- "CCI-002074"
- ],
- "CA-5 a": [
- "CCI-000264"
- ],
- "CA-5 b": [
- "CCI-000265",
- "CCI-000266"
- ],
- "CA-5 (1)": [
- "CCI-000267",
- "CCI-000268",
- "CCI-000269",
- "CCI-003867"
- ],
- "CA-6 a": [
- "CCI-000270"
- ],
- "CA-6 c 2": [
- "CCI-000271"
- ],
- "CA-6 e": [
- "CCI-000272",
- "CCI-000273"
- ],
- "CA-7": [
- "CCI-000274",
- "CCI-003873"
- ],
- "CA-7 a": [
- "CCI-000275",
- "CCI-000276",
- "CCI-002087",
- "CCI-003874"
- ],
- "CA-7 b": [
- "CCI-000277",
- "CCI-000278",
- "CCI-002088",
- "CCI-002089",
- "CCI-003875",
- "CCI-003876",
- "CCI-003877"
- ],
- "CA-7 c": [
- "CCI-000279",
- "CCI-003878"
- ],
- "CA-7 g": [
- "CCI-000280",
- "CCI-000281",
- "CCI-001581",
- "CCI-003879",
- "CCI-003880"
- ],
- "CA-7 (1)": [
- "CCI-000282",
- "CCI-002085"
- ],
- "CA-7 (2)": [
- "CCI-000283",
- "CCI-000284",
- "CCI-000285"
- ],
- "CM-1 c 1": [
- "CCI-000286",
- "CCI-000289",
- "CCI-003904",
- "CCI-003905"
- ],
- "CM-1 a 1 (a)": [
- "CCI-000287",
- "CCI-001821",
- "CCI-001822"
- ],
- "CM-1 a": [
- "CCI-000288"
- ],
- "CM-1 a 2": [
- "CCI-000290",
- "CCI-000292",
- "CCI-001823",
- "CCI-001824",
- "CCI-001825"
- ],
- "CM-1 b": [
- "CCI-000291",
- "CCI-003898",
- "CCI-003899",
- "CCI-003900",
- "CCI-003901",
- "CCI-003902",
- "CCI-003903"
- ],
- "CM-2": [
- "CCI-000293",
- "CCI-000294"
- ],
- "CM-2 a": [
- "CCI-000295",
- "CCI-003909"
- ],
- "CM-2 b 1": [
- "CCI-000296",
- "CCI-001497"
- ],
- "CM-2 b 2": [
- "CCI-000297",
- "CCI-001585"
- ],
- "CM-2 (1) (c)": [
- "CCI-000298",
- "CCI-000299"
- ],
- "CM-2 (2)": [
- "CCI-000300",
- "CCI-000301",
- "CCI-000302",
- "CCI-000303",
- "CCI-003911"
- ],
- "CM-2 (3)": [
- "CCI-000304",
- "CCI-001736"
- ],
- "CM-2 (4) (a)": [
- "CCI-000305",
- "CCI-000306"
- ],
- "CM-2 (4) (b)": [
- "CCI-000307"
- ],
- "CM-2 (5) (a)": [
- "CCI-000308",
- "CCI-000309"
- ],
- "CM-2 (5) (b)": [
- "CCI-000310"
- ],
- "CM-2 (6)": [
- "CCI-000311",
- "CCI-000312"
- ],
- "CM-3 a": [
- "CCI-000313"
- ],
- "CM-3 b": [
- "CCI-000314",
- "CCI-001740",
- "CCI-003912"
- ],
- "CM-3 c": [
- "CCI-000315",
- "CCI-001741"
- ],
- "CM-3 e": [
- "CCI-000316"
- ],
- "CM-3 d": [
- "CCI-000317",
- "CCI-001819",
- "CCI-002056"
- ],
- "CM-3 f": [
- "CCI-000318"
- ],
- "CM-3 g": [
- "CCI-000319",
- "CCI-000320",
- "CCI-000321",
- "CCI-001586"
- ],
- "CM-3 (1) (a)": [
- "CCI-000322",
- "CCI-003913"
- ],
- "CM-3 (1) (b)": [
- "CCI-000323",
- "CCI-001742",
- "CCI-003914"
- ],
- "CM-3 (1) (c)": [
- "CCI-000324",
- "CCI-001498",
- "CCI-003915"
- ],
- "CM-3 (1) (d)": [
- "CCI-000325",
- "CCI-003916"
- ],
- "CM-3 (1) (e)": [
- "CCI-000326",
- "CCI-003917"
- ],
- "CM-3 (2)": [
- "CCI-000327",
- "CCI-000328",
- "CCI-000329"
- ],
- "CM-3 (3)": [
- "CCI-000330",
- "CCI-000331",
- "CCI-003919",
- "CCI-003920"
- ],
- "CM-3 (4)": [
- "CCI-000332",
- "CCI-003921",
- "CCI-003922",
- "CCI-003923",
- "CCI-003924"
- ],
- "CM-4": [
- "CCI-000333",
- "CCI-003930"
- ],
- "CM-4 (1)": [
- "CCI-000334",
- "CCI-001587",
- "CCI-001817",
- "CCI-001818",
- "CCI-003931"
- ],
- "CM-4 (2)": [
- "CCI-000335",
- "CCI-000336",
- "CCI-000337",
- "CCI-003932",
- "CCI-003933",
- "CCI-003934"
- ],
- "CM-5": [
- "CCI-000338",
- "CCI-000339",
- "CCI-000340",
- "CCI-000341",
- "CCI-000342",
- "CCI-000343",
- "CCI-000344",
- "CCI-000345",
- "CCI-003935",
- "CCI-003936"
- ],
- "CM-5 (1)": [
- "CCI-000346",
- "CCI-000347",
- "CCI-001814"
- ],
- "CM-5 (2)": [
- "CCI-000348",
- "CCI-000349",
- "CCI-000350",
- "CCI-001826"
- ],
- "CM-5 (3)": [
- "CCI-000351",
- "CCI-000352",
- "CCI-001747",
- "CCI-001748",
- "CCI-001749",
- "CCI-001750"
- ],
- "CM-5 (4)": [
- "CCI-000353",
- "CCI-000354",
- "CCI-001751",
- "CCI-001752"
- ],
- "CM-5 (5) (a)": [
- "CCI-000355",
- "CCI-000356",
- "CCI-000357",
- "CCI-000358",
- "CCI-001753",
- "CCI-001754"
- ],
- "CM-5 (5) (b)": [
- "CCI-000359",
- "CCI-000360",
- "CCI-000361",
- "CCI-000362",
- "CCI-001827",
- "CCI-001828",
- "CCI-001829",
- "CCI-001830",
- "CCI-003939",
- "CCI-003940"
- ],
- "CM-6 a": [
- "CCI-000363",
- "CCI-000364",
- "CCI-000365",
- "CCI-001588",
- "CCI-003941",
- "CCI-003942"
- ],
- "CM-6 b": [
- "CCI-000366"
- ],
- "CM-6 c": [
- "CCI-000367",
- "CCI-000368",
- "CCI-000369",
- "CCI-001755",
- "CCI-001756"
- ],
- "CM-6 (1)": [
- "CCI-000370",
- "CCI-000371",
- "CCI-000372",
- "CCI-002059",
- "CCI-003947"
- ],
- "CM-6 (2)": [
- "CCI-000373",
- "CCI-000374",
- "CCI-001757",
- "CCI-001758",
- "CCI-001759"
- ],
- "CM-6 (3)": [
- "CCI-000375",
- "CCI-000376",
- "CCI-000377",
- "CCI-000378",
- "CCI-001589"
- ],
- "CM-6 (4)": [
- "CCI-000379"
- ],
- "CM-7 b": [
- "CCI-000380",
- "CCI-000382"
- ],
- "CM-7 a": [
- "CCI-000381",
- "CCI-003948"
- ],
- "CM-7 (1)": [
- "CCI-000383",
- "CCI-000385"
- ],
- "CM-7 (1) (a)": [
- "CCI-000384",
- "CCI-001760"
- ],
- "CM-7 (2)": [
- "CCI-000386",
- "CCI-001590",
- "CCI-001591",
- "CCI-001592",
- "CCI-001593",
- "CCI-001594",
- "CCI-001595",
- "CCI-001763",
- "CCI-001764"
- ],
- "CM-7 (3)": [
- "CCI-000387",
- "CCI-000388"
- ],
- "CM-8 a 1": [
- "CCI-000389",
- "CCI-000390",
- "CCI-003962"
- ],
- "CM-8 a": [
- "CCI-000391"
- ],
- "CM-8 a 2": [
- "CCI-000392",
- "CCI-000393",
- "CCI-003963"
- ],
- "CM-8 b": [
- "CCI-000394",
- "CCI-001779",
- "CCI-001780",
- "CCI-001781",
- "CCI-001782"
- ],
- "CM-8 a 3": [
- "CCI-000395",
- "CCI-000396",
- "CCI-003964"
- ],
- "CM-8 c": [
- "CCI-000397"
- ],
- "CM-8 a 5": [
- "CCI-000398",
- "CCI-003967"
- ],
- "CM-8 a 4": [
- "CCI-000399",
- "CCI-000400",
- "CCI-003965",
- "CCI-003966"
- ],
- "CM-8 d": [
- "CCI-000401"
- ],
- "CM-8 e": [
- "CCI-000402",
- "CCI-000403",
- "CCI-000404",
- "CCI-000405",
- "CCI-000406",
- "CCI-000407"
- ],
- "CM-8 (1)": [
- "CCI-000408",
- "CCI-000409",
- "CCI-000410"
- ],
- "CM-8 (2)": [
- "CCI-000411",
- "CCI-000412",
- "CCI-000413",
- "CCI-000414",
- "CCI-003968"
- ],
- "CM-8 (3) (a)": [
- "CCI-000415",
- "CCI-000416",
- "CCI-003969"
- ],
- "CM-8 (3) (b)": [
- "CCI-000417",
- "CCI-001783",
- "CCI-001784"
- ],
- "CM-8 (4)": [
- "CCI-000418"
- ],
- "CM-8 (5)": [
- "CCI-000419"
- ],
- "CM-8 (6)": [
- "CCI-000420"
- ],
- "CM-9 a": [
- "CCI-000421",
- "CCI-000422",
- "CCI-000423",
- "CCI-003971",
- "CCI-003972"
- ],
- "CM-9 c": [
- "CCI-000424",
- "CCI-000425",
- "CCI-000426",
- "CCI-000430",
- "CCI-000431",
- "CCI-000432",
- "CCI-000433",
- "CCI-000434",
- "CCI-000435",
- "CCI-001796",
- "CCI-001797",
- "CCI-001798",
- "CCI-003975",
- "CCI-003976"
- ],
- "CM-9 b": [
- "CCI-000427",
- "CCI-000428",
- "CCI-000429",
- "CCI-001790",
- "CCI-001791",
- "CCI-001792",
- "CCI-001793",
- "CCI-001794",
- "CCI-001795",
- "CCI-003973",
- "CCI-003974"
- ],
- "CM-9 (1)": [
- "CCI-000436"
- ],
- "CP-1 c 1": [
- "CCI-000437",
- "CCI-000440",
- "CCI-004002",
- "CCI-004003"
- ],
- "CP-1 a 1 (a)": [
- "CCI-000438",
- "CCI-000439",
- "CCI-002825"
- ],
- "CP-1 a 2": [
- "CCI-000441",
- "CCI-001597",
- "CCI-002826"
- ],
- "CP-2 a 1": [
- "CCI-000443",
- "CCI-000444",
- "CCI-000445"
- ],
- "CP-2 a 2": [
- "CCI-000446",
- "CCI-000447",
- "CCI-000448"
- ],
- "CP-2 a 3": [
- "CCI-000449"
- ],
- "CP-2 a 4": [
- "CCI-000450",
- "CCI-000451",
- "CCI-000452",
- "CCI-000453",
- "CCI-000454",
- "CCI-000455",
- "CCI-004006",
- "CCI-004007"
- ],
- "CP-2 a 5": [
- "CCI-000456"
- ],
- "CP-2 a 7": [
- "CCI-000457",
- "CCI-002830"
- ],
- "CP-2 b": [
- "CCI-000458",
- "CCI-000459"
- ],
- "CP-2 c": [
- "CCI-000460"
- ],
- "CP-2 d": [
- "CCI-000461",
- "CCI-000462"
- ],
- "CP-2 e": [
- "CCI-000463",
- "CCI-000464",
- "CCI-000465",
- "CCI-000466"
- ],
- "CP-2 f": [
- "CCI-000468",
- "CCI-002831"
- ],
- "CP-2 (1)": [
- "CCI-000469"
- ],
- "CP-2 (2)": [
- "CCI-000470",
- "CCI-000471",
- "CCI-000472"
- ],
- "CP-2 (3)": [
- "CCI-000473",
- "CCI-000474",
- "CCI-000475",
- "CCI-000476"
- ],
- "CP-2 (4)": [
- "CCI-000477",
- "CCI-000478",
- "CCI-000479",
- "CCI-000480"
- ],
- "CP-2 (5)": [
- "CCI-000481",
- "CCI-000482",
- "CCI-001599",
- "CCI-001600"
- ],
- "CP-2 (6)": [
- "CCI-000483",
- "CCI-000484",
- "CCI-001601",
- "CCI-001602"
- ],
- "CP-3 a 3": [
- "CCI-000485",
- "CCI-000487"
- ],
- "CP-3 a 1": [
- "CCI-000486",
- "CCI-002833"
- ],
- "CP-3 (1)": [
- "CCI-000488"
- ],
- "CP-3 (2)": [
- "CCI-000489"
- ],
- "CP-4 a": [
- "CCI-000490",
- "CCI-000492",
- "CCI-000494",
- "CCI-000495"
- ],
- "CP-4": [
- "CCI-000491",
- "CCI-000493"
- ],
- "CP-4 b": [
- "CCI-000496"
- ],
- "CP-4 c": [
- "CCI-000497"
- ],
- "CP-4 (1)": [
- "CCI-000498",
- "CCI-000499"
- ],
- "CP-4 (2) (a)": [
- "CCI-000500"
- ],
- "CP-4 (2)": [
- "CCI-000501"
- ],
- "CP-4 (3)": [
- "CCI-000502",
- "CCI-000503",
- "CCI-004014"
- ],
- "CP-4 (4)": [
- "CCI-000504"
- ],
- "CP-6 a": [
- "CCI-000505",
- "CCI-004018"
- ],
- "CP-6": [
- "CCI-000506"
- ],
- "CP-6 (1)": [
- "CCI-000507",
- "CCI-001603"
- ],
- "CP-6 (2)": [
- "CCI-000508"
- ],
- "CP-6 (3)": [
- "CCI-000509",
- "CCI-001604"
- ],
- "CP-7 a": [
- "CCI-000510",
- "CCI-000512",
- "CCI-000513",
- "CCI-000514",
- "CCI-002839"
- ],
- "CP-7": [
- "CCI-000511"
- ],
- "CP-7 b": [
- "CCI-000515"
- ],
- "CP-7 (1)": [
- "CCI-000516",
- "CCI-001605"
- ],
- "CP-7 (2)": [
- "CCI-000517",
- "CCI-001606"
- ],
- "CP-7 (3)": [
- "CCI-000518"
- ],
- "CP-7 (4)": [
- "CCI-000519",
- "CCI-000520"
- ],
- "CP-7 c": [
- "CCI-000521"
- ],
- "CP-8": [
- "CCI-000522",
- "CCI-000523",
- "CCI-000524",
- "CCI-000525",
- "CCI-002840",
- "CCI-002841"
- ],
- "CP-8 (1) (a)": [
- "CCI-000526",
- "CCI-000527"
- ],
- "CP-8 (1) (b)": [
- "CCI-000528",
- "CCI-000529",
- "CCI-004019"
- ],
- "CP-8 (2)": [
- "CCI-000530",
- "CCI-001607"
- ],
- "CP-8 (3)": [
- "CCI-000531",
- "CCI-001608"
- ],
- "CP-8 (4) (a)": [
- "CCI-000532",
- "CCI-000533"
- ],
- "CP-9 (a)": [
- "CCI-000534",
- "CCI-000535",
- "CCI-004020"
- ],
- "CP-9 (b)": [
- "CCI-000536",
- "CCI-000537"
- ],
- "CP-9 (c)": [
- "CCI-000538",
- "CCI-000539",
- "CCI-004021"
- ],
- "CP-9 (d)": [
- "CCI-000540",
- "CCI-004022",
- "CCI-004023",
- "CCI-004024"
- ],
- "CP-9 (1)": [
- "CCI-000541",
- "CCI-000542"
- ],
- "CP-9 (2)": [
- "CCI-000543"
- ],
- "CP-9 (3)": [
- "CCI-000544",
- "CCI-000545",
- "CCI-000546",
- "CCI-002849",
- "CCI-002850"
- ],
- "CP-9 (5)": [
- "CCI-000547",
- "CCI-000548"
- ],
- "CP-9 (6)": [
- "CCI-000549",
- "CCI-001609"
- ],
- "CP-10": [
- "CCI-000550",
- "CCI-000551",
- "CCI-000552",
- "CCI-004028",
- "CCI-004029"
- ],
- "CP-10 (2)": [
- "CCI-000553"
- ],
- "CP-10 (3)": [
- "CCI-000554",
- "CCI-000555"
- ],
- "CP-10 (4)": [
- "CCI-000556",
- "CCI-000557"
- ],
- "SI-13 (5)": [
- "CCI-000558",
- "CCI-000559"
- ],
- "CP-10 (6)": [
- "CCI-000560",
- "CCI-000561",
- "CCI-000562",
- "CCI-004030"
- ],
- "PL-1 a 1 (a)": [
- "CCI-000563",
- "CCI-000564",
- "CCI-003047"
- ],
- "PL-1 a": [
- "CCI-000565"
- ],
- "PL-1 a 2": [
- "CCI-000566",
- "CCI-000567",
- "CCI-003048"
- ],
- "PL-1 c 2": [
- "CCI-000568",
- "CCI-001638",
- "CCI-004277"
- ],
- "PL-2 a": [
- "CCI-000570",
- "CCI-003049"
- ],
- "PL-2 a 15": [
- "CCI-000571"
- ],
- "PL-2 c": [
- "CCI-000572",
- "CCI-000573"
- ],
- "PL-2 d": [
- "CCI-000574"
- ],
- "PL-2 (1) (a)": [
- "CCI-000576"
- ],
- "PL-7 b": [
- "CCI-000577",
- "CCI-000578"
- ],
- "PL-2 (2) (a)": [
- "CCI-000580",
- "CCI-000581",
- "CCI-000582"
- ],
- "PL-2 (2) (b)": [
- "CCI-000583",
- "CCI-000584"
- ],
- "PL-2 (2) (c)": [
- "CCI-000585"
- ],
- "PL-2 (2) (d)": [
- "CCI-000586",
- "CCI-000587",
- "CCI-000588",
- "CCI-000589"
- ],
- "PL-2 (2) (e)": [
- "CCI-000590",
- "CCI-000591"
- ],
- "PL-4 a": [
- "CCI-000592",
- "CCI-001639",
- "CCI-004284",
- "CCI-004285",
- "CCI-004286",
- "CCI-004287",
- "CCI-004288"
- ],
- "PL-4 b": [
- "CCI-000593"
- ],
- "PL-4 (1) (a)": [
- "CCI-000594"
- ],
- "PL-4 (1) (b)": [
- "CCI-000595"
- ],
- "PL-4 (1)": [
- "CCI-000596"
- ],
- "PL-5": [
- "CCI-000597"
- ],
- "PL-6": [
- "CCI-000598",
- "CCI-000599",
- "CCI-000600"
- ],
- "SA-1 c 1": [
- "CCI-000601",
- "CCI-000604",
- "CCI-004662",
- "CCI-004663"
- ],
- "SA-1 a 1 (a)": [
- "CCI-000602",
- "CCI-003089"
- ],
- "SA-1 a 1": [
- "CCI-000603"
- ],
- "SA-1 a 2": [
- "CCI-000605",
- "CCI-000606",
- "CCI-003090"
- ],
- "SA-1 c 2": [
- "CCI-000607",
- "CCI-001646",
- "CCI-004664",
- "CCI-004665"
- ],
- "SA-2 a": [
- "CCI-000608",
- "CCI-000609",
- "CCI-003091",
- "CCI-004666"
- ],
- "SA-2 b": [
- "CCI-000610",
- "CCI-000611",
- "CCI-000612"
- ],
- "SA-2 c": [
- "CCI-000613",
- "CCI-000614",
- "CCI-004667",
- "CCI-004668"
- ],
- "SA-3 a": [
- "CCI-000615",
- "CCI-003092",
- "CCI-004669",
- "CCI-004670",
- "CCI-004671",
- "CCI-004672",
- "CCI-004673",
- "CCI-004674",
- "CCI-004675"
- ],
- "SA-3 b": [
- "CCI-000616",
- "CCI-000617",
- "CCI-004676"
- ],
- "SA-3 c": [
- "CCI-000618",
- "CCI-004677"
- ],
- "SA-4 a": [
- "CCI-000619",
- "CCI-003094",
- "CCI-004687"
- ],
- "SA-4 b": [
- "CCI-000620",
- "CCI-003095"
- ],
- "SA-4 c": [
- "CCI-000621",
- "CCI-003096",
- "CCI-004688"
- ],
- "SA-4 (1)": [
- "CCI-000623"
- ],
- "SA-4 (2)": [
- "CCI-000624",
- "CCI-000625",
- "CCI-003101",
- "CCI-003102",
- "CCI-003103",
- "CCI-003104",
- "CCI-003105",
- "CCI-003106"
- ],
- "SA-4 (3)": [
- "CCI-000626",
- "CCI-000627",
- "CCI-000628",
- "CCI-003107",
- "CCI-003108"
- ],
- "SA-4 (4)": [
- "CCI-000629"
- ],
- "SA-4 (5)": [
- "CCI-000630"
- ],
- "SA-4 (6) (a)": [
- "CCI-000631",
- "CCI-000632"
- ],
- "SA-4 (6) (b)": [
- "CCI-000633"
- ],
- "SA-4 (7) (a)": [
- "CCI-000634"
- ],
- "SA-4 (7) (b)": [
- "CCI-000635",
- "CCI-001647"
- ],
- "SA-5 a": [
- "CCI-000636",
- "CCI-000637",
- "CCI-000638"
- ],
- "SA-5 b": [
- "CCI-000639",
- "CCI-000640",
- "CCI-000641"
- ],
- "SA-5 c": [
- "CCI-000642",
- "CCI-003132",
- "CCI-003133"
- ],
- "SA-5 (1)": [
- "CCI-000643",
- "CCI-000644",
- "CCI-001690",
- "CCI-001691"
- ],
- "SA-5 (2)": [
- "CCI-000645",
- "CCI-000646"
- ],
- "SA-5 (3)": [
- "CCI-000647",
- "CCI-000648"
- ],
- "SA-5 (4)": [
- "CCI-000650",
- "CCI-000651",
- "CCI-001692"
- ],
- "SA-5 (5)": [
- "CCI-000653",
- "CCI-000654",
- "CCI-001648"
- ],
- "SA-6 a": [
- "CCI-000655"
- ],
- "SA-6 b": [
- "CCI-000656"
- ],
- "SA-6 c": [
- "CCI-000657",
- "CCI-000658"
- ],
- "SA-6 (1) (a)": [
- "CCI-000659",
- "CCI-000660"
- ],
- "SA-6 (1) (b)": [
- "CCI-000661",
- "CCI-000662"
- ],
- "SA-7": [
- "CCI-000663",
- "CCI-001649"
- ],
- "SA-8": [
- "CCI-000664",
- "CCI-000665",
- "CCI-000666",
- "CCI-000667",
- "CCI-000668",
- "CCI-004712",
- "CCI-004713",
- "CCI-004714",
- "CCI-004715",
- "CCI-004716"
- ],
- "SA-9": [
- "CCI-000669"
- ],
- "SA-9 a": [
- "CCI-000670",
- "CCI-003137",
- "CCI-004782",
- "CCI-004783",
- "CCI-004784"
- ],
- "SA-9 b": [
- "CCI-000671",
- "CCI-000672",
- "CCI-000673",
- "CCI-000674",
- "CCI-004785",
- "CCI-004786"
- ],
- "SA-9 c": [
- "CCI-000675",
- "CCI-003138",
- "CCI-003139"
- ],
- "SA-9 (1) (a)": [
- "CCI-000676",
- "CCI-000677",
- "CCI-003140"
- ],
- "SA-9 (1) (b)": [
- "CCI-000678",
- "CCI-000679",
- "CCI-000680",
- "CCI-000681",
- "CCI-003141",
- "CCI-003142"
- ],
- "SA-10 (a)": [
- "CCI-000682",
- "CCI-000683",
- "CCI-000684",
- "CCI-000685",
- "CCI-000686",
- "CCI-000687",
- "CCI-000688",
- "CCI-000689"
- ],
- "SA-10 (b)": [
- "CCI-000690",
- "CCI-000691",
- "CCI-001650",
- "CCI-001651",
- "CCI-001652",
- "CCI-001653",
- "CCI-001654",
- "CCI-001655"
- ],
- "SA-10 c": [
- "CCI-000692"
- ],
- "SA-10 (c)": [
- "CCI-000693"
- ],
- "SA-10 d": [
- "CCI-000694",
- "CCI-003160",
- "CCI-004794"
- ],
- "SA-10 (d)": [
- "CCI-000695"
- ],
- "SA-10 (e)": [
- "CCI-000696",
- "CCI-000697"
- ],
- "SA-10 (1)": [
- "CCI-000698",
- "CCI-000699"
- ],
- "SA-10 (2)": [
- "CCI-000700",
- "CCI-000701"
- ],
- "SA-11 (a)": [
- "CCI-000702",
- "CCI-000703",
- "CCI-000704",
- "CCI-000705"
- ],
- "SA-11 (b)": [
- "CCI-000706",
- "CCI-000707"
- ],
- "SA-11 (c)": [
- "CCI-000708",
- "CCI-000709",
- "CCI-000710",
- "CCI-000711"
- ],
- "SA-11 (1)": [
- "CCI-000712",
- "CCI-000713",
- "CCI-003179",
- "CCI-003180"
- ],
- "SA-11 (2)": [
- "CCI-000714",
- "CCI-000715",
- "CCI-000716",
- "CCI-000717",
- "CCI-000718",
- "CCI-000719",
- "CCI-003181",
- "CCI-003182"
- ],
- "SA-11 (3)": [
- "CCI-000720",
- "CCI-000721"
- ],
- "SA-12": [
- "CCI-000722",
- "CCI-000723"
- ],
- "SA-12 (1)": [
- "CCI-000724",
- "CCI-003198",
- "CCI-003199",
- "CCI-003207",
- "CCI-003208",
- "CCI-003209"
- ],
- "SA-12 (2)": [
- "CCI-000725",
- "CCI-000726",
- "CCI-000727",
- "CCI-000728",
- "CCI-003200"
- ],
- "SA-12 (3)": [
- "CCI-000729",
- "CCI-000730",
- "CCI-000731",
- "CCI-000732",
- "CCI-000733",
- "CCI-000734"
- ],
- "SA-12 (4)": [
- "CCI-000735",
- "CCI-000736",
- "CCI-000737",
- "CCI-000738"
- ],
- "SA-12 (5)": [
- "CCI-000739",
- "CCI-000740",
- "CCI-000741",
- "CCI-003201",
- "CCI-003202"
- ],
- "SA-12 (6)": [
- "CCI-000742",
- "CCI-000743",
- "CCI-000744"
- ],
- "SA-12 (7)": [
- "CCI-000745",
- "CCI-000746",
- "CCI-000747",
- "CCI-003203",
- "CCI-003204"
- ],
- "SA-13": [
- "CCI-000748",
- "CCI-000749"
- ],
- "SA-14": [
- "CCI-000750",
- "CCI-003229",
- "CCI-003230",
- "CCI-003231",
- "CCI-003232"
- ],
- "SA-14 a": [
- "CCI-000751"
- ],
- "SA-14 b": [
- "CCI-000752"
- ],
- "SA-14 (1) (a)": [
- "CCI-000753"
- ],
- "SA-14 (1) (b)": [
- "CCI-000754",
- "CCI-000755"
- ],
- "IA-1 a 1": [
- "CCI-000756",
- "CCI-001932",
- "CCI-001933",
- "CCI-004031"
- ],
- "IA-1 a 1 (a)": [
- "CCI-000757",
- "CCI-004032"
- ],
- "IA-1 c 1": [
- "CCI-000758",
- "CCI-000759",
- "CCI-004041",
- "CCI-004042"
- ],
- "IA-1 a 2": [
- "CCI-000760",
- "CCI-000761",
- "CCI-001934",
- "CCI-004034"
- ],
- "IA-1 c 2": [
- "CCI-000762",
- "CCI-000763",
- "CCI-004043",
- "CCI-004044"
- ],
- "IA-2": [
- "CCI-000764"
- ],
- "IA-2 (1)": [
- "CCI-000765"
- ],
- "IA-2 (2)": [
- "CCI-000766"
- ],
- "IA-2 (3)": [
- "CCI-000767"
- ],
- "IA-2 (4)": [
- "CCI-000768"
- ],
- "IA-2 (5) (a)": [
- "CCI-000769"
- ],
- "IA-2 (5)": [
- "CCI-000770",
- "CCI-004045"
- ],
- "IA-2 (6)": [
- "CCI-000771",
- "CCI-001935",
- "CCI-001936",
- "CCI-001937"
- ],
- "IA-2 (7)": [
- "CCI-000772",
- "CCI-001938",
- "CCI-001939",
- "CCI-001940"
- ],
- "IA-2 (8)": [
- "CCI-000773",
- "CCI-000774",
- "CCI-001941"
- ],
- "IA-2 (9)": [
- "CCI-000775",
- "CCI-000776",
- "CCI-001942"
- ],
- "IA-3": [
- "CCI-000777",
- "CCI-000778",
- "CCI-001958"
- ],
- "IA-3 (1)": [
- "CCI-000779",
- "CCI-000780",
- "CCI-001959",
- "CCI-001967"
- ],
- "IA-3 (2)": [
- "CCI-000781"
- ],
- "IA-3 (3)": [
- "CCI-000782"
- ],
- "IA-3 (3) (b)": [
- "CCI-000783"
- ],
- "IA-4 a": [
- "CCI-000784",
- "CCI-000785",
- "CCI-001970",
- "CCI-001971"
- ],
- "IA-4 b": [
- "CCI-000786",
- "CCI-000787",
- "CCI-001972"
- ],
- "IA-4 c": [
- "CCI-000788",
- "CCI-000789",
- "CCI-001973"
- ],
- "IA-4 d": [
- "CCI-000790",
- "CCI-000791",
- "CCI-000792",
- "CCI-000793",
- "CCI-001974",
- "CCI-001975"
- ],
- "IA-4 e": [
- "CCI-000794",
- "CCI-000795"
- ],
- "IA-4 (1)": [
- "CCI-000796"
- ],
- "IA-4 (2)": [
- "CCI-000797",
- "CCI-000798",
- "CCI-002040"
- ],
- "IA-4 (3)": [
- "CCI-000799"
- ],
- "IA-4 (4)": [
- "CCI-000800",
- "CCI-000801"
- ],
- "IA-4 (5)": [
- "CCI-000802",
- "CCI-001976",
- "CCI-004049"
- ],
- "IA-7": [
- "CCI-000803"
- ],
- "IA-8": [
- "CCI-000804"
- ],
- "IR-1 a 1 (a)": [
- "CCI-000805",
- "CCI-000806",
- "CCI-002776"
- ],
- "IR-1 c 1": [
- "CCI-000807",
- "CCI-000808",
- "CCI-004113",
- "CCI-004114"
- ],
- "IR-1 a 2": [
- "CCI-000809",
- "CCI-000810",
- "CCI-002777"
- ],
- "IR-1 c 2": [
- "CCI-000811",
- "CCI-000812",
- "CCI-004115",
- "CCI-004116"
- ],
- "IR-2 a 1": [
- "CCI-000813",
- "CCI-002778"
- ],
- "IR-2 a 3": [
- "CCI-000814"
- ],
- "IR-2 c": [
- "CCI-000815"
- ],
- "IR-2 (1)": [
- "CCI-000816"
- ],
- "IR-2 (2)": [
- "CCI-000817",
- "CCI-004117"
- ],
- "IR-3": [
- "CCI-000818",
- "CCI-000819",
- "CCI-000820",
- "CCI-001624"
- ],
- "IR-3 (1)": [
- "CCI-000821",
- "CCI-004119"
- ],
- "IR-4 a": [
- "CCI-000822"
- ],
- "IR-4 b": [
- "CCI-000823"
- ],
- "IR-4 c": [
- "CCI-000824",
- "CCI-001625",
- "CCI-004130",
- "CCI-004131",
- "CCI-004132"
- ],
- "IR-4 (1)": [
- "CCI-000825",
- "CCI-004137"
- ],
- "IR-4 (2)": [
- "CCI-000826",
- "CCI-002781",
- "CCI-004138"
- ],
- "IR-4 (3)": [
- "CCI-000827",
- "CCI-000828",
- "CCI-004139",
- "CCI-004140"
- ],
- "IR-4 (4)": [
- "CCI-000829"
- ],
- "IR-4 (5)": [
- "CCI-000830",
- "CCI-000831"
- ],
- "IR-5": [
- "CCI-000832"
- ],
- "IR-5 (1)": [
- "CCI-000833",
- "CCI-001626",
- "CCI-001627",
- "CCI-004151",
- "CCI-004152",
- "CCI-004153",
- "CCI-004154"
- ],
- "IR-6 a": [
- "CCI-000834",
- "CCI-000835"
- ],
- "IR-6 b": [
- "CCI-000836",
- "CCI-002791"
- ],
- "IR-6 (1)": [
- "CCI-000837",
- "CCI-004155"
- ],
- "IR-6 (2)": [
- "CCI-000838",
- "CCI-002792"
- ],
- "IR-7": [
- "CCI-000839"
- ],
- "IR-7 (1)": [
- "CCI-000840"
- ],
- "IR-7 (2) (a)": [
- "CCI-000841"
- ],
- "IR-7 (2) (b)": [
- "CCI-000842"
- ],
- "IR-8 a": [
- "CCI-000843",
- "CCI-002794"
- ],
- "IR-8 a 9": [
- "CCI-000844",
- "CCI-002802",
- "CCI-004158"
- ],
- "IR-8 b": [
- "CCI-000845",
- "CCI-000846"
- ],
- "IR-8 c": [
- "CCI-000847",
- "CCI-000848",
- "CCI-000849"
- ],
- "IR-8 d": [
- "CCI-000850",
- "CCI-002803"
- ],
- "MA-1 c 1": [
- "CCI-000851",
- "CCI-000854",
- "CCI-004170",
- "CCI-004171"
- ],
- "MA-1 a 1 (a)": [
- "CCI-000852",
- "CCI-002861"
- ],
- "MA-1 a 1": [
- "CCI-000853"
- ],
- "MA-1 a 2": [
- "CCI-000855",
- "CCI-000856",
- "CCI-002862"
- ],
- "MA-1 c 2": [
- "CCI-000857",
- "CCI-001628",
- "CCI-004172",
- "CCI-004173"
- ],
- "MA-2 a": [
- "CCI-000858",
- "CCI-002866",
- "CCI-002867",
- "CCI-002868",
- "CCI-002869",
- "CCI-002870",
- "CCI-002871",
- "CCI-002872",
- "CCI-002873",
- "CCI-004174",
- "CCI-004175",
- "CCI-004176"
- ],
- "MA-2 b": [
- "CCI-000859",
- "CCI-004177",
- "CCI-004178",
- "CCI-004179",
- "CCI-004180"
- ],
- "MA-2 c": [
- "CCI-000860",
- "CCI-002874"
- ],
- "MA-2 d": [
- "CCI-000861",
- "CCI-004181"
- ],
- "MA-2 e": [
- "CCI-000862"
- ],
- "MA-2 (1) (a)(b)(c)(d)(e)": [
- "CCI-000863"
- ],
- "MA-2 (2)": [
- "CCI-000864",
- "CCI-001629"
- ],
- "MA-3 a": [
- "CCI-000865",
- "CCI-000866",
- "CCI-000867"
- ],
- "MA-3": [
- "CCI-000868"
- ],
- "MA-3 (1)": [
- "CCI-000869"
- ],
- "MA-3 (2)": [
- "CCI-000870"
- ],
- "MA-3 (3)": [
- "CCI-000871"
- ],
- "MA-3 (4)": [
- "CCI-000872",
- "CCI-002883"
- ],
- "MA-4 a": [
- "CCI-000873",
- "CCI-000874",
- "CCI-000875"
- ],
- "MA-4 b": [
- "CCI-000876"
- ],
- "MA-4 c": [
- "CCI-000877"
- ],
- "MA-4 d": [
- "CCI-000878"
- ],
- "MA-4 e": [
- "CCI-000879",
- "CCI-004190",
- "CCI-004191"
- ],
- "MA-4 (1)": [
- "CCI-000880",
- "CCI-001630"
- ],
- "MA-4 (2)": [
- "CCI-000881"
- ],
- "MA-4 (3) (a)": [
- "CCI-000882"
- ],
- "MA-4 (3) (b)": [
- "CCI-000883",
- "CCI-001631"
- ],
- "MA-4 (4) (a)": [
- "CCI-000884",
- "CCI-002887"
- ],
- "MA-4 (5) (a)": [
- "CCI-000885",
- "CCI-000887",
- "CCI-002888"
- ],
- "MA-4 (5) (b)": [
- "CCI-000886",
- "CCI-002889"
- ],
- "MA-4 (6)": [
- "CCI-000888",
- "CCI-002890",
- "CCI-003123",
- "CCI-004193"
- ],
- "MA-4 (7)": [
- "CCI-000889",
- "CCI-002891"
- ],
- "MA-5 a": [
- "CCI-000890",
- "CCI-000891"
- ],
- "MA-5 b": [
- "CCI-000892",
- "CCI-002894"
- ],
- "MA-5 (1) (a)": [
- "CCI-000893"
- ],
- "MA-5 (1) (a) (1)": [
- "CCI-000894"
- ],
- "MA-5 (1) (a) (2)": [
- "CCI-000895"
- ],
- "MA-5 (1) (c)": [
- "CCI-000896"
- ],
- "MA-5 (2)": [
- "CCI-000897"
- ],
- "MA-5 (3)": [
- "CCI-000898"
- ],
- "MA-5 (4) (a)": [
- "CCI-000899"
- ],
- "MA-5 (4) (b)": [
- "CCI-000900"
- ],
- "MA-6": [
- "CCI-000901",
- "CCI-000902",
- "CCI-000903",
- "CCI-002896",
- "CCI-002897"
- ],
- "PE-1 a 1 (a)": [
- "CCI-000904"
- ],
- "PE-1 a 1": [
- "CCI-000905",
- "CCI-002908"
- ],
- "PE-1 c 1": [
- "CCI-000906",
- "CCI-000907",
- "CCI-004236",
- "CCI-004237"
- ],
- "PE-1 a 2": [
- "CCI-000908",
- "CCI-000909",
- "CCI-002909"
- ],
- "PE-1 c 2": [
- "CCI-000910",
- "CCI-000911",
- "CCI-004238",
- "CCI-004239"
- ],
- "PE-2 a": [
- "CCI-000912",
- "CCI-002910",
- "CCI-002911"
- ],
- "PE-2 b": [
- "CCI-000913"
- ],
- "PE-2 c": [
- "CCI-000914",
- "CCI-000915"
- ],
- "PE-2 (1)": [
- "CCI-000916"
- ],
- "PE-2 (2)": [
- "CCI-000917",
- "CCI-002912"
- ],
- "PE-2 (3)": [
- "CCI-000918",
- "CCI-001634",
- "CCI-002913",
- "CCI-002914"
- ],
- "PE-3 a": [
- "CCI-000919",
- "CCI-002915",
- "CCI-004240",
- "CCI-004241"
- ],
- "PE-3 a 1": [
- "CCI-000920"
- ],
- "PE-3 a 2": [
- "CCI-000921",
- "CCI-002916",
- "CCI-004242",
- "CCI-004243"
- ],
- "PE-3 d": [
- "CCI-000922",
- "CCI-002921",
- "CCI-002922",
- "CCI-002923",
- "CCI-002924"
- ],
- "PE-3 e": [
- "CCI-000923"
- ],
- "PE-3 f": [
- "CCI-000924",
- "CCI-000925",
- "CCI-002925"
- ],
- "PE-3 g": [
- "CCI-000926",
- "CCI-000927"
- ],
- "PE-3 (1)": [
- "CCI-000928",
- "CCI-002926"
- ],
- "PE-3 (2)": [
- "CCI-000929",
- "CCI-002927"
- ],
- "PE-3 (3)": [
- "CCI-000930"
- ],
- "PE-3 (4)": [
- "CCI-000931",
- "CCI-000932"
- ],
- "PE-3 (5)": [
- "CCI-000933",
- "CCI-002928",
- "CCI-002929"
- ],
- "PE-3 (6)": [
- "CCI-000934",
- "CCI-000935"
- ],
- "PE-4": [
- "CCI-000936",
- "CCI-002930",
- "CCI-002931"
- ],
- "PE-5": [
- "CCI-000937"
- ],
- "PE-6 a": [
- "CCI-000938",
- "CCI-002939"
- ],
- "PE-6 b": [
- "CCI-000939",
- "CCI-000940",
- "CCI-002940",
- "CCI-002941"
- ],
- "PE-6 c": [
- "CCI-000941"
- ],
- "PE-6 (1)": [
- "CCI-000942"
- ],
- "PE-6 (2)": [
- "CCI-000943",
- "CCI-002942",
- "CCI-002943",
- "CCI-002944",
- "CCI-002945",
- "CCI-004248"
- ],
- "PE-7": [
- "CCI-000944"
- ],
- "PE-7 (1)": [
- "CCI-000945"
- ],
- "PE-7 (2)": [
- "CCI-000946"
- ],
- "PE-8 a": [
- "CCI-000947",
- "CCI-002952"
- ],
- "PE-8 b": [
- "CCI-000948",
- "CCI-000949"
- ],
- "PE-8 (1)": [
- "CCI-000950",
- "CCI-004253"
- ],
- "PE-8 (2)": [
- "CCI-000951"
- ],
- "PE-9": [
- "CCI-000952"
- ],
- "PE-9 (1)": [
- "CCI-000953",
- "CCI-002953",
- "CCI-002954"
- ],
- "PE-9 (2)": [
- "CCI-000954",
- "CCI-000955"
- ],
- "PE-10 a": [
- "CCI-000956",
- "CCI-004256"
- ],
- "PE-10 b": [
- "CCI-000957",
- "CCI-000958"
- ],
- "PE-10 c": [
- "CCI-000959"
- ],
- "PE-11": [
- "CCI-000960",
- "CCI-002955"
- ],
- "PE-11 (1)": [
- "CCI-000961"
- ],
- "PE-11 (2)": [
- "CCI-000962"
- ],
- "PE-12": [
- "CCI-000963"
- ],
- "PE-12 (1)": [
- "CCI-000964",
- "CCI-002959",
- "CCI-002960"
- ],
- "PE-13": [
- "CCI-000965"
- ],
- "PE-13 (1)": [
- "CCI-000966",
- "CCI-002961",
- "CCI-002962",
- "CCI-002963",
- "CCI-002964"
- ],
- "PE-13 (2)": [
- "CCI-000967"
- ],
- "PE-13 (2) (b)": [
- "CCI-000968"
- ],
- "PE-13 (4)": [
- "CCI-000969",
- "CCI-000970",
- "CCI-002968",
- "CCI-002969",
- "CCI-002970",
- "CCI-002971"
- ],
- "PE-14 a": [
- "CCI-000971",
- "CCI-000972"
- ],
- "PE-14 b": [
- "CCI-000973",
- "CCI-000974"
- ],
- "PE-14 (1)": [
- "CCI-000975",
- "CCI-004257"
- ],
- "PE-14 (2)": [
- "CCI-000976",
- "CCI-004258"
- ],
- "PE-15": [
- "CCI-000977",
- "CCI-000978",
- "CCI-000979"
- ],
- "PE-15 (1)": [
- "CCI-000980",
- "CCI-002972",
- "CCI-002973",
- "CCI-004259",
- "CCI-004260",
- "CCI-004261"
- ],
- "PE-16 a": [
- "CCI-000981",
- "CCI-000983",
- "CCI-002974"
- ],
- "PE-16": [
- "CCI-000982"
- ],
- "PE-16 b": [
- "CCI-000984"
- ],
- "PE-17 b": [
- "CCI-000985",
- "CCI-002975"
- ],
- "PE-17 a": [
- "CCI-000986",
- "CCI-004262"
- ],
- "PE-17 c": [
- "CCI-000987"
- ],
- "PE-17 d": [
- "CCI-000988",
- "CCI-004263"
- ],
- "PE-18": [
- "CCI-000989",
- "CCI-000990",
- "CCI-000991",
- "CCI-002976"
- ],
- "PE-18 (1)": [
- "CCI-000992",
- "CCI-002977",
- "CCI-002978"
- ],
- "PE-19": [
- "CCI-000993"
- ],
- "PE-19 (1)": [
- "CCI-000994",
- "CCI-004264",
- "CCI-004265"
- ],
- "MP-1 a 1 (a)": [
- "CCI-000995"
- ],
- "MP-1 a 1": [
- "CCI-000996",
- "CCI-002566"
- ],
- "MP-1 c 1": [
- "CCI-000997",
- "CCI-000998",
- "CCI-004207",
- "CCI-004208"
- ],
- "MP-1 a 2": [
- "CCI-000999",
- "CCI-001000"
- ],
- "MP-1 c 2": [
- "CCI-001001",
- "CCI-001002",
- "CCI-004209",
- "CCI-004210"
- ],
- "MP-2": [
- "CCI-001003",
- "CCI-001004",
- "CCI-001005",
- "CCI-001006"
- ],
- "MP-4 (2)": [
- "CCI-001007",
- "CCI-001008",
- "CCI-004216"
- ],
- "MP-2 (2)": [
- "CCI-001009"
- ],
- "MP-3 a": [
- "CCI-001010",
- "CCI-001633"
- ],
- "MP-3 b": [
- "CCI-001011",
- "CCI-001012",
- "CCI-001013"
- ],
- "MP-4 a": [
- "CCI-001014",
- "CCI-001015",
- "CCI-001016",
- "CCI-001017",
- "CCI-004211",
- "CCI-004212"
- ],
- "MP-4 b": [
- "CCI-001018",
- "CCI-004213",
- "CCI-004214",
- "CCI-004215"
- ],
- "MP-4 (1)": [
- "CCI-001019"
- ],
- "MP-5 a": [
- "CCI-001020",
- "CCI-001021",
- "CCI-001022",
- "CCI-004217",
- "CCI-004218"
- ],
- "MP-5 b": [
- "CCI-001023"
- ],
- "MP-5 d": [
- "CCI-001024"
- ],
- "MP-5 c": [
- "CCI-001025"
- ],
- "MP-5 (3)": [
- "CCI-001026"
- ],
- "MP-5 (4)": [
- "CCI-001027"
- ],
- "MP-6 a": [
- "CCI-001028",
- "CCI-002578",
- "CCI-002579"
- ],
- "MP-6 (1)": [
- "CCI-001029",
- "CCI-002567",
- "CCI-002568",
- "CCI-002569",
- "CCI-002570",
- "CCI-002571",
- "CCI-002572"
- ],
- "MP-6 (2)": [
- "CCI-001030",
- "CCI-001031",
- "CCI-004219",
- "CCI-004220"
- ],
- "MP-6 (3)": [
- "CCI-001032",
- "CCI-001033"
- ],
- "MP-6 (4)": [
- "CCI-001034"
- ],
- "MP-6 (5)": [
- "CCI-001035"
- ],
- "MP-6 (6)": [
- "CCI-001036"
- ],
- "RA-1 a 1 (a)": [
- "CCI-001037",
- "CCI-001038",
- "CCI-002368"
- ],
- "RA-1 c 1": [
- "CCI-001039",
- "CCI-001040",
- "CCI-004610",
- "CCI-004611"
- ],
- "RA-1 a 2": [
- "CCI-001041",
- "CCI-001042",
- "CCI-002369"
- ],
- "RA-1 c 2": [
- "CCI-001043",
- "CCI-001044",
- "CCI-004612",
- "CCI-004613"
- ],
- "RA-2 a": [
- "CCI-001045",
- "CCI-004614",
- "CCI-004615",
- "CCI-004616"
- ],
- "RA-2 b": [
- "CCI-001046"
- ],
- "RA-2 c": [
- "CCI-001047"
- ],
- "RA-3 a 2": [
- "CCI-001048"
- ],
- "RA-3 c": [
- "CCI-001049",
- "CCI-001642"
- ],
- "RA-3 d": [
- "CCI-001050",
- "CCI-001051"
- ],
- "RA-3 f": [
- "CCI-001052",
- "CCI-001053"
- ],
- "RA-5 a": [
- "CCI-001054",
- "CCI-001055",
- "CCI-001056",
- "CCI-001641",
- "CCI-001643"
- ],
- "RA-5 b 1": [
- "CCI-001057"
- ],
- "RA-5 c": [
- "CCI-001058"
- ],
- "RA-5 d": [
- "CCI-001059",
- "CCI-001060"
- ],
- "RA-5 e": [
- "CCI-001061",
- "CCI-002376"
- ],
- "RA-5 (1)": [
- "CCI-001062"
- ],
- "RA-5 (2)": [
- "CCI-001063",
- "CCI-001064"
- ],
- "RA-5 (3)": [
- "CCI-001065",
- "CCI-001644",
- "CCI-002373"
- ],
- "RA-5 (4)": [
- "CCI-001066",
- "CCI-002374",
- "CCI-002375"
- ],
- "RA-5 (5)": [
- "CCI-001067",
- "CCI-001645",
- "CCI-002906"
- ],
- "RA-5 (6)": [
- "CCI-001068",
- "CCI-004637"
- ],
- "RA-5 (7)": [
- "CCI-001069",
- "CCI-001070"
- ],
- "RA-5 (8)": [
- "CCI-001071",
- "CCI-004638",
- "CCI-004639"
- ],
- "RA-5 (9) (a)": [
- "CCI-001072"
- ],
- "RA-5 (9) (b)": [
- "CCI-001073"
- ],
- "SC-1 a 1": [
- "CCI-001074",
- "CCI-001075",
- "CCI-002377",
- "CCI-002378"
- ],
- "SC-1 c 1": [
- "CCI-001076",
- "CCI-001077",
- "CCI-004861",
- "CCI-004862"
- ],
- "SC-1 a 2": [
- "CCI-001078",
- "CCI-001079",
- "CCI-002379",
- "CCI-002380",
- "CCI-004854"
- ],
- "SC-1 c 2": [
- "CCI-001080",
- "CCI-001081",
- "CCI-004863",
- "CCI-004864"
- ],
- "SC-2": [
- "CCI-001082"
- ],
- "SC-2 (1)": [
- "CCI-001083"
- ],
- "SC-3": [
- "CCI-001084",
- "CCI-001656"
- ],
- "SC-3 (1)": [
- "CCI-001085"
- ],
- "SC-3 (2)": [
- "CCI-001086"
- ],
- "SC-3 (3)": [
- "CCI-001087",
- "CCI-002381"
- ],
- "SC-3 (4)": [
- "CCI-001088",
- "CCI-002382"
- ],
- "SC-3 (5)": [
- "CCI-001089"
- ],
- "SC-4": [
- "CCI-001090"
- ],
- "SC-4 (1)": [
- "CCI-001091"
- ],
- "SC-5": [
- "CCI-001092",
- "CCI-002386"
- ],
- "SC-5 a": [
- "CCI-001093",
- "CCI-002385"
- ],
- "SC-5 (1)": [
- "CCI-001094",
- "CCI-002387"
- ],
- "SC-5 (2)": [
- "CCI-001095"
- ],
- "SC-6": [
- "CCI-001096",
- "CCI-002392",
- "CCI-002393",
- "CCI-002394"
- ],
- "SC-7 a": [
- "CCI-001097",
- "CCI-001657",
- "CCI-001658"
- ],
- "SC-7 c": [
- "CCI-001098",
- "CCI-004868"
- ],
- "SC-7 (1)": [
- "CCI-001099"
- ],
- "SC-7 (2)": [
- "CCI-001100",
- "CCI-001659"
- ],
- "SC-7 (3)": [
- "CCI-001101"
- ],
- "SC-7 (4) (a)": [
- "CCI-001102"
- ],
- "SC-7 (4) (b)": [
- "CCI-001103"
- ],
- "SC-7 (4) (c)": [
- "CCI-001104",
- "CCI-002396"
- ],
- "SC-7 (4) (d)": [
- "CCI-001105"
- ],
- "SC-7 (4) (e)": [
- "CCI-001106",
- "CCI-001107",
- "CCI-001108"
- ],
- "SC-7 (5)": [
- "CCI-001109",
- "CCI-004872"
- ],
- "SC-7 (6)": [
- "CCI-001110"
- ],
- "SC-7 (7)": [
- "CCI-001111",
- "CCI-002397",
- "CCI-004873"
- ],
- "SC-7 (8)": [
- "CCI-001112",
- "CCI-001113",
- "CCI-001114"
- ],
- "SC-7 (9)": [
- "CCI-001115"
- ],
- "SC-7 (10) (a)": [
- "CCI-001116"
- ],
- "SC-7 (11)": [
- "CCI-001117",
- "CCI-002401",
- "CCI-002402",
- "CCI-002403"
- ],
- "SC-7 (12)": [
- "CCI-001118",
- "CCI-002404",
- "CCI-002405",
- "CCI-002406"
- ],
- "SC-7 (13)": [
- "CCI-001119",
- "CCI-001120"
- ],
- "SC-7 (14)": [
- "CCI-001121",
- "CCI-001122",
- "CCI-001660",
- "CCI-002407"
- ],
- "SC-7 (15)": [
- "CCI-001123"
- ],
- "SC-7 (16)": [
- "CCI-001124"
- ],
- "SC-7 (17)": [
- "CCI-001125"
- ],
- "SC-7 (18)": [
- "CCI-001126"
- ],
- "SC-8": [
- "CCI-001127",
- "CCI-002418"
- ],
- "SC-8 (1)": [
- "CCI-001128",
- "CCI-002419",
- "CCI-002421"
- ],
- "SC-8 (2)": [
- "CCI-001129",
- "CCI-002420",
- "CCI-002422"
- ],
- "SC-9": [
- "CCI-001130"
- ],
- "SC-9 (1)": [
- "CCI-001131"
- ],
- "SC-9 (2)": [
- "CCI-001132"
- ],
- "SC-10": [
- "CCI-001133",
- "CCI-001134"
- ],
- "SC-11 a": [
- "CCI-001135"
- ],
- "SC-11": [
- "CCI-001136"
- ],
- "SC-12": [
- "CCI-001137",
- "CCI-001138",
- "CCI-002428",
- "CCI-002429",
- "CCI-002430",
- "CCI-002431",
- "CCI-002432",
- "CCI-002433",
- "CCI-002434",
- "CCI-002435",
- "CCI-002436",
- "CCI-002437",
- "CCI-002438",
- "CCI-002439",
- "CCI-002440",
- "CCI-002441",
- "CCI-002442"
- ],
- "SC-12 (1)": [
- "CCI-001139"
- ],
- "SC-12 (2)": [
- "CCI-001140",
- "CCI-002443",
- "CCI-002444",
- "CCI-002445"
- ],
- "SC-12 (3)": [
- "CCI-001141",
- "CCI-002446",
- "CCI-002447",
- "CCI-002448",
- "CCI-004898"
- ],
- "SC-12 (4)": [
- "CCI-001142"
- ],
- "SC-12 (5)": [
- "CCI-001143"
- ],
- "SC-13": [
- "CCI-001144",
- "CCI-002449"
- ],
- "SC-13 (1)": [
- "CCI-001145"
- ],
- "SC-13 (2)": [
- "CCI-001146"
- ],
- "SC-13 (3)": [
- "CCI-001147"
- ],
- "SC-13 (4)": [
- "CCI-001148"
- ],
- "SC-14": [
- "CCI-001149"
- ],
- "SC-15 a": [
- "CCI-001150",
- "CCI-001151"
- ],
- "SC-15 b": [
- "CCI-001152"
- ],
- "SC-15 (1)": [
- "CCI-001153"
- ],
- "SC-15 (2)": [
- "CCI-001154"
- ],
- "SC-15 (3)": [
- "CCI-001155",
- "CCI-001156",
- "CCI-002451"
- ],
- "SC-16": [
- "CCI-001157",
- "CCI-002454",
- "CCI-002455",
- "CCI-004901",
- "CCI-004902",
- "CCI-004903"
- ],
- "SC-16 (1)": [
- "CCI-001158",
- "CCI-004904"
- ],
- "SC-17 a": [
- "CCI-001159",
- "CCI-002456"
- ],
- "SC-18 a": [
- "CCI-001160"
- ],
- "SC-18 b": [
- "CCI-001161",
- "CCI-001162",
- "CCI-001163",
- "CCI-001164",
- "CCI-001165"
- ],
- "SC-18 (1)": [
- "CCI-001166",
- "CCI-001662",
- "CCI-002457",
- "CCI-002458"
- ],
- "SC-18 (2)": [
- "CCI-001167",
- "CCI-001168",
- "CCI-001687",
- "CCI-001688"
- ],
- "SC-18 (3)": [
- "CCI-001169",
- "CCI-001695",
- "CCI-002459"
- ],
- "SC-18 (4)": [
- "CCI-001170",
- "CCI-001171",
- "CCI-001172",
- "CCI-002460"
- ],
- "SC-19 a": [
- "CCI-001173",
- "CCI-001174"
- ],
- "SC-19 b": [
- "CCI-001175",
- "CCI-001176",
- "CCI-001177"
- ],
- "SC-20 a": [
- "CCI-001178",
- "CCI-002462"
- ],
- "SC-20 b": [
- "CCI-001179",
- "CCI-001663"
- ],
- "SC-21": [
- "CCI-001180",
- "CCI-002465",
- "CCI-002466",
- "CCI-002467",
- "CCI-002468"
- ],
- "SC-21 (1)": [
- "CCI-001181"
- ],
- "SC-22": [
- "CCI-001182",
- "CCI-001183"
- ],
- "SC-23": [
- "CCI-001184"
- ],
- "SC-23 (1)": [
- "CCI-001185"
- ],
- "SC-23 (2)": [
- "CCI-001186"
- ],
- "SC-23 (3)": [
- "CCI-001187",
- "CCI-001188",
- "CCI-001189",
- "CCI-001664"
- ],
- "SC-24": [
- "CCI-001190",
- "CCI-001191",
- "CCI-001192",
- "CCI-001193",
- "CCI-001665"
- ],
- "SC-25": [
- "CCI-001194",
- "CCI-002471"
- ],
- "SC-26": [
- "CCI-001195"
- ],
- "SC-35": [
- "CCI-001196"
- ],
- "SC-27": [
- "CCI-001197",
- "CCI-001198"
- ],
- "SC-28": [
- "CCI-001199",
- "CCI-002472"
- ],
- "SC-28 (1)": [
- "CCI-001200",
- "CCI-001666",
- "CCI-002473",
- "CCI-002474",
- "CCI-002475",
- "CCI-002476"
- ],
- "SC-29": [
- "CCI-001201",
- "CCI-002480"
- ],
- "SC-30": [
- "CCI-001202",
- "CCI-002482",
- "CCI-002483",
- "CCI-002484",
- "CCI-002485"
- ],
- "SC-29 (1)": [
- "CCI-001203",
- "CCI-001204",
- "CCI-002481"
- ],
- "SC-30 (2)": [
- "CCI-001205",
- "CCI-002486",
- "CCI-002487",
- "CCI-002488"
- ],
- "SC-31": [
- "CCI-001206"
- ],
- "SC-31 (1)": [
- "CCI-001207"
- ],
- "SC-32": [
- "CCI-001208",
- "CCI-002504",
- "CCI-002505",
- "CCI-002506"
- ],
- "SC-33": [
- "CCI-001209"
- ],
- "SC-34 a": [
- "CCI-001210"
- ],
- "SC-34 b": [
- "CCI-001211",
- "CCI-001213"
- ],
- "SC-34": [
- "CCI-001212"
- ],
- "SC-34 (1)": [
- "CCI-001214",
- "CCI-001215"
- ],
- "SC-34 (2)": [
- "CCI-001216",
- "CCI-002507"
- ],
- "SI-1 a 1 (a)": [
- "CCI-001217"
- ],
- "SI-1 a 1": [
- "CCI-001218"
- ],
- "SI-1 c 1": [
- "CCI-001219",
- "CCI-001223",
- "CCI-004951",
- "CCI-004952"
- ],
- "SI-1 a 2": [
- "CCI-001220",
- "CCI-001221"
- ],
- "SI-1 c 2": [
- "CCI-001222",
- "CCI-001224",
- "CCI-004953",
- "CCI-004954"
- ],
- "SI-2 a": [
- "CCI-001225",
- "CCI-001226",
- "CCI-001227"
- ],
- "SI-2 b": [
- "CCI-001228",
- "CCI-001229",
- "CCI-002602",
- "CCI-002603"
- ],
- "SI-2 d": [
- "CCI-001230"
- ],
- "SI-2 (1)": [
- "CCI-001231",
- "CCI-001232"
- ],
- "SI-2 (2)": [
- "CCI-001233",
- "CCI-001234",
- "CCI-004955",
- "CCI-004956",
- "CCI-004957",
- "CCI-004958",
- "CCI-004959",
- "CCI-004960"
- ],
- "SI-2 (3) (a)": [
- "CCI-001235"
- ],
- "SI-2 (3) (b)": [
- "CCI-001236",
- "CCI-002608"
- ],
- "SI-2 (4)": [
- "CCI-001237",
- "CCI-001238",
- "CCI-004961",
- "CCI-004962"
- ],
- "SI-3 a": [
- "CCI-001239",
- "CCI-001668",
- "CCI-002619",
- "CCI-002620",
- "CCI-002621",
- "CCI-002622",
- "CCI-004963"
- ],
- "SI-3 b": [
- "CCI-001240",
- "CCI-004964",
- "CCI-004965"
- ],
- "SI-3 c 1": [
- "CCI-001241",
- "CCI-001242",
- "CCI-002623",
- "CCI-002624"
- ],
- "SI-3 c 2": [
- "CCI-001243",
- "CCI-001244",
- "CCI-004966"
- ],
- "SI-3 d": [
- "CCI-001245"
- ],
- "SI-3 (1)": [
- "CCI-001246"
- ],
- "SI-3 (2)": [
- "CCI-001247"
- ],
- "SI-3 (3)": [
- "CCI-001248"
- ],
- "SI-3 (4)": [
- "CCI-001249"
- ],
- "SI-3 (5)": [
- "CCI-001250"
- ],
- "SI-3 (6) (a)": [
- "CCI-001251",
- "CCI-001669"
- ],
- "SI-4 a": [
- "CCI-001252"
- ],
- "SI-4 a 1": [
- "CCI-001253",
- "CCI-002641"
- ],
- "SI-4 b": [
- "CCI-001254",
- "CCI-002645",
- "CCI-002646"
- ],
- "SI-4 c 1": [
- "CCI-001255"
- ],
- "SI-4 c 2": [
- "CCI-001256"
- ],
- "SI-4 e": [
- "CCI-001257"
- ],
- "SI-4 f": [
- "CCI-001258"
- ],
- "SI-4 (1)": [
- "CCI-001259",
- "CCI-002655",
- "CCI-002656"
- ],
- "SI-4 (2)": [
- "CCI-001260",
- "CCI-004968"
- ],
- "SI-4 (3)": [
- "CCI-001261",
- "CCI-002657",
- "CCI-002658",
- "CCI-004969",
- "CCI-004970"
- ],
- "SI-4 (4)": [
- "CCI-001262"
- ],
- "SI-4 (5)": [
- "CCI-001263",
- "CCI-001264",
- "CCI-002663",
- "CCI-002664"
- ],
- "SI-4 (6)": [
- "CCI-001265"
- ],
- "SI-4 (7) (a)": [
- "CCI-001266",
- "CCI-001267"
- ],
- "SI-4 (7) (b)": [
- "CCI-001268",
- "CCI-001670"
- ],
- "SI-4 (8)": [
- "CCI-001269"
- ],
- "SI-4 (9)": [
- "CCI-001270",
- "CCI-001271",
- "CCI-004975",
- "CCI-004976"
- ],
- "SI-4 (10)": [
- "CCI-001272",
- "CCI-002665",
- "CCI-002666",
- "CCI-002667",
- "CCI-004977",
- "CCI-004978",
- "CCI-004979"
- ],
- "SI-4 (11)": [
- "CCI-001273",
- "CCI-001671",
- "CCI-002668"
- ],
- "SI-4 (12)": [
- "CCI-001274",
- "CCI-001275",
- "CCI-004980"
- ],
- "SI-4 (13) (a)": [
- "CCI-001276"
- ],
- "SI-4 (13) (b)": [
- "CCI-001277"
- ],
- "SI-4 (13) (c)": [
- "CCI-001278",
- "CCI-001279",
- "CCI-001280",
- "CCI-002669"
- ],
- "SI-4 (14)": [
- "CCI-001281",
- "CCI-001672",
- "CCI-001673"
- ],
- "SI-4 (15)": [
- "CCI-001282"
- ],
- "SI-4 (16)": [
- "CCI-001283",
- "CCI-004981"
- ],
- "SI-4 (17)": [
- "CCI-001284"
- ],
- "SI-5 a": [
- "CCI-001285",
- "CCI-002692"
- ],
- "SI-5 b": [
- "CCI-001286"
- ],
- "SI-5 c": [
- "CCI-001287",
- "CCI-001288",
- "CCI-002693",
- "CCI-002694"
- ],
- "SI-5 d": [
- "CCI-001289"
- ],
- "SI-5 (1)": [
- "CCI-001290",
- "CCI-004983"
- ],
- "SI-6": [
- "CCI-001291",
- "CCI-001292",
- "CCI-001293",
- "CCI-001674",
- "CCI-001676"
- ],
- "SI-6 c": [
- "CCI-001294",
- "CCI-002700",
- "CCI-004989",
- "CCI-004990"
- ],
- "SI-6 (2)": [
- "CCI-001295",
- "CCI-004993"
- ],
- "SI-6 (3)": [
- "CCI-001296",
- "CCI-001675",
- "CCI-004994",
- "CCI-004995"
- ],
- "SI-7": [
- "CCI-001297",
- "CCI-002703"
- ],
- "SI-7 (1)": [
- "CCI-001298",
- "CCI-001299",
- "CCI-002705",
- "CCI-002706",
- "CCI-002707",
- "CCI-002708",
- "CCI-002709",
- "CCI-002710",
- "CCI-002711",
- "CCI-002712"
- ],
- "SI-7 (2)": [
- "CCI-001300",
- "CCI-002713"
- ],
- "SI-7 (3)": [
- "CCI-001301"
- ],
- "SI-7 (4)": [
- "CCI-001302",
- "CCI-001303",
- "CCI-001304"
- ],
- "SI-8 a": [
- "CCI-001305",
- "CCI-001677",
- "CCI-002741",
- "CCI-002742"
- ],
- "SI-8 b": [
- "CCI-001306",
- "CCI-005000",
- "CCI-005001"
- ],
- "SI-8 (1)": [
- "CCI-001307"
- ],
- "SI-8 (2)": [
- "CCI-001308",
- "CCI-005002"
- ],
- "SI-9": [
- "CCI-001309"
- ],
- "SI-10": [
- "CCI-001310",
- "CCI-002744"
- ],
- "SI-11 a": [
- "CCI-001311",
- "CCI-001312"
- ],
- "SI-11 b": [
- "CCI-001313",
- "CCI-001314",
- "CCI-002759"
- ],
- "SI-12": [
- "CCI-001315",
- "CCI-001678"
- ],
- "SI-13 a": [
- "CCI-001316",
- "CCI-001317",
- "CCI-002760",
- "CCI-002761"
- ],
- "SI-13 b": [
- "CCI-001318",
- "CCI-001679",
- "CCI-002762",
- "CCI-002763"
- ],
- "SI-13 (1)": [
- "CCI-001319",
- "CCI-001320"
- ],
- "SI-7 (16)": [
- "CCI-001321",
- "CCI-001322"
- ],
- "SI-13 (3)": [
- "CCI-001323",
- "CCI-001324",
- "CCI-001325",
- "CCI-005009"
- ],
- "SI-13 (4) (a)": [
- "CCI-001326",
- "CCI-001327"
- ],
- "SI-13 (4) (b)": [
- "CCI-001328",
- "CCI-001329",
- "CCI-001689",
- "CCI-005010"
- ],
- "AC-19 (4) (a)": [
- "CCI-001330"
- ],
- "AC-19 (4) (b) (1)": [
- "CCI-001331"
- ],
- "AC-19 (4) (b) (2)": [
- "CCI-001332"
- ],
- "AC-19 (4) (b) (3)": [
- "CCI-001333"
- ],
- "AC-19 (4) (b) (4)": [
- "CCI-001334",
- "CCI-001335",
- "CCI-001458"
- ],
- "AT-4 b": [
- "CCI-001336",
- "CCI-001337"
- ],
- "AU-10 (1)": [
- "CCI-001338"
- ],
- "AU-10 (2)": [
- "CCI-001339"
- ],
- "AU-10 (3)": [
- "CCI-001340"
- ],
- "AU-10 (4) (a)": [
- "CCI-001341",
- "CCI-001907"
- ],
- "AU-10 (5)": [
- "CCI-001342"
- ],
- "AU-5 (4)": [
- "CCI-001343",
- "CCI-001860",
- "CCI-001861",
- "CCI-002907"
- ],
- "AU-6 (7)": [
- "CCI-001344",
- "CCI-001868",
- "CCI-001869"
- ],
- "AU-6 (8)": [
- "CCI-001345",
- "CCI-001346",
- "CCI-001870"
- ],
- "AU-6 (9)": [
- "CCI-001347",
- "CCI-001871"
- ],
- "AU-9 (2)": [
- "CCI-001348",
- "CCI-001349",
- "CCI-001575"
- ],
- "AU-9 (3)": [
- "CCI-001350",
- "CCI-001496"
- ],
- "AU-9 (4)": [
- "CCI-001351",
- "CCI-001894"
- ],
- "AU-9 (4) (b)": [
- "CCI-001352"
- ],
- "AU-12 (2)": [
- "CCI-001353"
- ],
- "AC-2 h": [
- "CCI-001354",
- "CCI-001355",
- "CCI-003623",
- "CCI-003624"
- ],
- "AC-2 (5) (c)": [
- "CCI-001356"
- ],
- "AC-2 (5) (d)": [
- "CCI-001357"
- ],
- "AC-2 (7) (a)": [
- "CCI-001358",
- "CCI-001407"
- ],
- "AC-2 (7) (b)": [
- "CCI-001359",
- "CCI-001360"
- ],
- "AC-3 (4)": [
- "CCI-001362",
- "CCI-001693",
- "CCI-001694",
- "CCI-002163",
- "CCI-002164",
- "CCI-002165"
- ],
- "AC-3 (4) (a)": [
- "CCI-001363",
- "CCI-003638"
- ],
- "AC-3 (6)": [
- "CCI-001366",
- "CCI-001367",
- "CCI-001412",
- "CCI-001413"
- ],
- "AC-4": [
- "CCI-001368",
- "CCI-001414",
- "CCI-001548",
- "CCI-001549",
- "CCI-001550",
- "CCI-001551"
- ],
- "AC-4 (14)": [
- "CCI-001371",
- "CCI-001372"
- ],
- "AC-4 (15)": [
- "CCI-001373",
- "CCI-001374",
- "CCI-002203",
- "CCI-002204"
- ],
- "AC-4 (17) (a)": [
- "CCI-001376",
- "CCI-001377",
- "CCI-001555",
- "CCI-001556"
- ],
- "AC-5 b": [
- "CCI-001380",
- "CCI-002220"
- ],
- "AC-7 (2)": [
- "CCI-001382",
- "CCI-001383",
- "CCI-002239",
- "CCI-002240",
- "CCI-002241",
- "CCI-002242"
- ],
- "AC-8 c 1": [
- "CCI-001384",
- "CCI-002248"
- ],
- "AC-8 c 2": [
- "CCI-001385",
- "CCI-001386",
- "CCI-001387"
- ],
- "AC-8 c 3": [
- "CCI-001388"
- ],
- "AC-9 (2)": [
- "CCI-001389",
- "CCI-001390",
- "CCI-001391",
- "CCI-001392"
- ],
- "AC-9 (3)": [
- "CCI-001393",
- "CCI-001394",
- "CCI-001395"
- ],
- "AC-16": [
- "CCI-001396",
- "CCI-001397",
- "CCI-001398",
- "CCI-001399",
- "CCI-001400",
- "CCI-001401"
- ],
- "AC-17 c": [
- "CCI-001402"
- ],
- "AC-3 (3)": [
- "CCI-001409",
- "CCI-001410",
- "CCI-002153",
- "CCI-003014"
- ],
- "AC-6 (5)": [
- "CCI-001421",
- "CCI-002226",
- "CCI-002227"
- ],
- "AC-6 (6)": [
- "CCI-001422"
- ],
- "AC-16 (1)": [
- "CCI-001424",
- "CCI-002272",
- "CCI-002273",
- "CCI-002274",
- "CCI-002275",
- "CCI-003712",
- "CCI-003713",
- "CCI-003714"
- ],
- "AC-16 (2)": [
- "CCI-001425",
- "CCI-001559",
- "CCI-002276",
- "CCI-002277",
- "CCI-003715",
- "CCI-003716"
- ],
- "AC-16 (3)": [
- "CCI-001426",
- "CCI-002278",
- "CCI-002279",
- "CCI-002280",
- "CCI-002281",
- "CCI-002282",
- "CCI-002283",
- "CCI-002284",
- "CCI-003717",
- "CCI-003718",
- "CCI-003719",
- "CCI-003720",
- "CCI-003721"
- ],
- "AC-16 (4)": [
- "CCI-001427",
- "CCI-001560",
- "CCI-002285",
- "CCI-002286",
- "CCI-002287",
- "CCI-002288",
- "CCI-002289",
- "CCI-002290",
- "CCI-003722",
- "CCI-003723",
- "CCI-003724",
- "CCI-003725",
- "CCI-003726"
- ],
- "AC-16 (5)": [
- "CCI-001428",
- "CCI-001429",
- "CCI-001430",
- "CCI-003727",
- "CCI-003728",
- "CCI-003729"
- ],
- "AC-17 (8)": [
- "CCI-001435",
- "CCI-001436",
- "CCI-001455"
- ],
- "AC-17 (4)": [
- "CCI-001437"
- ],
- "AC-18 a": [
- "CCI-001438",
- "CCI-001439",
- "CCI-002323"
- ],
- "AC-18 b": [
- "CCI-001440",
- "CCI-001441"
- ],
- "AC-18 d": [
- "CCI-001442"
- ],
- "AC-18 (1)": [
- "CCI-001443",
- "CCI-001444"
- ],
- "AC-18 (2)": [
- "CCI-001445",
- "CCI-001446",
- "CCI-001447",
- "CCI-001448",
- "CCI-001563"
- ],
- "AC-18 (3)": [
- "CCI-001449"
- ],
- "AC-18 (4)": [
- "CCI-001450",
- "CCI-002324"
- ],
- "AC-18 (5)": [
- "CCI-001451"
- ],
- "AU-13 a": [
- "CCI-001460",
- "CCI-001461",
- "CCI-001915"
- ],
- "AU-14 (2)": [
- "CCI-001462"
- ],
- "AU-14 b": [
- "CCI-001463",
- "CCI-003847"
- ],
- "AU-14 (1)": [
- "CCI-001464"
- ],
- "AC-21 b": [
- "CCI-001471",
- "CCI-001472"
- ],
- "AC-22 a": [
- "CCI-001473"
- ],
- "AC-22 b": [
- "CCI-001474"
- ],
- "AC-22 c": [
- "CCI-001475"
- ],
- "AC-22 d": [
- "CCI-001476",
- "CCI-001477",
- "CCI-001478"
- ],
- "AT-2 c": [
- "CCI-001479",
- "CCI-003770",
- "CCI-003771",
- "CCI-003772",
- "CCI-003773"
- ],
- "AT-2": [
- "CCI-001480"
- ],
- "AT-3 (1)": [
- "CCI-001481",
- "CCI-001482",
- "CCI-001483",
- "CCI-002050"
- ],
- "AU-3 f": [
- "CCI-001487"
- ],
- "AU-6 (6)": [
- "CCI-001491"
- ],
- "CM-5 (6)": [
- "CCI-001499"
- ],
- "CM-5 (7)": [
- "CCI-001500",
- "CCI-001501"
- ],
- "CM-6 d": [
- "CCI-001502",
- "CCI-001503",
- "CCI-003943",
- "CCI-003944",
- "CCI-003945",
- "CCI-003946"
- ],
- "PS-1 a 1 (a)": [
- "CCI-001504"
- ],
- "PS-1 a 1": [
- "CCI-001505",
- "CCI-003017"
- ],
- "PS-1 c 1": [
- "CCI-001506",
- "CCI-001507",
- "CCI-004505",
- "CCI-004506"
- ],
- "PS-1 c 2": [
- "CCI-001508",
- "CCI-001511",
- "CCI-004507",
- "CCI-004508"
- ],
- "PS-1 a 2": [
- "CCI-001509",
- "CCI-001510",
- "CCI-003018"
- ],
- "PS-2 a": [
- "CCI-001512"
- ],
- "PS-2 b": [
- "CCI-001513"
- ],
- "PS-2 c": [
- "CCI-001514",
- "CCI-001515"
- ],
- "PS-3 a": [
- "CCI-001516"
- ],
- "PS-3 b": [
- "CCI-001517",
- "CCI-001518",
- "CCI-001519"
- ],
- "PS-3 (1)": [
- "CCI-001520"
- ],
- "PS-3 (2)": [
- "CCI-001521"
- ],
- "PS-4 a": [
- "CCI-001522",
- "CCI-003022"
- ],
- "PS-4 c": [
- "CCI-001523",
- "CCI-003024"
- ],
- "PS-4 d": [
- "CCI-001524"
- ],
- "PS-4 e": [
- "CCI-001525",
- "CCI-001526"
- ],
- "PS-5 a": [
- "CCI-001527"
- ],
- "PS-5 b": [
- "CCI-001528",
- "CCI-001529",
- "CCI-001530"
- ],
- "PS-6 c 1": [
- "CCI-001531",
- "CCI-004513",
- "CCI-004514"
- ],
- "PS-6 b": [
- "CCI-001532",
- "CCI-001533"
- ],
- "PS-6 (1) (a)": [
- "CCI-001534"
- ],
- "PS-6 (1) (b)": [
- "CCI-001535"
- ],
- "PS-6 (2) (a)": [
- "CCI-001536"
- ],
- "PS-6 (2) (b)": [
- "CCI-001537"
- ],
- "PS-6 (2) (c)": [
- "CCI-001538"
- ],
- "PS-7 a": [
- "CCI-001539"
- ],
- "PS-7 c": [
- "CCI-001540"
- ],
- "PS-7 e": [
- "CCI-001541"
- ],
- "PS-8 a": [
- "CCI-001542",
- "CCI-004521",
- "CCI-004522"
- ],
- "IA-5 c": [
- "CCI-001544"
- ],
- "AC-4 (17) c": [
- "CCI-001557"
- ],
- "AC-6 (1) (a)": [
- "CCI-001558",
- "CCI-002222",
- "CCI-003685"
- ],
- "AT-3 (2)": [
- "CCI-001566",
- "CCI-001567",
- "CCI-001568",
- "CCI-002051"
- ],
- "CM-1 c 2": [
- "CCI-001584",
- "CCI-003906",
- "CCI-003907",
- "CCI-003908"
- ],
- "CP-1 c 2": [
- "CCI-001596",
- "CCI-001598",
- "CCI-004004",
- "CCI-004005"
- ],
- "IR-2": [
- "CCI-001622",
- "CCI-001623"
- ],
- "MA-4 (4) (b) (1)": [
- "CCI-001632"
- ],
- "PE-2 d": [
- "CCI-001635"
- ],
- "PL-1 c 1": [
- "CCI-001636",
- "CCI-001637",
- "CCI-004276"
- ],
- "SC-11 b": [
- "CCI-001661",
- "CCI-004895"
- ],
- "SI-2 (3)": [
- "CCI-001667"
- ],
- "PM-1 a 2": [
- "CCI-001680",
- "CCI-002986"
- ],
- "CM-10 a": [
- "CCI-001726",
- "CCI-001727",
- "CCI-001728",
- "CCI-001729"
- ],
- "CM-10 b": [
- "CCI-001730",
- "CCI-001731",
- "CCI-001802",
- "CCI-001803"
- ],
- "CM-10 c": [
- "CCI-001732",
- "CCI-001733"
- ],
- "CM-10 (1)": [
- "CCI-001734",
- "CCI-001735"
- ],
- "CM-2 (7) (a)": [
- "CCI-001737",
- "CCI-001738",
- "CCI-001739"
- ],
- "CM-3 (5)": [
- "CCI-001743",
- "CCI-001744"
- ],
- "CM-3 (6)": [
- "CCI-001745",
- "CCI-001746"
- ],
- "CM-7 (1) (b)": [
- "CCI-001761",
- "CCI-001762"
- ],
- "CM-7 (4) (a)": [
- "CCI-001765",
- "CCI-001766"
- ],
- "CM-7 (4) (b)": [
- "CCI-001767"
- ],
- "CM-7 (4) (c)": [
- "CCI-001768",
- "CCI-001769",
- "CCI-001770",
- "CCI-001771"
- ],
- "CM-7 (5) (a)": [
- "CCI-001772",
- "CCI-001773"
- ],
- "CM-7 (5) (b)": [
- "CCI-001774"
- ],
- "CM-7 (5) (c)": [
- "CCI-001775",
- "CCI-001776",
- "CCI-001777",
- "CCI-001778"
- ],
- "CM-8 (7)": [
- "CCI-001785"
- ],
- "CM-8 (8)": [
- "CCI-001786",
- "CCI-003970"
- ],
- "CM-8 (9) (a)": [
- "CCI-001787",
- "CCI-001788"
- ],
- "CM-8 (9) (b)": [
- "CCI-001789"
- ],
- "CM-9 e": [
- "CCI-001799",
- "CCI-001801"
- ],
- "CM-9 d": [
- "CCI-001800",
- "CCI-003977",
- "CCI-003978",
- "CCI-003979"
- ],
- "CM-11 a": [
- "CCI-001804",
- "CCI-001805"
- ],
- "CM-11 b": [
- "CCI-001806",
- "CCI-001807"
- ],
- "CM-11 c": [
- "CCI-001808",
- "CCI-001809"
- ],
- "CM-11 (1)": [
- "CCI-001810",
- "CCI-001811"
- ],
- "CM-11 (2)": [
- "CCI-001812",
- "CCI-003980"
- ],
- "CM-5 (1) (a)": [
- "CCI-001813",
- "CCI-003937"
- ],
- "CM-2 (7) (b)": [
- "CCI-001815",
- "CCI-001816"
- ],
- "CM-1 a 1": [
- "CCI-001820"
- ],
- "AU-1 a 1": [
- "CCI-001831",
- "CCI-001930"
- ],
- "AU-1 b 1": [
- "CCI-001835",
- "CCI-001836",
- "CCI-001837",
- "CCI-001838"
- ],
- "AU-1 b 2": [
- "CCI-001839",
- "CCI-001840",
- "CCI-001841",
- "CCI-001842"
- ],
- "AU-4 (1)": [
- "CCI-001850",
- "CCI-001851"
- ],
- "AU-6 (10)": [
- "CCI-001872",
- "CCI-001873",
- "CCI-001874"
- ],
- "AU-7 a": [
- "CCI-001875",
- "CCI-001876",
- "CCI-001877",
- "CCI-001878",
- "CCI-001879",
- "CCI-001880",
- "CCI-003822",
- "CCI-003823",
- "CCI-003824",
- "CCI-003825",
- "CCI-003826",
- "CCI-003827"
- ],
- "AU-7 b": [
- "CCI-001881",
- "CCI-001882",
- "CCI-003828",
- "CCI-003829"
- ],
- "AU-7 (2)": [
- "CCI-001884",
- "CCI-001885",
- "CCI-001886",
- "CCI-001887"
- ],
- "AU-8 b": [
- "CCI-001888",
- "CCI-001889",
- "CCI-001890"
- ],
- "AU-8 (1) (b)": [
- "CCI-001892",
- "CCI-002046"
- ],
- "AU-8 (2)": [
- "CCI-001893"
- ],
- "AU-9 (5)": [
- "CCI-001895",
- "CCI-001896"
- ],
- "AU-9 (6)": [
- "CCI-001897",
- "CCI-001898"
- ],
- "AU-10 (1) (a)": [
- "CCI-001900",
- "CCI-001901"
- ],
- "AU-10 (1) (b)": [
- "CCI-001902"
- ],
- "AU-10 (2) (a)": [
- "CCI-001903",
- "CCI-001904"
- ],
- "AU-10 (2) (b)": [
- "CCI-001905",
- "CCI-001906"
- ],
- "AU-10 (4) (b)": [
- "CCI-001908",
- "CCI-001909"
- ],
- "AU-12 (3)": [
- "CCI-001911",
- "CCI-001912",
- "CCI-001913",
- "CCI-001914",
- "CCI-002047",
- "CCI-003834"
- ],
- "AU-13 (1)": [
- "CCI-001916",
- "CCI-003841",
- "CCI-003842"
- ],
- "AU-13 (2)": [
- "CCI-001917",
- "CCI-001918"
- ],
- "AU-14 a": [
- "CCI-001919",
- "CCI-003844",
- "CCI-003845",
- "CCI-003846"
- ],
- "AU-14 (3)": [
- "CCI-001920",
- "CCI-003848"
- ],
- "AU-15": [
- "CCI-001921",
- "CCI-001922"
- ],
- "AU-16": [
- "CCI-001923",
- "CCI-001924",
- "CCI-001925"
- ],
- "AU-16 (1)": [
- "CCI-001926"
- ],
- "AU-16 (2)": [
- "CCI-001927",
- "CCI-001928",
- "CCI-001929"
- ],
- "IA-2 (10)": [
- "CCI-001943",
- "CCI-001944",
- "CCI-001945",
- "CCI-001946"
- ],
- "IA-2 (11)": [
- "CCI-001947",
- "CCI-001948",
- "CCI-001949",
- "CCI-001950",
- "CCI-001951",
- "CCI-001952"
- ],
- "IA-2 (12)": [
- "CCI-001953",
- "CCI-001954"
- ],
- "IA-2 (13)": [
- "CCI-001955",
- "CCI-001956",
- "CCI-001957"
- ],
- "IA-3 (3) (a)": [
- "CCI-001960",
- "CCI-001961",
- "CCI-001962",
- "CCI-001963"
- ],
- "IA-3 (4)": [
- "CCI-001964",
- "CCI-001965",
- "CCI-001966",
- "CCI-001968",
- "CCI-001969"
- ],
- "IA-4 (6)": [
- "CCI-001977",
- "CCI-001978"
- ],
- "IA-4 (7)": [
- "CCI-001979"
- ],
- "IA-5 i": [
- "CCI-001990",
- "CCI-002365",
- "CCI-002366"
- ],
- "IA-5 (2) (d)": [
- "CCI-001991"
- ],
- "IA-5 (9)": [
- "CCI-001999",
- "CCI-002000",
- "CCI-004070",
- "CCI-004071"
- ],
- "IA-5 (10)": [
- "CCI-002001",
- "CCI-004072"
- ],
- "IA-5 (11)": [
- "CCI-002002",
- "CCI-002003"
- ],
- "IA-5 (12)": [
- "CCI-002004",
- "CCI-002005"
- ],
- "IA-5 (13)": [
- "CCI-002006",
- "CCI-002007"
- ],
- "IA-5 (14)": [
- "CCI-002008"
- ],
- "IA-8 (1)": [
- "CCI-002009",
- "CCI-002010"
- ],
- "IA-8 (2)": [
- "CCI-002011"
- ],
- "IA-8 (3)": [
- "CCI-002012",
- "CCI-002013"
- ],
- "IA-8 (4)": [
- "CCI-002014",
- "CCI-004085",
- "CCI-004086"
- ],
- "IA-8 (5)": [
- "CCI-002015",
- "CCI-002016",
- "CCI-004087"
- ],
- "IA-9": [
- "CCI-002017",
- "CCI-002018",
- "CCI-002019",
- "CCI-002020",
- "CCI-002021",
- "CCI-002022"
- ],
- "IA-9 (1)": [
- "CCI-002023",
- "CCI-002024",
- "CCI-002025",
- "CCI-002026",
- "CCI-002027",
- "CCI-002028"
- ],
- "IA-9 (2)": [
- "CCI-002029",
- "CCI-002030",
- "CCI-002031",
- "CCI-002032"
- ],
- "IA-10": [
- "CCI-002033",
- "CCI-002034",
- "CCI-002035"
- ],
- "IA-11": [
- "CCI-002036",
- "CCI-002037",
- "CCI-002038",
- "CCI-002039"
- ],
- "IA-5 (1) (f)": [
- "CCI-002041",
- "CCI-004064"
- ],
- "IA-5 (15)": [
- "CCI-002043",
- "CCI-004073"
- ],
- "AU-11 (1)": [
- "CCI-002044",
- "CCI-002045"
- ],
- "AT-3 (3)": [
- "CCI-002052",
- "CCI-003790"
- ],
- "AT-3 (4)": [
- "CCI-002053",
- "CCI-002054"
- ],
- "AT-2 (2)": [
- "CCI-002055"
- ],
- "CM-3 (1) (f)": [
- "CCI-002057",
- "CCI-002058",
- "CCI-003918"
- ],
- "CA-1 a 1": [
- "CCI-002060"
- ],
- "CA-2 (3)": [
- "CCI-002066",
- "CCI-002067",
- "CCI-002068",
- "CCI-002069"
- ],
- "CA-3 (3)": [
- "CCI-002075",
- "CCI-002076",
- "CCI-002077"
- ],
- "CA-3 (4)": [
- "CCI-002078",
- "CCI-002079"
- ],
- "CA-3 (5)": [
- "CCI-002080",
- "CCI-002081",
- "CCI-002082"
- ],
- "CA-7 (3)": [
- "CCI-002086"
- ],
- "CA-7 d": [
- "CCI-002090"
- ],
- "CA-7 e": [
- "CCI-002091"
- ],
- "CA-7 f": [
- "CCI-002092"
- ],
- "CA-8": [
- "CCI-002093",
- "CCI-002094",
- "CCI-002095"
- ],
- "CA-8 (1)": [
- "CCI-002096"
- ],
- "CA-8 (2)": [
- "CCI-002097",
- "CCI-002098",
- "CCI-002099"
- ],
- "CA-9 (1)": [
- "CCI-002100",
- "CCI-003896"
- ],
- "CA-9 (a)": [
- "CCI-002101",
- "CCI-002102"
- ],
- "CA-9 (b)": [
- "CCI-002103",
- "CCI-002104",
- "CCI-002105",
- "CCI-003891"
- ],
- "AC-2 b": [
- "CCI-002112"
- ],
- "AC-2 d": [
- "CCI-002114"
- ],
- "AC-2 d 1": [
- "CCI-002115"
- ],
- "AC-2 d 2": [
- "CCI-002116",
- "CCI-002117"
- ],
- "AC-2 d 3": [
- "CCI-002118",
- "CCI-002119",
- "CCI-003616"
- ],
- "AC-2 h 1": [
- "CCI-002123"
- ],
- "AC-2 h 2": [
- "CCI-002124"
- ],
- "AC-2 h 3": [
- "CCI-002125"
- ],
- "AC-2 i 1": [
- "CCI-002126"
- ],
- "AC-2 i 2": [
- "CCI-002127"
- ],
- "AC-2 i 3": [
- "CCI-002128",
- "CCI-003625"
- ],
- "AC-2 k": [
- "CCI-002129"
- ],
- "AC-2 (7) (c)": [
- "CCI-002136",
- "CCI-003630"
- ],
- "AC-2 (7) (d)": [
- "CCI-002137"
- ],
- "AC-2 (8)": [
- "CCI-002138",
- "CCI-002139",
- "CCI-003631",
- "CCI-003632",
- "CCI-003633",
- "CCI-003634",
- "CCI-003635",
- "CCI-003636"
- ],
- "AC-2 (9)": [
- "CCI-002140",
- "CCI-002141"
- ],
- "AC-2 (10)": [
- "CCI-002142"
- ],
- "AC-2 (11)": [
- "CCI-002143",
- "CCI-002144",
- "CCI-002145"
- ],
- "AC-2 (12) (a)": [
- "CCI-002146",
- "CCI-002147"
- ],
- "AC-2 (12) (b)": [
- "CCI-002148",
- "CCI-002149"
- ],
- "AC-2 (13)": [
- "CCI-002150",
- "CCI-002151",
- "CCI-003637"
- ],
- "AC-3 (3) (b) (1)": [
- "CCI-002155"
- ],
- "AC-3 (3) (b) (2)": [
- "CCI-002156"
- ],
- "AC-3 (3) (b) (3)": [
- "CCI-002157"
- ],
- "AC-3 (3) (b) (4)": [
- "CCI-002158",
- "CCI-002159"
- ],
- "AC-3 (3) (b) (5)": [
- "CCI-002160"
- ],
- "AC-3 (3) (c)": [
- "CCI-002161",
- "CCI-002162",
- "CCI-003015"
- ],
- "AC-3 (7)": [
- "CCI-002166",
- "CCI-002167",
- "CCI-002168",
- "CCI-002169",
- "CCI-002170",
- "CCI-002171",
- "CCI-002172",
- "CCI-002173",
- "CCI-002174",
- "CCI-002175",
- "CCI-002176"
- ],
- "AC-3 (8)": [
- "CCI-002177",
- "CCI-002178",
- "CCI-002179"
- ],
- "AC-3 (9) (a)": [
- "CCI-002180",
- "CCI-002181",
- "CCI-002182"
- ],
- "AC-3 (9) (b)": [
- "CCI-002183",
- "CCI-002184"
- ],
- "AC-3 (10)": [
- "CCI-002185",
- "CCI-002186",
- "CCI-003643"
- ],
- "AC-4 (17)": [
- "CCI-002205",
- "CCI-002206",
- "CCI-002207",
- "CCI-002208"
- ],
- "AC-4 (18)": [
- "CCI-002209",
- "CCI-002210"
- ],
- "AC-4 (19)": [
- "CCI-002211",
- "CCI-003666"
- ],
- "AC-4 (20)": [
- "CCI-002212",
- "CCI-002213",
- "CCI-002214"
- ],
- "AC-4 (21)": [
- "CCI-002215",
- "CCI-002216",
- "CCI-002217"
- ],
- "AC-4 (22)": [
- "CCI-002218"
- ],
- "AC-6 (1) (b)": [
- "CCI-002221",
- "CCI-002223",
- "CCI-003686"
- ],
- "AC-6 (7) (a)": [
- "CCI-002228",
- "CCI-002229",
- "CCI-002230"
- ],
- "AC-6 (7) (b)": [
- "CCI-002231"
- ],
- "AC-6 (8)": [
- "CCI-002232",
- "CCI-002233"
- ],
- "AC-6 (9)": [
- "CCI-002234"
- ],
- "AC-6 (10)": [
- "CCI-002235"
- ],
- "AC-8 a 1": [
- "CCI-002243"
- ],
- "AC-8 a 2": [
- "CCI-002244"
- ],
- "AC-8 a 3": [
- "CCI-002245"
- ],
- "AC-8 a 4": [
- "CCI-002246"
- ],
- "AC-9 (4)": [
- "CCI-002249",
- "CCI-002250",
- "CCI-002251"
- ],
- "AC-12": [
- "CCI-002254",
- "CCI-002360",
- "CCI-002361"
- ],
- "AC-16 a": [
- "CCI-002256",
- "CCI-002257",
- "CCI-002258",
- "CCI-002259",
- "CCI-002260",
- "CCI-002261",
- "CCI-002262",
- "CCI-002263",
- "CCI-002264",
- "CCI-003696",
- "CCI-003697",
- "CCI-003698",
- "CCI-003699",
- "CCI-003700",
- "CCI-003701"
- ],
- "AC-16 b": [
- "CCI-002265",
- "CCI-002266",
- "CCI-003702",
- "CCI-003703"
- ],
- "AC-16 c": [
- "CCI-002267",
- "CCI-002268",
- "CCI-002269",
- "CCI-003704",
- "CCI-003705"
- ],
- "AC-16 d": [
- "CCI-002270",
- "CCI-002271",
- "CCI-003706"
- ],
- "AC-16 (6)": [
- "CCI-002291",
- "CCI-002292",
- "CCI-002293",
- "CCI-002294",
- "CCI-002295",
- "CCI-002296",
- "CCI-002297",
- "CCI-002298",
- "CCI-003730",
- "CCI-003731",
- "CCI-003732",
- "CCI-003733",
- "CCI-003734",
- "CCI-003735",
- "CCI-003736",
- "CCI-003737"
- ],
- "AC-16 (7)": [
- "CCI-002299",
- "CCI-003738"
- ],
- "AC-16 (8)": [
- "CCI-002300",
- "CCI-002301",
- "CCI-002302",
- "CCI-003739",
- "CCI-003740",
- "CCI-003741"
- ],
- "AC-16 (9)": [
- "CCI-002303",
- "CCI-002304",
- "CCI-003742"
- ],
- "AC-16 (10)": [
- "CCI-002305",
- "CCI-002306",
- "CCI-002307",
- "CCI-002308",
- "CCI-002309",
- "CCI-003743",
- "CCI-003744",
- "CCI-003745",
- "CCI-003746"
- ],
- "AC-17 (4) (b)": [
- "CCI-002319",
- "CCI-002320"
- ],
- "AC-17 (9)": [
- "CCI-002321",
- "CCI-002322"
- ],
- "AC-19 (4) (c)": [
- "CCI-002327",
- "CCI-002328"
- ],
- "AC-19 (5)": [
- "CCI-002329",
- "CCI-002330",
- "CCI-002331"
- ],
- "AC-20 a 2": [
- "CCI-002332",
- "CCI-003752",
- "CCI-003753"
- ],
- "AC-20 (3)": [
- "CCI-002338"
- ],
- "AC-20 (4)": [
- "CCI-002339",
- "CCI-002340"
- ],
- "AC-21 (2)": [
- "CCI-002341",
- "CCI-002342"
- ],
- "AC-23": [
- "CCI-002343",
- "CCI-002344",
- "CCI-002345",
- "CCI-002346",
- "CCI-002347"
- ],
- "AC-24": [
- "CCI-002348",
- "CCI-002349"
- ],
- "AC-24 (1)": [
- "CCI-002350",
- "CCI-002351",
- "CCI-002352",
- "CCI-002353"
- ],
- "AC-24 (2)": [
- "CCI-002354",
- "CCI-002355",
- "CCI-003760"
- ],
- "AC-25": [
- "CCI-002356",
- "CCI-002357",
- "CCI-002358",
- "CCI-002359"
- ],
- "AC-12 (1)": [
- "CCI-002362",
- "CCI-002363"
- ],
- "AC-12 (2)": [
- "CCI-002364"
- ],
- "RA-3 e": [
- "CCI-002370",
- "CCI-002371"
- ],
- "RA-5 (10)": [
- "CCI-002372"
- ],
- "SC-4 (2)": [
- "CCI-002383",
- "CCI-002384"
- ],
- "SC-5 (3) (a)": [
- "CCI-002388",
- "CCI-002389"
- ],
- "SC-5 (3) (b)": [
- "CCI-002390",
- "CCI-002391"
- ],
- "SC-7 b": [
- "CCI-002395"
- ],
- "SC-7 (9) (a)": [
- "CCI-002398",
- "CCI-002399"
- ],
- "SC-7 (9) (b)": [
- "CCI-002400"
- ],
- "SC-7 (19)": [
- "CCI-002408",
- "CCI-002409"
- ],
- "SC-7 (20)": [
- "CCI-002410",
- "CCI-002411"
- ],
- "SC-7 (21)": [
- "CCI-002412",
- "CCI-002413",
- "CCI-002414",
- "CCI-002415"
- ],
- "SC-7 (22)": [
- "CCI-002416"
- ],
- "SC-7 (23)": [
- "CCI-002417"
- ],
- "SC-8 (3)": [
- "CCI-002423",
- "CCI-002427"
- ],
- "SC-8 (4)": [
- "CCI-002424",
- "CCI-002425"
- ],
- "SC-11 (1) (a)": [
- "CCI-002426"
- ],
- "SC-13 b": [
- "CCI-002450"
- ],
- "SC-15 (4)": [
- "CCI-002452",
- "CCI-002453"
- ],
- "SC-18 (5)": [
- "CCI-002461"
- ],
- "SC-20 (2)": [
- "CCI-002463",
- "CCI-002464"
- ],
- "SC-23 (5)": [
- "CCI-002469",
- "CCI-002470"
- ],
- "SC-28 (2)": [
- "CCI-002477",
- "CCI-002478",
- "CCI-002479"
- ],
- "SC-30 (3)": [
- "CCI-002489",
- "CCI-002490",
- "CCI-002491",
- "CCI-002492"
- ],
- "SC-30 (4)": [
- "CCI-002493",
- "CCI-002494"
- ],
- "SC-30 (5)": [
- "CCI-002495",
- "CCI-002496",
- "CCI-002497"
- ],
- "SC-31 a": [
- "CCI-002498"
- ],
- "SC-31 b": [
- "CCI-002499"
- ],
- "SC-31 (2)": [
- "CCI-002500",
- "CCI-002501"
- ],
- "SC-31 (3)": [
- "CCI-002502",
- "CCI-002503"
- ],
- "SC-51 a": [
- "CCI-002508",
- "CCI-002509"
- ],
- "SC-51 b": [
- "CCI-002510",
- "CCI-002511",
- "CCI-002512"
- ],
- "SC-36": [
- "CCI-002513",
- "CCI-002514",
- "CCI-002515",
- "CCI-002516"
- ],
- "SC-36 (1) (a)": [
- "CCI-002517",
- "CCI-002518",
- "CCI-002519",
- "CCI-002520"
- ],
- "SC-37": [
- "CCI-002521",
- "CCI-002522",
- "CCI-002524",
- "CCI-003599"
- ],
- "SC-37, SC-37 (1)": [
- "CCI-002523"
- ],
- "SC-37 (1)": [
- "CCI-002525",
- "CCI-002526",
- "CCI-002527"
- ],
- "SC-38": [
- "CCI-002528",
- "CCI-002529"
- ],
- "SC-39": [
- "CCI-002530"
- ],
- "SC-39 (1)": [
- "CCI-002531"
- ],
- "SC-39 (2)": [
- "CCI-002532",
- "CCI-002533"
- ],
- "SC-40": [
- "CCI-002534",
- "CCI-002535",
- "CCI-002536"
- ],
- "SC-40 (1)": [
- "CCI-002537",
- "CCI-002538"
- ],
- "SC-40 (2)": [
- "CCI-002539",
- "CCI-002540"
- ],
- "SC-40 (3)": [
- "CCI-002541"
- ],
- "SC-40 (4)": [
- "CCI-002542",
- "CCI-002543"
- ],
- "SC-41": [
- "CCI-002544",
- "CCI-002545",
- "CCI-002546"
- ],
- "SC-42 a": [
- "CCI-002547",
- "CCI-002548",
- "CCI-002556",
- "CCI-002557"
- ],
- "SC-42 b": [
- "CCI-002549",
- "CCI-002550"
- ],
- "SC-42 (1)": [
- "CCI-002551",
- "CCI-002552"
- ],
- "SC-42 (2)": [
- "CCI-002553",
- "CCI-002554",
- "CCI-002555"
- ],
- "SC-42 (3)": [
- "CCI-002558"
- ],
- "SC-43 a": [
- "CCI-002559",
- "CCI-002560"
- ],
- "SC-43 b": [
- "CCI-002561",
- "CCI-002562",
- "CCI-002563"
- ],
- "SC-44": [
- "CCI-002564",
- "CCI-002565"
- ],
- "MP-6 (7)": [
- "CCI-002573",
- "CCI-002574"
- ],
- "MP-6 (8)": [
- "CCI-002575",
- "CCI-002576",
- "CCI-002577"
- ],
- "MP-6 b": [
- "CCI-002580"
- ],
- "MP-7 (a)": [
- "CCI-002581",
- "CCI-002582",
- "CCI-002583",
- "CCI-002584"
- ],
- "MP-7 (b)": [
- "CCI-002585"
- ],
- "MP-7 (2)": [
- "CCI-002586"
- ],
- "MP-8 (1)": [
- "CCI-002587"
- ],
- "MP-8 (2)": [
- "CCI-002588",
- "CCI-002589",
- "CCI-002590",
- "CCI-002591",
- "CCI-004227",
- "CCI-004228"
- ],
- "MP-8 (3)": [
- "CCI-002592",
- "CCI-002593"
- ],
- "MP-8 (4)": [
- "CCI-002594"
- ],
- "MP-8 a": [
- "CCI-002595",
- "CCI-002596",
- "CCI-002597",
- "CCI-004221",
- "CCI-004222"
- ],
- "MP-8 b": [
- "CCI-002598",
- "CCI-004223",
- "CCI-004224"
- ],
- "MP-8 c": [
- "CCI-002599",
- "CCI-004225",
- "CCI-004226"
- ],
- "MP-8 d": [
- "CCI-002600"
- ],
- "SI-1 a": [
- "CCI-002601"
- ],
- "SI-2 c": [
- "CCI-002604",
- "CCI-002605",
- "CCI-002606",
- "CCI-002607"
- ],
- "SI-2 (5)": [
- "CCI-002609",
- "CCI-002610",
- "CCI-002611",
- "CCI-002612",
- "CCI-002613",
- "CCI-002614"
- ],
- "SI-2 (6)": [
- "CCI-002615",
- "CCI-002616",
- "CCI-002617",
- "CCI-002618"
- ],
- "SI-3 (6) (b)": [
- "CCI-002625",
- "CCI-002626"
- ],
- "SI-3 (7)": [
- "CCI-002627"
- ],
- "SI-3 (8) (a)": [
- "CCI-002628",
- "CCI-002629",
- "CCI-002630"
- ],
- "SI-3 (8) (b)": [
- "CCI-002631"
- ],
- "SI-3 (9)": [
- "CCI-002632",
- "CCI-002633",
- "CCI-002637"
- ],
- "SI-3 (10) (a)": [
- "CCI-002634",
- "CCI-002635",
- "CCI-002636",
- "CCI-002638"
- ],
- "SI-3 (10) (b)": [
- "CCI-002639",
- "CCI-002640"
- ],
- "SI-4 a 2": [
- "CCI-002642",
- "CCI-002643",
- "CCI-002644"
- ],
- "SI-4 d": [
- "CCI-002647",
- "CCI-002648",
- "CCI-002649",
- "CCI-004967"
- ],
- "SI-4 g": [
- "CCI-002650",
- "CCI-002651",
- "CCI-002652",
- "CCI-002654"
- ],
- "SI-4": [
- "CCI-002653"
- ],
- "SI-4 (4) (b)": [
- "CCI-002659",
- "CCI-002660",
- "CCI-002661",
- "CCI-002662",
- "CCI-004973",
- "CCI-004974"
- ],
- "SI-4 (18)": [
- "CCI-002670",
- "CCI-002671",
- "CCI-002672"
- ],
- "SI-4 (19)": [
- "CCI-002673",
- "CCI-002674",
- "CCI-002675"
- ],
- "SI-4 (20)": [
- "CCI-002676",
- "CCI-002677"
- ],
- "SI-4 (21)": [
- "CCI-002678",
- "CCI-002679",
- "CCI-002680"
- ],
- "SI-4 (22) (a)": [
- "CCI-002681",
- "CCI-002682",
- "CCI-002683"
- ],
- "SI-4 (22) (b)": [
- "CCI-002684"
- ],
- "SI-4 (23)": [
- "CCI-002685",
- "CCI-002686",
- "CCI-002687"
- ],
- "SI-4 (24)": [
- "CCI-002688",
- "CCI-002689",
- "CCI-002690",
- "CCI-002691"
- ],
- "SI-6 a": [
- "CCI-002695",
- "CCI-002696",
- "CCI-004984",
- "CCI-004985"
- ],
- "SI-6 b": [
- "CCI-002697",
- "CCI-002698",
- "CCI-002699",
- "CCI-004986",
- "CCI-004987",
- "CCI-004988"
- ],
- "SI-6 d": [
- "CCI-002701",
- "CCI-002702",
- "CCI-004991",
- "CCI-004992"
- ],
- "SI-7 a": [
- "CCI-002704"
- ],
- "SI-7 (5)": [
- "CCI-002714",
- "CCI-002715"
- ],
- "SI-7 (6)": [
- "CCI-002716",
- "CCI-002717",
- "CCI-002718"
- ],
- "SI-7 (7)": [
- "CCI-002719",
- "CCI-002720"
- ],
- "SI-7 (8)": [
- "CCI-002721",
- "CCI-002722",
- "CCI-002723",
- "CCI-002724"
- ],
- "SI-7 (9)": [
- "CCI-002725",
- "CCI-002726"
- ],
- "SI-7 (10)": [
- "CCI-002727",
- "CCI-002728",
- "CCI-002729"
- ],
- "SI-7 (11)": [
- "CCI-002730",
- "CCI-002731"
- ],
- "SI-7 (12)": [
- "CCI-002732",
- "CCI-002733"
- ],
- "SI-7 (13)": [
- "CCI-002734",
- "CCI-002735",
- "CCI-002736"
- ],
- "SI-7 (14) (a)": [
- "CCI-002737"
- ],
- "SI-7 (14) (b)": [
- "CCI-002738"
- ],
- "SI-7 (15)": [
- "CCI-002739",
- "CCI-002740"
- ],
- "SI-8 (3)": [
- "CCI-002743"
- ],
- "SI-10 (1) (a)": [
- "CCI-002745",
- "CCI-002746"
- ],
- "SI-10 (1) (b)": [
- "CCI-002747",
- "CCI-002748"
- ],
- "SI-10 (1) (c)": [
- "CCI-002749"
- ],
- "SI-10 (2)": [
- "CCI-002750",
- "CCI-002751",
- "CCI-002752",
- "CCI-002753"
- ],
- "SI-10 (3)": [
- "CCI-002754"
- ],
- "SI-10 (4)": [
- "CCI-002755"
- ],
- "SI-10 (5)": [
- "CCI-002756",
- "CCI-002757",
- "CCI-002758"
- ],
- "SI-14": [
- "CCI-002764",
- "CCI-002765",
- "CCI-002766",
- "CCI-002767"
- ],
- "SI-14 (1)": [
- "CCI-002768",
- "CCI-002769"
- ],
- "SI-15": [
- "CCI-002770",
- "CCI-002771",
- "CCI-002772"
- ],
- "SI-17": [
- "CCI-002773",
- "CCI-002774",
- "CCI-002775"
- ],
- "IR-2 a 2": [
- "CCI-002779"
- ],
- "IR-3 (2)": [
- "CCI-002780"
- ],
- "IR-4 (6)": [
- "CCI-002782"
- ],
- "IR-4 (7)": [
- "CCI-002783",
- "CCI-002784",
- "CCI-004141",
- "CCI-004142"
- ],
- "IR-4 (8)": [
- "CCI-002785",
- "CCI-002786",
- "CCI-002787"
- ],
- "IR-4 (9)": [
- "CCI-002788",
- "CCI-002789"
- ],
- "IR-4 (10)": [
- "CCI-002790"
- ],
- "IR-6 (3)": [
- "CCI-002793",
- "CCI-004156"
- ],
- "IR-8 a 1": [
- "CCI-002795"
- ],
- "IR-8 a 2": [
- "CCI-002796"
- ],
- "IR-8 a 3": [
- "CCI-002797"
- ],
- "IR-8 a 4": [
- "CCI-002798"
- ],
- "IR-8 a 5": [
- "CCI-002799"
- ],
- "IR-8 a 6": [
- "CCI-002800"
- ],
- "IR-8 a 7": [
- "CCI-002801"
- ],
- "IR-8 e": [
- "CCI-002804"
- ],
- "IR-9 b": [
- "CCI-002805"
- ],
- "IR-9 c": [
- "CCI-002806",
- "CCI-002807"
- ],
- "IR-9 d": [
- "CCI-002808"
- ],
- "IR-9 e": [
- "CCI-002809"
- ],
- "IR-9 f": [
- "CCI-002810"
- ],
- "IR-9 g": [
- "CCI-002811",
- "CCI-002812"
- ],
- "IR-9 (1)": [
- "CCI-002813",
- "CCI-002814",
- "CCI-002815"
- ],
- "IR-9 (2)": [
- "CCI-002816",
- "CCI-002817"
- ],
- "IR-9 (3)": [
- "CCI-002818",
- "CCI-002819"
- ],
- "IR-9 (4)": [
- "CCI-002820",
- "CCI-002821"
- ],
- "IR-10": [
- "CCI-002822"
- ],
- "SI-16": [
- "CCI-002823",
- "CCI-002824"
- ],
- "CP-2 (7)": [
- "CCI-002827"
- ],
- "CP-2 (8)": [
- "CCI-002828",
- "CCI-002829"
- ],
- "CP-2 h": [
- "CCI-002832"
- ],
- "CP-3 a 2": [
- "CCI-002834"
- ],
- "CP-4 (2) (b)": [
- "CCI-002835"
- ],
- "CP-6 b": [
- "CCI-002836"
- ],
- "CP-7 (6)": [
- "CCI-002837",
- "CCI-002838"
- ],
- "CP-8 (4) (b)": [
- "CCI-002842"
- ],
- "CP-8 (4) (c)": [
- "CCI-002843",
- "CCI-002844",
- "CCI-002845",
- "CCI-002846"
- ],
- "CP-8 (5)": [
- "CCI-002847",
- "CCI-002848"
- ],
- "CP-9 (7)": [
- "CCI-002851",
- "CCI-002852"
- ],
- "CP-11": [
- "CCI-002853",
- "CCI-002854"
- ],
- "CP-12": [
- "CCI-002855",
- "CCI-002856",
- "CCI-002857"
- ],
- "CP-13": [
- "CCI-002858",
- "CCI-002859",
- "CCI-002860"
- ],
- "MA-2 (2) (a)": [
- "CCI-002863",
- "CCI-002905",
- "CCI-004182",
- "CCI-004183",
- "CCI-004184"
- ],
- "MA-2 (2) (b)": [
- "CCI-002864",
- "CCI-002865",
- "CCI-004185"
- ],
- "MA-2 f": [
- "CCI-002875",
- "CCI-002876"
- ],
- "MA-3 (3) (a)": [
- "CCI-002877"
- ],
- "MA-3 (3) (b)": [
- "CCI-002878"
- ],
- "MA-3 (3) (c)": [
- "CCI-002879",
- "CCI-002880"
- ],
- "MA-3 (3) (d)": [
- "CCI-002881",
- "CCI-002882"
- ],
- "MA-4 (1) (a)": [
- "CCI-002884",
- "CCI-002885"
- ],
- "MA-4 (1) (b)": [
- "CCI-002886"
- ],
- "MA-5 (1) (b)": [
- "CCI-002892",
- "CCI-004194",
- "CCI-004195",
- "CCI-004196"
- ],
- "MA-5 (5)": [
- "CCI-002893"
- ],
- "MA-5 c": [
- "CCI-002895"
- ],
- "MA-6 (1)": [
- "CCI-002898",
- "CCI-002899",
- "CCI-002900"
- ],
- "MA-6 (2)": [
- "CCI-002901",
- "CCI-002902",
- "CCI-002903"
- ],
- "MA-6 (3)": [
- "CCI-002904",
- "CCI-004197"
- ],
- "PE-3 b": [
- "CCI-002917",
- "CCI-002918"
- ],
- "PE-3 c": [
- "CCI-002919",
- "CCI-002920"
- ],
- "PE-5 (1) (a)": [
- "CCI-002932",
- "CCI-002933"
- ],
- "PE-5 (1) (b)": [
- "CCI-002934"
- ],
- "PE-5 (2) (a)": [
- "CCI-002935"
- ],
- "PE-5 (2) (b)": [
- "CCI-002936"
- ],
- "PE-5 (3)": [
- "CCI-002937",
- "CCI-002938"
- ],
- "PE-6 (3) (a)": [
- "CCI-002946",
- "CCI-002947"
- ],
- "PE-6 (3) (c)": [
- "CCI-002948",
- "CCI-002949"
- ],
- "PE-6 (4)": [
- "CCI-002950",
- "CCI-002951"
- ],
- "PE-11 (2) (a)": [
- "CCI-002956"
- ],
- "PE-11 (2) (b)": [
- "CCI-002957"
- ],
- "PE-11 (2) (c)": [
- "CCI-002958"
- ],
- "PE-13 (2) (a)": [
- "CCI-002965",
- "CCI-002966",
- "CCI-002967"
- ],
- "PE-20": [
- "CCI-002979",
- "CCI-002980",
- "CCI-002981",
- "CCI-002982"
- ],
- "PE-20 b": [
- "CCI-002983"
- ],
- "PM-1 a 3": [
- "CCI-002984",
- "CCI-002987"
- ],
- "PM-4 a 3": [
- "CCI-002992",
- "CCI-004325",
- "CCI-004326",
- "CCI-004327"
- ],
- "PM-4 b": [
- "CCI-002993"
- ],
- "PM-9 c": [
- "CCI-002994",
- "CCI-002995"
- ],
- "PM-12": [
- "CCI-002996"
- ],
- "PM-13": [
- "CCI-002997",
- "CCI-004352"
- ],
- "PM-14 a 1": [
- "CCI-002998",
- "CCI-002999",
- "CCI-003000",
- "CCI-003001",
- "CCI-003002",
- "CCI-003003",
- "CCI-004353",
- "CCI-004354",
- "CCI-004355",
- "CCI-004356",
- "CCI-004357",
- "CCI-004358"
- ],
- "PM-14 a 2": [
- "CCI-003004",
- "CCI-003005",
- "CCI-003006",
- "CCI-004359",
- "CCI-004360",
- "CCI-004361"
- ],
- "PM-14 b": [
- "CCI-003007",
- "CCI-003008",
- "CCI-003009"
- ],
- "PM-15 a": [
- "CCI-003010",
- "CCI-004362"
- ],
- "PM-15 b": [
- "CCI-003011",
- "CCI-004363"
- ],
- "PM-15 c": [
- "CCI-003012",
- "CCI-004364"
- ],
- "PM-16": [
- "CCI-003013"
- ],
- "PS-4 f": [
- "CCI-003016",
- "CCI-003025",
- "CCI-003026"
- ],
- "PS-3 (3) (a)": [
- "CCI-003019"
- ],
- "PS-3 (3) (b)": [
- "CCI-003020",
- "CCI-003021"
- ],
- "PS-4 b": [
- "CCI-003023"
- ],
- "PS-4 (1) (a)": [
- "CCI-003027"
- ],
- "PS-4 (1) (b)": [
- "CCI-003028"
- ],
- "PS-4 (2)": [
- "CCI-003029",
- "CCI-003030",
- "CCI-004512"
- ],
- "PS-5 c": [
- "CCI-003031"
- ],
- "PS-5 d": [
- "CCI-003032",
- "CCI-003033",
- "CCI-003034"
- ],
- "PS-6 a": [
- "CCI-003035"
- ],
- "PS-6 c 2": [
- "CCI-003036",
- "CCI-003037",
- "CCI-004515",
- "CCI-004516",
- "CCI-004517",
- "CCI-004518"
- ],
- "PS-6 (3) (a)": [
- "CCI-003038"
- ],
- "PS-6 (3) (b)": [
- "CCI-003039"
- ],
- "PS-7 b": [
- "CCI-003040",
- "CCI-004519",
- "CCI-004520"
- ],
- "PS-7 d": [
- "CCI-003041",
- "CCI-003042",
- "CCI-003043"
- ],
- "PS-8 b": [
- "CCI-003044",
- "CCI-003045",
- "CCI-003046"
- ],
- "PL-2 a 1": [
- "CCI-003050"
- ],
- "PL-2 a 2": [
- "CCI-003051"
- ],
- "PL-2 a 3": [
- "CCI-003052"
- ],
- "PL-2 a 6": [
- "CCI-003053"
- ],
- "PL-2 a 9": [
- "CCI-003054"
- ],
- "PL-2 a 10": [
- "CCI-003055"
- ],
- "PL-2 a 11": [
- "CCI-003056"
- ],
- "PL-2 a 12": [
- "CCI-003057"
- ],
- "PL-2 b": [
- "CCI-003058",
- "CCI-003059",
- "CCI-003060",
- "CCI-003061",
- "CCI-003062"
- ],
- "PL-2 e": [
- "CCI-003063",
- "CCI-003064"
- ],
- "PL-2 (3)": [
- "CCI-003065",
- "CCI-003066",
- "CCI-003067"
- ],
- "PL-4 c": [
- "CCI-003068",
- "CCI-003069"
- ],
- "PL-4 d": [
- "CCI-003070",
- "CCI-004289"
- ],
- "PL-7 a": [
- "CCI-003071",
- "CCI-004291"
- ],
- "PL-8 a": [
- "CCI-003072",
- "CCI-004292"
- ],
- "PL-8 a 1": [
- "CCI-003073",
- "CCI-004293"
- ],
- "PL-8 a 3": [
- "CCI-003074",
- "CCI-004296"
- ],
- "PL-8 a 4": [
- "CCI-003075",
- "CCI-004297"
- ],
- "PL-8 b": [
- "CCI-003076",
- "CCI-003077"
- ],
- "PL-8 c": [
- "CCI-003078",
- "CCI-003079",
- "CCI-003080",
- "CCI-004298",
- "CCI-004299",
- "CCI-004300"
- ],
- "PL-8 (1) (a)": [
- "CCI-003081",
- "CCI-003082",
- "CCI-003083",
- "CCI-003084",
- "CCI-003085",
- "CCI-003086",
- "CCI-004301",
- "CCI-004302",
- "CCI-004303",
- "CCI-004304",
- "CCI-004305",
- "CCI-004306"
- ],
- "PL-8 (1) (b)": [
- "CCI-003087",
- "CCI-004307"
- ],
- "PL-8 (2)": [
- "CCI-003088",
- "CCI-004308",
- "CCI-004309"
- ],
- "SA-3 d": [
- "CCI-003093",
- "CCI-004678"
- ],
- "SA-4 e": [
- "CCI-003097",
- "CCI-004691"
- ],
- "SA-4 f": [
- "CCI-003098",
- "CCI-004692",
- "CCI-004693"
- ],
- "SA-4 g": [
- "CCI-003099"
- ],
- "SA-4 i": [
- "CCI-003100"
- ],
- "SA-4 (5) (a)": [
- "CCI-003109",
- "CCI-003110"
- ],
- "SA-4 (5) (b)": [
- "CCI-003111"
- ],
- "SA-4 (8)": [
- "CCI-003112",
- "CCI-003113"
- ],
- "SA-4 (9)": [
- "CCI-003114",
- "CCI-003115"
- ],
- "SA-4 (10)": [
- "CCI-003116"
- ],
- "PL-9": [
- "CCI-003117",
- "CCI-003118"
- ],
- "RA-6": [
- "CCI-003119",
- "CCI-003120",
- "CCI-003121",
- "CCI-003122"
- ],
- "SA-5 a 1": [
- "CCI-003124",
- "CCI-003125",
- "CCI-003126"
- ],
- "SA-5 a 2": [
- "CCI-003127",
- "CCI-004708"
- ],
- "SA-5 a 3": [
- "CCI-003128"
- ],
- "SA-5 b 1": [
- "CCI-003129",
- "CCI-004709"
- ],
- "SA-5 b 2": [
- "CCI-003130",
- "CCI-004710"
- ],
- "SA-5 b 3": [
- "CCI-003131",
- "CCI-004711"
- ],
- "SA-5 d": [
- "CCI-003134",
- "CCI-003135",
- "CCI-003136"
- ],
- "SA-9 (2)": [
- "CCI-003143",
- "CCI-003144"
- ],
- "SA-9 (3)": [
- "CCI-003145",
- "CCI-003146",
- "CCI-003147",
- "CCI-003148",
- "CCI-004787",
- "CCI-004788",
- "CCI-004789",
- "CCI-004790"
- ],
- "SA-9 (4)": [
- "CCI-003149",
- "CCI-003150",
- "CCI-003151"
- ],
- "SA-9 (5)": [
- "CCI-003152",
- "CCI-003153",
- "CCI-003154"
- ],
- "SA-10 a": [
- "CCI-003155"
- ],
- "SA-10 b": [
- "CCI-003156",
- "CCI-003157",
- "CCI-003158",
- "CCI-003159"
- ],
- "SA-10 e": [
- "CCI-003161",
- "CCI-003162",
- "CCI-003163",
- "CCI-003164"
- ],
- "SA-10 (3)": [
- "CCI-003165"
- ],
- "SA-10 (4)": [
- "CCI-003166",
- "CCI-003167",
- "CCI-003168"
- ],
- "SA-10 (5)": [
- "CCI-003169"
- ],
- "SA-10 (6)": [
- "CCI-003170"
- ],
- "SA-11 a": [
- "CCI-003171",
- "CCI-003172",
- "CCI-004798",
- "CCI-004799"
- ],
- "SA-11 b": [
- "CCI-003173",
- "CCI-003174",
- "CCI-004800"
- ],
- "SA-11 c": [
- "CCI-003175",
- "CCI-003176"
- ],
- "SA-11 d": [
- "CCI-003177"
- ],
- "SA-11 e": [
- "CCI-003178"
- ],
- "SA-11 (3) (a)": [
- "CCI-003183",
- "CCI-003184",
- "CCI-003185",
- "CCI-004809",
- "CCI-004810",
- "CCI-004811"
- ],
- "SA-11 (3) (b)": [
- "CCI-003186"
- ],
- "SA-11 (4)": [
- "CCI-003187",
- "CCI-003188",
- "CCI-003189"
- ],
- "SA-11 (5)": [
- "CCI-003190"
- ],
- "SA-11 (5) (a)": [
- "CCI-003191",
- "CCI-004812"
- ],
- "SA-11 (5) (b)": [
- "CCI-003192",
- "CCI-004813"
- ],
- "SA-11 (6)": [
- "CCI-003193"
- ],
- "SA-11 (7)": [
- "CCI-003194",
- "CCI-003195"
- ],
- "SA-11 (8)": [
- "CCI-003196",
- "CCI-003197"
- ],
- "SA-12 (8)": [
- "CCI-003205"
- ],
- "SA-12 (9)": [
- "CCI-003206",
- "CCI-003210",
- "CCI-003211"
- ],
- "SA-12 (10)": [
- "CCI-003212",
- "CCI-003213"
- ],
- "SA-12 (11)": [
- "CCI-003214",
- "CCI-003215"
- ],
- "SA-12 (12)": [
- "CCI-003216",
- "CCI-003217"
- ],
- "SA-12 (13)": [
- "CCI-003218",
- "CCI-003219",
- "CCI-003220"
- ],
- "SA-12 (14)": [
- "CCI-003221",
- "CCI-003222",
- "CCI-003223"
- ],
- "SA-12 (15)": [
- "CCI-003224"
- ],
- "SA-13 a": [
- "CCI-003225",
- "CCI-003226"
- ],
- "SA-13 b": [
- "CCI-003227",
- "CCI-003228"
- ],
- "SA-15 a": [
- "CCI-003233"
- ],
- "SA-15 a 1": [
- "CCI-003234",
- "CCI-004816"
- ],
- "SA-15 a 2": [
- "CCI-003235",
- "CCI-003236"
- ],
- "SA-15 a 3": [
- "CCI-003237"
- ],
- "SA-15 a 4": [
- "CCI-003238",
- "CCI-003239",
- "CCI-003240"
- ],
- "SA-15 b": [
- "CCI-003241",
- "CCI-003242",
- "CCI-003243",
- "CCI-003244",
- "CCI-003245",
- "CCI-003246",
- "CCI-004817",
- "CCI-004818",
- "CCI-004819",
- "CCI-004820",
- "CCI-004821",
- "CCI-004822"
- ],
- "SA-15 (1) (a)": [
- "CCI-003247"
- ],
- "SA-15 (1) (b)": [
- "CCI-003248",
- "CCI-003249",
- "CCI-003250"
- ],
- "SA-15 (2)": [
- "CCI-003251",
- "CCI-003252",
- "CCI-004823",
- "CCI-004824"
- ],
- "SA-15 (3)": [
- "CCI-003253"
- ],
- "SA-15 (3) (b)": [
- "CCI-003254",
- "CCI-004826"
- ],
- "SA-15 (3) (a)": [
- "CCI-003255",
- "CCI-004825"
- ],
- "SA-15 (4)": [
- "CCI-003256",
- "CCI-003257",
- "CCI-003258",
- "CCI-003259"
- ],
- "SA-15 (4) (a)": [
- "CCI-003260",
- "CCI-003261",
- "CCI-003262",
- "CCI-003263"
- ],
- "SA-15 (4) (b)": [
- "CCI-003264",
- "CCI-003265",
- "CCI-003266",
- "CCI-003267"
- ],
- "SA-15 (4) (c)": [
- "CCI-003268",
- "CCI-003269",
- "CCI-003270",
- "CCI-003271"
- ],
- "SA-15 (5)": [
- "CCI-003272",
- "CCI-003273"
- ],
- "SA-15 (6)": [
- "CCI-003274"
- ],
- "SA-15 (7) (a)": [
- "CCI-003275",
- "CCI-003276",
- "CCI-004827"
- ],
- "SA-15 (7) (b)": [
- "CCI-003277",
- "CCI-004828"
- ],
- "SA-15 (7) (c)": [
- "CCI-003278",
- "CCI-004829"
- ],
- "SA-15 (7) (d)": [
- "CCI-003279",
- "CCI-003280",
- "CCI-004830"
- ],
- "SA-15 (8)": [
- "CCI-003281",
- "CCI-003282"
- ],
- "SA-15 (9)": [
- "CCI-003283",
- "CCI-003284",
- "CCI-003285",
- "CCI-003286",
- "CCI-003287",
- "CCI-003288"
- ],
- "SA-15 (10)": [
- "CCI-003289",
- "CCI-004831",
- "CCI-004832"
- ],
- "SA-15 (11)": [
- "CCI-003290",
- "CCI-004833"
- ],
- "SA-16": [
- "CCI-003291",
- "CCI-003292",
- "CCI-004835",
- "CCI-004836"
- ],
- "SA-17": [
- "CCI-003293",
- "CCI-004837"
- ],
- "SA-17 a": [
- "CCI-003294",
- "CCI-004838"
- ],
- "SA-17 b": [
- "CCI-003295",
- "CCI-003296",
- "CCI-004839",
- "CCI-004840"
- ],
- "SA-17 c": [
- "CCI-003297",
- "CCI-004841"
- ],
- "SA-17 (1) (a)": [
- "CCI-003298",
- "CCI-003299",
- "CCI-004842",
- "CCI-004843"
- ],
- "SA-17 (1) (b)": [
- "CCI-003300",
- "CCI-004844"
- ],
- "SA-17 (2) (a)": [
- "CCI-003301",
- "CCI-003302",
- "CCI-003303",
- "CCI-003304"
- ],
- "SA-17 (2) (b)": [
- "CCI-003305",
- "CCI-003306",
- "CCI-003307"
- ],
- "SA-17 (3) (a)": [
- "CCI-003308",
- "CCI-003309",
- "CCI-003310"
- ],
- "SA-17 (3) (b)": [
- "CCI-003311"
- ],
- "SA-17 (3) (c)": [
- "CCI-003312",
- "CCI-003313",
- "CCI-003314"
- ],
- "SA-17 (3) (d)": [
- "CCI-003315",
- "CCI-003316",
- "CCI-003317"
- ],
- "SA-17 (3) (e)": [
- "CCI-003318",
- "CCI-003319",
- "CCI-003320"
- ],
- "SA-17 (4) (a)": [
- "CCI-003321",
- "CCI-003322",
- "CCI-003323"
- ],
- "SA-17 (4) (b)": [
- "CCI-003324"
- ],
- "SA-17 (4) (c)": [
- "CCI-003325",
- "CCI-003326",
- "CCI-003327"
- ],
- "SA-17 (4) (d)": [
- "CCI-003328",
- "CCI-003329",
- "CCI-003330"
- ],
- "SA-17 (4) (e)": [
- "CCI-003331",
- "CCI-003332",
- "CCI-003333"
- ],
- "SA-17 (5) (a)": [
- "CCI-003334",
- "CCI-003335",
- "CCI-003336"
- ],
- "SA-17 (5) (b)": [
- "CCI-003337",
- "CCI-003338",
- "CCI-003339"
- ],
- "SA-17 (6)": [
- "CCI-003340",
- "CCI-003341",
- "CCI-003342"
- ],
- "SA-17 (7)": [
- "CCI-003343",
- "CCI-003344",
- "CCI-003345"
- ],
- "SA-18": [
- "CCI-003346"
- ],
- "SA-18 (1)": [
- "CCI-003347",
- "CCI-003348",
- "CCI-003349",
- "CCI-003350",
- "CCI-003351"
- ],
- "SA-18 (2)": [
- "CCI-003352",
- "CCI-003353",
- "CCI-003354",
- "CCI-003355"
- ],
- "SA-19 a": [
- "CCI-003356",
- "CCI-003357",
- "CCI-003358",
- "CCI-003359",
- "CCI-003360",
- "CCI-003361",
- "CCI-003362",
- "CCI-003363"
- ],
- "SA-19 b": [
- "CCI-003364",
- "CCI-003365",
- "CCI-003366"
- ],
- "SA-19 (1)": [
- "CCI-003367",
- "CCI-003368"
- ],
- "SA-19 (2)": [
- "CCI-003369",
- "CCI-003370",
- "CCI-003371"
- ],
- "SA-22 b": [
- "CCI-003372",
- "CCI-003373",
- "CCI-003374",
- "CCI-003375"
- ],
- "SA-22 a": [
- "CCI-003376"
- ],
- "SA-21 (1)": [
- "CCI-003377",
- "CCI-003378",
- "CCI-003379",
- "CCI-003380"
- ],
- "SA-21 b": [
- "CCI-003381",
- "CCI-003382"
- ],
- "SA-21 a": [
- "CCI-003383",
- "CCI-003385"
- ],
- "SA-21": [
- "CCI-003384"
- ],
- "SA-20": [
- "CCI-003386",
- "CCI-003387"
- ],
- "SA-19 (4)": [
- "CCI-003388",
- "CCI-003389"
- ],
- "SA-19 (3)": [
- "CCI-003390",
- "CCI-003391"
- ],
- "AP-1": [
- "CCI-003392",
- "CCI-003393",
- "CCI-003394",
- "CCI-003395"
- ],
- "AP-2": [
- "CCI-003396",
- "CCI-003398",
- "CCI-003399",
- "CCI-003400"
- ],
- "AR-1 a": [
- "CCI-003397"
- ],
- "AR-1 b": [
- "CCI-003401"
- ],
- "AR-1 c": [
- "CCI-003402",
- "CCI-003403",
- "CCI-003404",
- "CCI-003405"
- ],
- "AR-1 d": [
- "CCI-003406"
- ],
- "AR-1 e": [
- "CCI-003407",
- "CCI-003408",
- "CCI-003409",
- "CCI-003410",
- "CCI-003411",
- "CCI-003412"
- ],
- "AR-1 f": [
- "CCI-003413",
- "CCI-003414",
- "CCI-003415",
- "CCI-003416"
- ],
- "AR-2 a": [
- "CCI-003417",
- "CCI-003418",
- "CCI-003419",
- "CCI-003420",
- "CCI-003421",
- "CCI-003422",
- "CCI-003423",
- "CCI-003424"
- ],
- "AR-2 b": [
- "CCI-003425"
- ],
- "AR-3 a": [
- "CCI-003426",
- "CCI-003427",
- "CCI-003428",
- "CCI-003429",
- "CCI-003430",
- "CCI-003431"
- ],
- "AR-3 b": [
- "CCI-003432",
- "CCI-003433"
- ],
- "AR-4": [
- "CCI-003434",
- "CCI-003435",
- "CCI-003436",
- "CCI-003437",
- "CCI-003438",
- "CCI-003439"
- ],
- "AR-5 a": [
- "CCI-003440",
- "CCI-003441",
- "CCI-003442"
- ],
- "AR-5 b": [
- "CCI-003443",
- "CCI-003444",
- "CCI-003445",
- "CCI-003446"
- ],
- "AR-5 c": [
- "CCI-003447",
- "CCI-003448"
- ],
- "AR-6": [
- "CCI-003449",
- "CCI-003450",
- "CCI-003451",
- "CCI-003452",
- "CCI-003453",
- "CCI-003454"
- ],
- "AR-7": [
- "CCI-003455"
- ],
- "AR-8 a (1)": [
- "CCI-003456",
- "CCI-003457",
- "CCI-003458",
- "CCI-003459"
- ],
- "AR-8 a (2)": [
- "CCI-003460"
- ],
- "AR-8 b": [
- "CCI-003461"
- ],
- "AR-8 c": [
- "CCI-003462"
- ],
- "DI-1 a": [
- "CCI-003463",
- "CCI-003464",
- "CCI-003465",
- "CCI-003466"
- ],
- "DI-1 b": [
- "CCI-003467"
- ],
- "DI-1 c": [
- "CCI-003468",
- "CCI-003469"
- ],
- "DI-1 d": [
- "CCI-003470",
- "CCI-003471",
- "CCI-003472",
- "CCI-003473",
- "CCI-003474",
- "CCI-003475",
- "CCI-003476",
- "CCI-003477"
- ],
- "DI-1 (1)": [
- "CCI-003478"
- ],
- "DI-1 (2)": [
- "CCI-003479",
- "CCI-003480"
- ],
- "DI-2 a": [
- "CCI-003481"
- ],
- "DI-2 b": [
- "CCI-003482",
- "CCI-003483",
- "CCI-003484"
- ],
- "DI-2 (1)": [
- "CCI-003485"
- ],
- "DM-1 a": [
- "CCI-003486"
- ],
- "DM-1 b": [
- "CCI-003487",
- "CCI-003488"
- ],
- "DM-1 c": [
- "CCI-003489",
- "CCI-003490",
- "CCI-003491",
- "CCI-003492",
- "CCI-003493",
- "CCI-003494"
- ],
- "DM-1 (1)": [
- "CCI-003495",
- "CCI-003496"
- ],
- "DM-2 a": [
- "CCI-003497",
- "CCI-003498"
- ],
- "DM-2 b": [
- "CCI-003499",
- "CCI-003500"
- ],
- "DM-2 c": [
- "CCI-003501",
- "CCI-003502"
- ],
- "DM-2 (1)": [
- "CCI-003503",
- "CCI-003504",
- "CCI-003505",
- "CCI-003506"
- ],
- "DM-3 a": [
- "CCI-003507",
- "CCI-003508",
- "CCI-003509",
- "CCI-003510",
- "CCI-003511",
- "CCI-003512"
- ],
- "DM-3 b": [
- "CCI-003513",
- "CCI-003514",
- "CCI-003515"
- ],
- "DM-3 (1)": [
- "CCI-003516",
- "CCI-003517",
- "CCI-003518"
- ],
- "IP-1 a": [
- "CCI-003519",
- "CCI-003520",
- "CCI-003521",
- "CCI-003522"
- ],
- "IP-1 b": [
- "CCI-003523",
- "CCI-003524",
- "CCI-003525",
- "CCI-003526"
- ],
- "IP-1 c": [
- "CCI-003527"
- ],
- "IP-1 d": [
- "CCI-003528",
- "CCI-003529"
- ],
- "IP-1 (1)": [
- "CCI-003530"
- ],
- "IP-2 a": [
- "CCI-003531"
- ],
- "IP-2 b": [
- "CCI-003532",
- "CCI-003533"
- ],
- "IP-2 c": [
- "CCI-003534"
- ],
- "IP-2 d": [
- "CCI-003535",
- "CCI-003536"
- ],
- "IP-3 a": [
- "CCI-003537"
- ],
- "IP-3 b": [
- "CCI-003538",
- "CCI-003539"
- ],
- "IP-4": [
- "CCI-003540",
- "CCI-003541"
- ],
- "IP-4 (1)": [
- "CCI-003542",
- "CCI-003543"
- ],
- "SE-1 a": [
- "CCI-003544",
- "CCI-003545",
- "CCI-003546",
- "CCI-003547",
- "CCI-003548",
- "CCI-003549",
- "CCI-003550"
- ],
- "SE-1 b": [
- "CCI-003551",
- "CCI-003552"
- ],
- "SE-2 a": [
- "CCI-003553",
- "CCI-003554"
- ],
- "SE-2 b": [
- "CCI-003555"
- ],
- "TR-1 a": [
- "CCI-003556",
- "CCI-003557",
- "CCI-003558",
- "CCI-003559",
- "CCI-003560",
- "CCI-003561",
- "CCI-003562",
- "CCI-003563",
- "CCI-003564",
- "CCI-003565",
- "CCI-003566",
- "CCI-003567"
- ],
- "TR-1 b": [
- "CCI-003568",
- "CCI-003569",
- "CCI-003570",
- "CCI-003571",
- "CCI-003572",
- "CCI-003573",
- "CCI-003574",
- "CCI-003575",
- "CCI-003576",
- "CCI-003577",
- "CCI-003598"
- ],
- "TR-1 c": [
- "CCI-003578",
- "CCI-003579"
- ],
- "TR-1 (1)": [
- "CCI-003580"
- ],
- "TR-2 a": [
- "CCI-003581"
- ],
- "TR-2 b": [
- "CCI-003582"
- ],
- "TR-2 c": [
- "CCI-003583"
- ],
- "TR-2 (1)": [
- "CCI-003584"
- ],
- "TR-3 a": [
- "CCI-003585",
- "CCI-003586"
- ],
- "TR-3 b": [
- "CCI-003587"
- ],
- "UL-1": [
- "CCI-003588"
- ],
- "UL-2 a": [
- "CCI-003589"
- ],
- "UL-2 b": [
- "CCI-003590",
- "CCI-003591"
- ],
- "UL-2 c": [
- "CCI-003592",
- "CCI-003593",
- "CCI-003594",
- "CCI-003595"
- ],
- "UL-2 d": [
- "CCI-003596",
- "CCI-003597"
- ],
- "AC-1 a 1 (b)": [
- "CCI-003601",
- "CCI-003603"
- ],
- "AC-1 b": [
- "CCI-003605",
- "CCI-003606",
- "CCI-003607"
- ],
- "AC-2 l": [
- "CCI-003626"
- ],
- "AC-2 (3) (a)": [
- "CCI-003627"
- ],
- "AC-2 (3) (b)": [
- "CCI-003628"
- ],
- "AC-2 (3) (c)": [
- "CCI-003629"
- ],
- "AC-3 (4) (d)": [
- "CCI-003641"
- ],
- "AC-3 (4) (e)": [
- "CCI-003642"
- ],
- "AC-3 (11)": [
- "CCI-003644",
- "CCI-003645"
- ],
- "AC-3 (12) (a)": [
- "CCI-003646",
- "CCI-003647"
- ],
- "AC-3 (12) (b)": [
- "CCI-003648"
- ],
- "AC-3 (12) (c)": [
- "CCI-003649"
- ],
- "AC-3 (13)": [
- "CCI-003650",
- "CCI-003651",
- "CCI-003652",
- "CCI-003653"
- ],
- "AC-3 (14)": [
- "CCI-003654",
- "CCI-003655",
- "CCI-003656"
- ],
- "AC-3 (15) (a)": [
- "CCI-003657",
- "CCI-003658"
- ],
- "AC-3 (15) (b)": [
- "CCI-003659",
- "CCI-003660"
- ],
- "AC-4 (8) (b)": [
- "CCI-003664",
- "CCI-003665"
- ],
- "AC-4 (23)": [
- "CCI-003667",
- "CCI-003668"
- ],
- "AC-4 (24)": [
- "CCI-003669",
- "CCI-003670"
- ],
- "AC-4 (25)": [
- "CCI-003671",
- "CCI-003672"
- ],
- "AC-4 (26)": [
- "CCI-003673"
- ],
- "AC-4 (27)": [
- "CCI-003674"
- ],
- "AC-4 (28)": [
- "CCI-003675"
- ],
- "AC-4 (29) (a)": [
- "CCI-003676"
- ],
- "AC-4 (29) (b)": [
- "CCI-003677"
- ],
- "AC-4 (30)": [
- "CCI-003678"
- ],
- "AC-4 (31)": [
- "CCI-003679"
- ],
- "AC-4 (32) (a)": [
- "CCI-003680"
- ],
- "AC-4 (32) (b)": [
- "CCI-003681"
- ],
- "AC-4 (32) (c)": [
- "CCI-003682"
- ],
- "AC-4 (32) (d)": [
- "CCI-003683"
- ],
- "AC-7 (3)": [
- "CCI-003687",
- "CCI-003688"
- ],
- "AC-7 (4) (a)": [
- "CCI-003689",
- "CCI-003690"
- ],
- "AC-7 (4) (b)": [
- "CCI-003691",
- "CCI-003692"
- ],
- "AC-12 (3)": [
- "CCI-003693",
- "CCI-003694"
- ],
- "AC-16 e": [
- "CCI-003707"
- ],
- "AC-16 f": [
- "CCI-003708",
- "CCI-003709",
- "CCI-003710",
- "CCI-003711"
- ],
- "AC-17 (10)": [
- "CCI-003747",
- "CCI-003748",
- "CCI-003749"
- ],
- "AC-20 (5)": [
- "CCI-003759"
- ],
- "AT-1 a 1 (b)": [
- "CCI-003761"
- ],
- "AT-1 b": [
- "CCI-003762",
- "CCI-003763",
- "CCI-003764",
- "CCI-003765"
- ],
- "AT-2 b": [
- "CCI-003767",
- "CCI-003768",
- "CCI-003769"
- ],
- "AT-2 d": [
- "CCI-003774"
- ],
- "AT-2 (3)": [
- "CCI-003775",
- "CCI-003776"
- ],
- "AT-2 (4)": [
- "CCI-003777",
- "CCI-003778"
- ],
- "AT-2 (5)": [
- "CCI-003779"
- ],
- "AT-2 (6) (a)": [
- "CCI-003780"
- ],
- "AT-2 (6) (b)": [
- "CCI-003781"
- ],
- "AT-3 a": [
- "CCI-003782"
- ],
- "AT-3 b": [
- "CCI-003785",
- "CCI-003786",
- "CCI-003787",
- "CCI-003788"
- ],
- "AT-3 (5)": [
- "CCI-003791",
- "CCI-003792",
- "CCI-003793"
- ],
- "AT-6": [
- "CCI-003796",
- "CCI-003797",
- "CCI-003798"
- ],
- "AU-1 a 1 (b)": [
- "CCI-003799"
- ],
- "AU-2 e": [
- "CCI-003810",
- "CCI-003811"
- ],
- "AU-3 (3)": [
- "CCI-003812",
- "CCI-003813"
- ],
- "AU-5 (5)": [
- "CCI-003815",
- "CCI-003816"
- ],
- "AU-6 c": [
- "CCI-003818",
- "CCI-003819"
- ],
- "AU-9 b": [
- "CCI-003831",
- "CCI-003832"
- ],
- "AU-9 (7)": [
- "CCI-003833"
- ],
- "AU-12 (4)": [
- "CCI-003835",
- "CCI-003836"
- ],
- "AU-13 b 1": [
- "CCI-003837",
- "CCI-003838"
- ],
- "AU-13 b 2": [
- "CCI-003839",
- "CCI-003840"
- ],
- "AU-13 (3)": [
- "CCI-003843"
- ],
- "CA-1 a 1 (b)": [
- "CCI-003849"
- ],
- "CA-1 b": [
- "CCI-003851",
- "CCI-003852",
- "CCI-003853",
- "CCI-003854"
- ],
- "CA-2 c": [
- "CCI-003860"
- ],
- "CA-3 (6)": [
- "CCI-003864"
- ],
- "CA-3 (7) (a)": [
- "CCI-003865"
- ],
- "CA-3 (7) (b)": [
- "CCI-003866"
- ],
- "CA-6 b": [
- "CCI-003868"
- ],
- "CA-6 c 1": [
- "CCI-003869"
- ],
- "CA-6 d": [
- "CCI-003870"
- ],
- "CA-6 (1)": [
- "CCI-003871"
- ],
- "CA-6 (2)": [
- "CCI-003872"
- ],
- "CA-7 (4) (a)": [
- "CCI-003881"
- ],
- "CA-7 (4) (b)": [
- "CCI-003882"
- ],
- "CA-7 (4) (c)": [
- "CCI-003883"
- ],
- "CA-7 (5)": [
- "CCI-003884",
- "CCI-003885",
- "CCI-003886"
- ],
- "CA-7 (6)": [
- "CCI-003887",
- "CCI-003888"
- ],
- "CA-8 (3)": [
- "CCI-003889",
- "CCI-003890"
- ],
- "CA-9 (c)": [
- "CCI-003892",
- "CCI-003893"
- ],
- "CA-9 (d)": [
- "CCI-003894",
- "CCI-003895"
- ],
- "CM-1 a 1 (b)": [
- "CCI-003897"
- ],
- "CM-2 b 3": [
- "CCI-003910"
- ],
- "CM-3 (7)": [
- "CCI-003925",
- "CCI-003926",
- "CCI-003927"
- ],
- "CM-3 (8)": [
- "CCI-003928",
- "CCI-003929"
- ],
- "CM-5 (1) (b)": [
- "CCI-003938"
- ],
- "CM-7 (6)": [
- "CCI-003949",
- "CCI-003950"
- ],
- "CM-7 (7) (a)": [
- "CCI-003951",
- "CCI-003952"
- ],
- "CM-7 (7) (b)": [
- "CCI-003953",
- "CCI-003954"
- ],
- "CM-7 (8) (a)": [
- "CCI-003955"
- ],
- "CM-7 (8) (b)": [
- "CCI-003956"
- ],
- "CM-7 (9) (a)": [
- "CCI-003957",
- "CCI-003958"
- ],
- "CM-7 (9) (b)": [
- "CCI-003959"
- ],
- "CM-7 (9) (c)": [
- "CCI-003960",
- "CCI-003961"
- ],
- "CM-11 (3)": [
- "CCI-003981"
- ],
- "CM-12 a": [
- "CCI-003982",
- "CCI-003983",
- "CCI-003984"
- ],
- "CM-12 b": [
- "CCI-003985",
- "CCI-003986"
- ],
- "CM-12 c": [
- "CCI-003987"
- ],
- "CM-12 (1)": [
- "CCI-003988",
- "CCI-003989",
- "CCI-003990"
- ],
- "CM-13": [
- "CCI-003991"
- ],
- "CM-14": [
- "CCI-003992",
- "CCI-003993"
- ],
- "CP-1 a 1 (b)": [
- "CCI-003994",
- "CCI-003995"
- ],
- "CP-1 b": [
- "CCI-003996",
- "CCI-003997",
- "CCI-003998",
- "CCI-003999",
- "CCI-004000",
- "CCI-004001"
- ],
- "CP-2 a 6": [
- "CCI-004008"
- ],
- "CP-2 g": [
- "CCI-004009"
- ],
- "CP-3 b": [
- "CCI-004010",
- "CCI-004011",
- "CCI-004012",
- "CCI-004013"
- ],
- "CP-4 (5)": [
- "CCI-004015",
- "CCI-004016",
- "CCI-004017"
- ],
- "CP-9 (8)": [
- "CCI-004025",
- "CCI-004026",
- "CCI-004027"
- ],
- "IA-1 a 1 (b)": [
- "CCI-004033"
- ],
- "IA-1 b": [
- "CCI-004035",
- "CCI-004036",
- "CCI-004037",
- "CCI-004038",
- "CCI-004039",
- "CCI-004040"
- ],
- "IA-2 (6) (a)": [
- "CCI-004046"
- ],
- "IA-2 (6) (b)": [
- "CCI-004047",
- "CCI-004048"
- ],
- "IA-4 (8)": [
- "CCI-004050"
- ],
- "IA-4 (9)": [
- "CCI-004051",
- "CCI-004052"
- ],
- "IA-5 (1) (g)": [
- "CCI-004065"
- ],
- "IA-5 (1) (h)": [
- "CCI-004066",
- "CCI-004067"
- ],
- "IA-5 (2) (b) (2)": [
- "CCI-004068"
- ],
- "IA-5 (16)": [
- "CCI-004074",
- "CCI-004075",
- "CCI-004076",
- "CCI-004077"
- ],
- "IA-5 (17)": [
- "CCI-004078"
- ],
- "IA-5 (18) (a)": [
- "CCI-004079",
- "CCI-004080"
- ],
- "IA-5 (18) (b)": [
- "CCI-004081",
- "CCI-004082"
- ],
- "IA-8 (2) (a)": [
- "CCI-004083"
- ],
- "IA-8 (2) (b)": [
- "CCI-004084"
- ],
- "IA-8 (6)": [
- "CCI-004088",
- "CCI-004089",
- "CCI-004090",
- "CCI-004091"
- ],
- "IA-12 a": [
- "CCI-004092",
- "CCI-004093"
- ],
- "IA-12 b": [
- "CCI-004094"
- ],
- "IA-12 c": [
- "CCI-004095",
- "CCI-004096",
- "CCI-004097"
- ],
- "IA-12 (1)": [
- "CCI-004098"
- ],
- "IA-12 (2)": [
- "CCI-004099"
- ],
- "IA-12 (3)": [
- "CCI-004100",
- "CCI-004101",
- "CCI-004102",
- "CCI-004103"
- ],
- "IA-12 (4)": [
- "CCI-004104",
- "CCI-004105"
- ],
- "IA-12 (5)": [
- "CCI-004106"
- ],
- "IA-12 (6)": [
- "CCI-004107",
- "CCI-004108"
- ],
- "IR-1 a 1 (b)": [
- "CCI-004109"
- ],
- "IR-1 b": [
- "CCI-004110",
- "CCI-004111",
- "CCI-004112"
- ],
- "IR-2 (3)": [
- "CCI-004118"
- ],
- "IR-3 (3) (a)": [
- "CCI-004120",
- "CCI-004121"
- ],
- "IR-3 (3) (b)": [
- "CCI-004122",
- "CCI-004123"
- ],
- "IR-3 (3) (c)": [
- "CCI-004124",
- "CCI-004125",
- "CCI-004126",
- "CCI-004127",
- "CCI-004128",
- "CCI-004129"
- ],
- "IR-4 d": [
- "CCI-004133",
- "CCI-004134",
- "CCI-004135",
- "CCI-004136"
- ],
- "IR-4 (11)": [
- "CCI-004143",
- "CCI-004144"
- ],
- "IR-4 (12)": [
- "CCI-004145"
- ],
- "IR-4 (13)": [
- "CCI-004146",
- "CCI-004147"
- ],
- "IR-4 (14)": [
- "CCI-004148"
- ],
- "IR-4 (15) (a)": [
- "CCI-004149"
- ],
- "IR-4 (15) (b)": [
- "CCI-004150"
- ],
- "IR-8 a 8": [
- "CCI-004157"
- ],
- "IR-8 a 10": [
- "CCI-004159"
- ],
- "IR-8 (1) (a)": [
- "CCI-004160"
- ],
- "IR-8 (1) (b)": [
- "CCI-004161"
- ],
- "IR-8 (1) (c)": [
- "CCI-004162"
- ],
- "IR-9 a": [
- "CCI-004163",
- "CCI-004164"
- ],
- "MA-1 a 1 (b)": [
- "CCI-004165"
- ],
- "MA-1 b": [
- "CCI-004166",
- "CCI-004167",
- "CCI-004168",
- "CCI-004169"
- ],
- "MA-3 b": [
- "CCI-004186",
- "CCI-004187"
- ],
- "MA-3 (5)": [
- "CCI-004188"
- ],
- "MA-3 (6)": [
- "CCI-004189"
- ],
- "MA-4 (4) (b) (2)": [
- "CCI-004192"
- ],
- "MA-7": [
- "CCI-004198",
- "CCI-004199",
- "CCI-004200"
- ],
- "MP-1 a 1 (b)": [
- "CCI-004201"
- ],
- "MP-1 b": [
- "CCI-004202",
- "CCI-004203",
- "CCI-004204",
- "CCI-004205",
- "CCI-004206"
- ],
- "PE-1 a 1 (b)": [
- "CCI-004229"
- ],
- "PE-1 b": [
- "CCI-004230",
- "CCI-004231",
- "CCI-004232",
- "CCI-004233",
- "CCI-004234",
- "CCI-004235"
- ],
- "PE-3 (7)": [
- "CCI-004244"
- ],
- "PE-3 (8)": [
- "CCI-004245",
- "CCI-004246"
- ],
- "PE-5 (2)": [
- "CCI-004247"
- ],
- "PE-6 (3) (b)": [
- "CCI-004249",
- "CCI-004250"
- ],
- "PE-8 c": [
- "CCI-004251",
- "CCI-004252"
- ],
- "PE-8 (3)": [
- "CCI-004254",
- "CCI-004255"
- ],
- "PE-21": [
- "CCI-004266",
- "CCI-004267",
- "CCI-004268"
- ],
- "PE-22": [
- "CCI-004269",
- "CCI-004270"
- ],
- "PE-23 a": [
- "CCI-004271"
- ],
- "PE-23 b": [
- "CCI-004272"
- ],
- "PL-1 a 1 (b)": [
- "CCI-004273"
- ],
- "PL-1 b": [
- "CCI-004274",
- "CCI-004275"
- ],
- "PL-2 a 4": [
- "CCI-004278"
- ],
- "PL-2 a 5": [
- "CCI-004279"
- ],
- "PL-2 a 7": [
- "CCI-004280"
- ],
- "PL-2 a 8": [
- "CCI-004281"
- ],
- "PL-2 a 13": [
- "CCI-004282"
- ],
- "PL-2 a 14": [
- "CCI-004283"
- ],
- "PL-4 (1) (c)": [
- "CCI-004290"
- ],
- "PL-8 a 2": [
- "CCI-004294",
- "CCI-004295"
- ],
- "PL-10": [
- "CCI-004310"
- ],
- "PL-11": [
- "CCI-004311"
- ],
- "PM-5 (1)": [
- "CCI-004331",
- "CCI-004332",
- "CCI-004333",
- "CCI-004334"
- ],
- "PM-7 (1)": [
- "CCI-004341",
- "CCI-004342"
- ],
- "PM-9 a 2": [
- "CCI-004345"
- ],
- "PM-11 c": [
- "CCI-004350",
- "CCI-004351"
- ],
- "PM-16 (1)": [
- "CCI-004365"
- ],
- "PM-17 a": [
- "CCI-004366",
- "CCI-004367"
- ],
- "PM-17 b": [
- "CCI-004368",
- "CCI-004369",
- "CCI-004370",
- "CCI-004371"
- ],
- "PM-18 a": [
- "CCI-004372",
- "CCI-004373"
- ],
- "PM-18 a 1": [
- "CCI-004374",
- "CCI-004375"
- ],
- "PM-18 a 2": [
- "CCI-004376",
- "CCI-004377",
- "CCI-004378",
- "CCI-004379"
- ],
- "PM-18 a 3": [
- "CCI-004380",
- "CCI-004381"
- ],
- "PM-18 a 4": [
- "CCI-004382",
- "CCI-004383"
- ],
- "PM-18 a 5": [
- "CCI-004384",
- "CCI-004385"
- ],
- "PM-18 a 6": [
- "CCI-004386",
- "CCI-004387",
- "CCI-004388"
- ],
- "PM-18 b": [
- "CCI-004389"
- ],
- "PM-19": [
- "CCI-004390",
- "CCI-004391",
- "CCI-004392",
- "CCI-004393"
- ],
- "PM-20": [
- "CCI-004394"
- ],
- "PM-20 a": [
- "CCI-004395",
- "CCI-004396"
- ],
- "PM-20 b": [
- "CCI-004397"
- ],
- "PM-20 c": [
- "CCI-004398"
- ],
- "PM-20 (1) (a)": [
- "CCI-004399",
- "CCI-004400"
- ],
- "PM-20 (1) (b)": [
- "CCI-004401"
- ],
- "PM-20 (1) (c)": [
- "CCI-004402",
- "CCI-004403"
- ],
- "PM-21 a": [
- "CCI-004404",
- "CCI-004405"
- ],
- "PM-21 a 1": [
- "CCI-004406",
- "CCI-004407"
- ],
- "PM-21 a 2": [
- "CCI-004408",
- "CCI-004409"
- ],
- "PM-21 b": [
- "CCI-004410"
- ],
- "PM-21 c": [
- "CCI-004411"
- ],
- "PM-22 a": [
- "CCI-004412",
- "CCI-004413"
- ],
- "PM-22 b": [
- "CCI-004414",
- "CCI-004415"
- ],
- "PM-22 c": [
- "CCI-004416",
- "CCI-004417"
- ],
- "PM-22 d": [
- "CCI-004418",
- "CCI-004419"
- ],
- "PM-23": [
- "CCI-004420",
- "CCI-004421",
- "CCI-004422"
- ],
- "PM-24 a": [
- "CCI-004423"
- ],
- "PM-24 b": [
- "CCI-004424"
- ],
- "PM-25 a": [
- "CCI-004425",
- "CCI-004426",
- "CCI-004427",
- "CCI-004428"
- ],
- "PM-25 b": [
- "CCI-004429"
- ],
- "PM-25 c": [
- "CCI-004430"
- ],
- "PM-25 d": [
- "CCI-004431",
- "CCI-004432",
- "CCI-004433",
- "CCI-004434"
- ],
- "PM-26": [
- "CCI-004435",
- "CCI-004436"
- ],
- "PM-26 a": [
- "CCI-004437",
- "CCI-004438"
- ],
- "PM-26 b": [
- "CCI-004439"
- ],
- "PM-26 c": [
- "CCI-004440",
- "CCI-004441"
- ],
- "PM-26 d": [
- "CCI-004442",
- "CCI-004443"
- ],
- "PM-26 e": [
- "CCI-004444",
- "CCI-004445"
- ],
- "PM-27": [
- "CCI-004446",
- "CCI-004447"
- ],
- "PM-27 a 1": [
- "CCI-004448"
- ],
- "PM-27 a 2": [
- "CCI-004449",
- "CCI-004450",
- "CCI-004451"
- ],
- "PM-27 b": [
- "CCI-004452",
- "CCI-004453"
- ],
- "PM-28 a 1": [
- "CCI-004454"
- ],
- "PM-28 a 2": [
- "CCI-004455"
- ],
- "PM-28 a 3": [
- "CCI-004456"
- ],
- "PM-28 a 4": [
- "CCI-004457"
- ],
- "PM-28 b": [
- "CCI-004458",
- "CCI-004459"
- ],
- "PM-28 c": [
- "CCI-004460",
- "CCI-004461"
- ],
- "PM-29 a": [
- "CCI-004462",
- "CCI-004463"
- ],
- "PM-29 b": [
- "CCI-004464",
- "CCI-004465"
- ],
- "PM-30 a": [
- "CCI-004466",
- "CCI-004467",
- "CCI-004468",
- "CCI-004469"
- ],
- "PM-30 b": [
- "CCI-004470"
- ],
- "PM-30 c": [
- "CCI-004471",
- "CCI-004472"
- ],
- "PM-31 a": [
- "CCI-004473",
- "CCI-004474",
- "CCI-004475"
- ],
- "PM-31 b": [
- "CCI-004476",
- "CCI-004477",
- "CCI-004478",
- "CCI-004479",
- "CCI-004480",
- "CCI-004481"
- ],
- "PM-31 c": [
- "CCI-004482",
- "CCI-004483"
- ],
- "PM-31 d": [
- "CCI-004484",
- "CCI-004485"
- ],
- "PM-31 e": [
- "CCI-004486",
- "CCI-004487"
- ],
- "PM-31 f": [
- "CCI-004488",
- "CCI-004489",
- "CCI-004490",
- "CCI-004491",
- "CCI-004492",
- "CCI-004493",
- "CCI-004494",
- "CCI-004495"
- ],
- "PM-32": [
- "CCI-004496",
- "CCI-004497"
- ],
- "PS-1 a 1 (b)": [
- "CCI-004498"
- ],
- "PS-1 b": [
- "CCI-004499",
- "CCI-004500",
- "CCI-004501",
- "CCI-004502",
- "CCI-004503",
- "CCI-004504"
- ],
- "PS-3 (4)": [
- "CCI-004509",
- "CCI-004510",
- "CCI-004511"
- ],
- "PS-9": [
- "CCI-004523",
- "CCI-004524"
- ],
- "PT-1 a 1 (a)": [
- "CCI-004525"
- ],
- "PT-1 a": [
- "CCI-004526",
- "CCI-004527"
- ],
- "PT-1 a 1 (b)": [
- "CCI-004528"
- ],
- "PT-1 a 2": [
- "CCI-004529"
- ],
- "PT-1 b": [
- "CCI-004530",
- "CCI-004531",
- "CCI-004532"
- ],
- "PT-1 c 1": [
- "CCI-004533",
- "CCI-004534",
- "CCI-004535"
- ],
- "PT-1 c 2": [
- "CCI-004536",
- "CCI-004537",
- "CCI-004538"
- ],
- "PT-2 a": [
- "CCI-004539",
- "CCI-004540",
- "CCI-004541"
- ],
- "PT-2 b": [
- "CCI-004542",
- "CCI-004543"
- ],
- "PT-2 (1)": [
- "CCI-004544",
- "CCI-004545",
- "CCI-004546"
- ],
- "PT-2 (2)": [
- "CCI-004547",
- "CCI-004548"
- ],
- "PT-3 a": [
- "CCI-004549",
- "CCI-004550"
- ],
- "PT-3 b": [
- "CCI-004551"
- ],
- "PT-3 c": [
- "CCI-004552",
- "CCI-004553"
- ],
- "PT-3 d": [
- "CCI-004554",
- "CCI-004555",
- "CCI-004556",
- "CCI-004557"
- ],
- "PT-3 (1)": [
- "CCI-004558",
- "CCI-004559"
- ],
- "PT-3 (2)": [
- "CCI-004560"
- ],
- "PT-4": [
- "CCI-004561",
- "CCI-004562"
- ],
- "PT-4 (1)": [
- "CCI-004563",
- "CCI-004564"
- ],
- "PT-4 (2)": [
- "CCI-004565",
- "CCI-004566",
- "CCI-004567",
- "CCI-004568"
- ],
- "PT-4 (3)": [
- "CCI-004569",
- "CCI-004570"
- ],
- "PT-5 a": [
- "CCI-004571",
- "CCI-004572"
- ],
- "PT-5 b": [
- "CCI-004573"
- ],
- "PT-5 c": [
- "CCI-004574"
- ],
- "PT-5 d": [
- "CCI-004575"
- ],
- "PT-5 e": [
- "CCI-004576",
- "CCI-004577"
- ],
- "PT-5 (1)": [
- "CCI-004578",
- "CCI-004579"
- ],
- "PT-5 (2)": [
- "CCI-004580"
- ],
- "PT-6 a": [
- "CCI-004581",
- "CCI-004582"
- ],
- "PT-6 b": [
- "CCI-004583"
- ],
- "PT-6 c": [
- "CCI-004584"
- ],
- "PT-6 (1)": [
- "CCI-004585",
- "CCI-004586",
- "CCI-004587"
- ],
- "PT-6 (2)": [
- "CCI-004588",
- "CCI-004589",
- "CCI-004590",
- "CCI-004591"
- ],
- "PT-7": [
- "CCI-004592",
- "CCI-004593"
- ],
- "PT-7 (1) (a)": [
- "CCI-004594"
- ],
- "PT-7 (1) (b)": [
- "CCI-004595"
- ],
- "PT-7 (1) (c)": [
- "CCI-004596"
- ],
- "PT-7 (2)": [
- "CCI-004597"
- ],
- "PT-8 a": [
- "CCI-004598"
- ],
- "PT-8 b": [
- "CCI-004599"
- ],
- "PT-8 c": [
- "CCI-004600"
- ],
- "PT-8 d": [
- "CCI-004601"
- ],
- "PT-8 e": [
- "CCI-004602"
- ],
- "RA-1 a 1 (b)": [
- "CCI-004603",
- "CCI-004604"
- ],
- "RA-1 b": [
- "CCI-004605",
- "CCI-004606",
- "CCI-004607",
- "CCI-004608",
- "CCI-004609"
- ],
- "RA-2 (1)": [
- "CCI-004617"
- ],
- "RA-3 a 1": [
- "CCI-004618",
- "CCI-004619"
- ],
- "RA-3 a 3": [
- "CCI-004620"
- ],
- "RA-3 b": [
- "CCI-004621",
- "CCI-004622",
- "CCI-004623"
- ],
- "RA-3 (1) (a)": [
- "CCI-004624",
- "CCI-004625"
- ],
- "RA-3 (1) (b)": [
- "CCI-004626",
- "CCI-004627"
- ],
- "RA-3 (2)": [
- "CCI-004628"
- ],
- "RA-3 (3)": [
- "CCI-004629",
- "CCI-004630"
- ],
- "RA-3 (4)": [
- "CCI-004631",
- "CCI-004632",
- "CCI-004633"
- ],
- "RA-5 b 2": [
- "CCI-004634"
- ],
- "RA-5 b 3": [
- "CCI-004635"
- ],
- "RA-5 f": [
- "CCI-004636"
- ],
- "RA-5 (11)": [
- "CCI-004640"
- ],
- "RA-7": [
- "CCI-004641",
- "CCI-004642",
- "CCI-004643",
- "CCI-004644"
- ],
- "RA-8 a": [
- "CCI-004645"
- ],
- "RA-8 b 1": [
- "CCI-004646"
- ],
- "RA-8 b 2": [
- "CCI-004647"
- ],
- "RA-9": [
- "CCI-004648",
- "CCI-004649",
- "CCI-004650"
- ],
- "RA-10 a 1": [
- "CCI-004651"
- ],
- "RA-10 a 2": [
- "CCI-004652"
- ],
- "RA-10 b": [
- "CCI-004653",
- "CCI-004654"
- ],
- "SA-1 a 1 (b)": [
- "CCI-004655"
- ],
- "SA-1 b": [
- "CCI-004656",
- "CCI-004657",
- "CCI-004658",
- "CCI-004659",
- "CCI-004660",
- "CCI-004661"
- ],
- "SA-3 (1)": [
- "CCI-004679"
- ],
- "SA-3 (2) (a)": [
- "CCI-004680",
- "CCI-004681",
- "CCI-004682"
- ],
- "SA-3 (2) (b)": [
- "CCI-004683"
- ],
- "SA-3 (3)": [
- "CCI-004684",
- "CCI-004685"
- ],
- "SA-4": [
- "CCI-004686"
- ],
- "SA-4 d": [
- "CCI-004689",
- "CCI-004690"
- ],
- "SA-4 h": [
- "CCI-004694",
- "CCI-004695",
- "CCI-004696"
- ],
- "SA-4 (3) (a)": [
- "CCI-004697",
- "CCI-004698"
- ],
- "SA-4 (3) (b)": [
- "CCI-004699",
- "CCI-004700"
- ],
- "SA-4 (3) (c)": [
- "CCI-004701",
- "CCI-004702"
- ],
- "SA-4 (11)": [
- "CCI-004703",
- "CCI-004704"
- ],
- "SA-4 (12) (a)": [
- "CCI-004705"
- ],
- "SA-4 (12) (b)": [
- "CCI-004706",
- "CCI-004707"
- ],
- "SA-8 (1)": [
- "CCI-004717"
- ],
- "SA-8 (2)": [
- "CCI-004718",
- "CCI-004719"
- ],
- "SA-8 (3)": [
- "CCI-004720",
- "CCI-004721"
- ],
- "SA-8 (4)": [
- "CCI-004722",
- "CCI-004723"
- ],
- "SA-8 (5)": [
- "CCI-004724",
- "CCI-004725"
- ],
- "SA-8 (6)": [
- "CCI-004726",
- "CCI-004727"
- ],
- "SA-8 (7)": [
- "CCI-004728",
- "CCI-004729"
- ],
- "SA-8 (8)": [
- "CCI-004730",
- "CCI-004731"
- ],
- "SA-8 (9)": [
- "CCI-004732",
- "CCI-004733"
- ],
- "SA-8 (10)": [
- "CCI-004734",
- "CCI-004735"
- ],
- "SA-8 (11)": [
- "CCI-004736",
- "CCI-004737"
- ],
- "SA-8 (12)": [
- "CCI-004738",
- "CCI-004739"
- ],
- "SA-8 (13)": [
- "CCI-004740",
- "CCI-004741"
- ],
- "SA-8 (14)": [
- "CCI-004742",
- "CCI-004743"
- ],
- "SA-8 (15)": [
- "CCI-004744",
- "CCI-004745"
- ],
- "SA-8 (16)": [
- "CCI-004746",
- "CCI-004747"
- ],
- "SA-8 (17)": [
- "CCI-004748",
- "CCI-004749"
- ],
- "SA-8 (18)": [
- "CCI-004750",
- "CCI-004751"
- ],
- "SA-8 (19)": [
- "CCI-004752",
- "CCI-004753"
- ],
- "SA-8 (20)": [
- "CCI-004754",
- "CCI-004755"
- ],
- "SA-8 (21)": [
- "CCI-004756",
- "CCI-004757"
- ],
- "SA-8 (22)": [
- "CCI-004758",
- "CCI-004759"
- ],
- "SA-8 (23)": [
- "CCI-004760",
- "CCI-004761"
- ],
- "SA-8 (24)": [
- "CCI-004762",
- "CCI-004763"
- ],
- "SA-8 (25)": [
- "CCI-004764",
- "CCI-004765"
- ],
- "SA-8 (26)": [
- "CCI-004766",
- "CCI-004767"
- ],
- "SA-8 (27)": [
- "CCI-004768",
- "CCI-004769"
- ],
- "SA-8 (28)": [
- "CCI-004770",
- "CCI-004771"
- ],
- "SA-8 (29)": [
- "CCI-004772",
- "CCI-004773"
- ],
- "SA-8 (30)": [
- "CCI-004774",
- "CCI-004775"
- ],
- "SA-8 (31)": [
- "CCI-004776",
- "CCI-004777"
- ],
- "SA-8 (32)": [
- "CCI-004778",
- "CCI-004779"
- ],
- "SA-8 (33)": [
- "CCI-004780",
- "CCI-004781"
- ],
- "SA-9 (6)": [
- "CCI-004791"
- ],
- "SA-9 (7)": [
- "CCI-004792"
- ],
- "SA-9 (8)": [
- "CCI-004793"
- ],
- "SA-10 (7)": [
- "CCI-004795",
- "CCI-004796",
- "CCI-004797"
- ],
- "SA-11 (2) (a)": [
- "CCI-004801",
- "CCI-004802"
- ],
- "SA-11 (2) (b)": [
- "CCI-004803",
- "CCI-004804"
- ],
- "SA-11 (2) (c)": [
- "CCI-004805",
- "CCI-004806"
- ],
- "SA-11 (2) (d)": [
- "CCI-004807",
- "CCI-004808"
- ],
- "SA-11 (9)": [
- "CCI-004814",
- "CCI-004815"
- ],
- "SA-15 (12)": [
- "CCI-004834"
- ],
- "SA-17 (8)": [
- "CCI-004845",
- "CCI-004846",
- "CCI-004847"
- ],
- "SA-17 (9)": [
- "CCI-004848",
- "CCI-004849"
- ],
- "SA-23": [
- "CCI-004850",
- "CCI-004851"
- ],
- "SC-1 a 1 (a)": [
- "CCI-004852"
- ],
- "SC-1 a 1 (b)": [
- "CCI-004853"
- ],
- "SC-1 b": [
- "CCI-004855",
- "CCI-004856",
- "CCI-004857",
- "CCI-004858",
- "CCI-004859",
- "CCI-004860"
- ],
- "SC-2 (2)": [
- "CCI-004865"
- ],
- "SC-5 b": [
- "CCI-004866",
- "CCI-004867"
- ],
- "SC-7 (4) (f)": [
- "CCI-004869"
- ],
- "SC-7 (4) (g)": [
- "CCI-004870"
- ],
- "SC-7 (4) (h)": [
- "CCI-004871"
- ],
- "SC-7 (10) (b)": [
- "CCI-004874",
- "CCI-004875"
- ],
- "SC-7 (24) (a)": [
- "CCI-004876",
- "CCI-004877"
- ],
- "SC-7 (24) (b)": [
- "CCI-004878"
- ],
- "SC-7 (24) (c)": [
- "CCI-004879"
- ],
- "SC-7 (24) (d)": [
- "CCI-004880"
- ],
- "SC-7 (25)": [
- "CCI-004881",
- "CCI-004882",
- "CCI-004883"
- ],
- "SC-7 (26)": [
- "CCI-004884",
- "CCI-004885"
- ],
- "SC-7 (27)": [
- "CCI-004886",
- "CCI-004887",
- "CCI-004888"
- ],
- "SC-7 (28)": [
- "CCI-004889",
- "CCI-004890"
- ],
- "SC-7 (29)": [
- "CCI-004891",
- "CCI-004892"
- ],
- "SC-8 (5)": [
- "CCI-004893",
- "CCI-004894"
- ],
- "SC-11 (1) (b)": [
- "CCI-004896",
- "CCI-004897"
- ],
- "SC-12 (6)": [
- "CCI-004899"
- ],
- "SC-13 a": [
- "CCI-004900"
- ],
- "SC-16 (2)": [
- "CCI-004905"
- ],
- "SC-16 (3)": [
- "CCI-004906",
- "CCI-004907",
- "CCI-004908"
- ],
- "SC-17 b": [
- "CCI-004909"
- ],
- "SC-28 (3)": [
- "CCI-004910",
- "CCI-004911"
- ],
- "SC-32 (1)": [
- "CCI-004912"
- ],
- "SC-36 (1) (b)": [
- "CCI-004913",
- "CCI-004914"
- ],
- "SC-36 (2)": [
- "CCI-004915",
- "CCI-004916"
- ],
- "SC-42 (4)": [
- "CCI-004917",
- "CCI-004918",
- "CCI-004919"
- ],
- "SC-42 (5)": [
- "CCI-004920",
- "CCI-004921"
- ],
- "SC-45": [
- "CCI-004922"
- ],
- "SC-45 (1) (a)": [
- "CCI-004923",
- "CCI-004924",
- "CCI-004925"
- ],
- "SC-45 (1) (b)": [
- "CCI-004926",
- "CCI-004927"
- ],
- "SC-45 (2) (a)": [
- "CCI-004928"
- ],
- "SC-45 (2) (b)": [
- "CCI-004929"
- ],
- "SC-46": [
- "CCI-004930"
- ],
- "SC-47": [
- "CCI-004931"
- ],
- "SC-48": [
- "CCI-004932",
- "CCI-004933",
- "CCI-004934",
- "CCI-004935"
- ],
- "SC-48 (1)": [
- "CCI-004936",
- "CCI-004937",
- "CCI-004938",
- "CCI-004939"
- ],
- "SC-49": [
- "CCI-004940",
- "CCI-004941"
- ],
- "SC-50": [
- "CCI-004942",
- "CCI-004943"
- ],
- "SI-1 a 1 (b)": [
- "CCI-004944"
- ],
- "SI-1 b": [
- "CCI-004945",
- "CCI-004946",
- "CCI-004947",
- "CCI-004948",
- "CCI-004949",
- "CCI-004950"
- ],
- "SI-4 (4) (a)": [
- "CCI-004971",
- "CCI-004972"
- ],
- "SI-4 (25)": [
- "CCI-004982"
- ],
- "SI-7 b": [
- "CCI-004996",
- "CCI-004997"
- ],
- "SI-7 (17)": [
- "CCI-004998",
- "CCI-004999"
- ],
- "SI-10 (6)": [
- "CCI-005003"
- ],
- "SI-12 (1)": [
- "CCI-005004",
- "CCI-005005"
- ],
- "SI-12 (2)": [
- "CCI-005006",
- "CCI-005007"
- ],
- "SI-12 (3)": [
- "CCI-005008"
- ],
- "SI-14 (2) (a)": [
- "CCI-005011",
- "CCI-005012",
- "CCI-005013",
- "CCI-005014"
- ],
- "SI-14 (2) (b)": [
- "CCI-005015"
- ],
- "SI-14 (3)": [
- "CCI-005016",
- "CCI-005017"
- ],
- "SI-18 a": [
- "CCI-005018",
- "CCI-005019"
- ],
- "SI-18 b 1": [
- "CCI-005020"
- ],
- "SI-18 (1)": [
- "CCI-005021",
- "CCI-005022"
- ],
- "SI-18 (2)": [
- "CCI-005023"
- ],
- "SI-18 (3)": [
- "CCI-005024"
- ],
- "SI-18 (4)": [
- "CCI-005025"
- ],
- "SI-18 (5)": [
- "CCI-005026",
- "CCI-005027",
- "CCI-005028"
- ],
- "SI-19 a": [
- "CCI-005029",
- "CCI-005030"
- ],
- "SI-19 b": [
- "CCI-005031",
- "CCI-005032"
- ],
- "SI-19 (1)": [
- "CCI-005033"
- ],
- "SI-19 (2)": [
- "CCI-005034"
- ],
- "SI-19 (3)": [
- "CCI-005035"
- ],
- "SI-19 (4)": [
- "CCI-005036"
- ],
- "SI-19 (5)": [
- "CCI-005037"
- ],
- "SI-19 (6)": [
- "CCI-005038"
- ],
- "SI-19 (7)": [
- "CCI-005039"
- ],
- "SI-19 (8)": [
- "CCI-005040"
- ],
- "SI-20": [
- "CCI-005041",
- "CCI-005042"
- ],
- "SI-21": [
- "CCI-005043",
- "CCI-005044",
- "CCI-005045"
- ],
- "SI-22 a": [
- "CCI-005046",
- "CCI-005047"
- ],
- "SI-22 b": [
- "CCI-005048",
- "CCI-005049"
- ],
- "SI-23 a": [
- "CCI-005050",
- "CCI-005051",
- "CCI-005052"
- ],
- "SI-23 b": [
- "CCI-005053",
- "CCI-005054",
- "CCI-005055"
- ],
- "SR-1 a 1": [
- "CCI-005056"
- ],
- "SR-1 a 1 (a)": [
- "CCI-005057"
- ],
- "SR-1 a 1 (b)": [
- "CCI-005058"
- ],
- "SR-1 a 2": [
- "CCI-005059"
- ],
- "SR-1 b": [
- "CCI-005060",
- "CCI-005061",
- "CCI-005062",
- "CCI-005063"
- ],
- "SR-1 c 1": [
- "CCI-005064",
- "CCI-005065",
- "CCI-005066",
- "CCI-005067"
- ],
- "SR-1 c 2": [
- "CCI-005068",
- "CCI-005069",
- "CCI-005070",
- "CCI-005071"
- ],
- "SR-2 a": [
- "CCI-005072",
- "CCI-005073"
- ],
- "SR-2 b": [
- "CCI-005074",
- "CCI-005075"
- ],
- "SR-2 c": [
- "CCI-005076"
- ],
- "SR-2 (1)": [
- "CCI-005077",
- "CCI-005078",
- "CCI-005079"
- ],
- "SR-3 a": [
- "CCI-005080",
- "CCI-005081",
- "CCI-005082",
- "CCI-005083",
- "CCI-005084",
- "CCI-005085"
- ],
- "SR-3 b": [
- "CCI-005086",
- "CCI-005087",
- "CCI-005088"
- ],
- "SR-3 c": [
- "CCI-005089",
- "CCI-005090"
- ],
- "SR-3 (1)": [
- "CCI-005091",
- "CCI-005092"
- ],
- "SR-3 (2)": [
- "CCI-005093",
- "CCI-005094"
- ],
- "SR-3 (3)": [
- "CCI-005095"
- ],
- "SR-4": [
- "CCI-005096",
- "CCI-005097",
- "CCI-005098",
- "CCI-005099"
- ],
- "SR-4 (1)": [
- "CCI-005100",
- "CCI-005101"
- ],
- "SR-4 (2)": [
- "CCI-005102",
- "CCI-005103"
- ],
- "SR-4 (3)": [
- "CCI-005104",
- "CCI-005105",
- "CCI-005106",
- "CCI-005107"
- ],
- "SR-4 (4)": [
- "CCI-005108",
- "CCI-005109",
- "CCI-005110",
- "CCI-005111"
- ],
- "SR-5": [
- "CCI-005112",
- "CCI-005113"
- ],
- "SR-5 (1)": [
- "CCI-005114",
- "CCI-005115",
- "CCI-005116"
- ],
- "SR-5 (2)": [
- "CCI-005117"
- ],
- "SR-6": [
- "CCI-005118",
- "CCI-005119"
- ],
- "SR-6 (1)": [
- "CCI-005120",
- "CCI-005121"
- ],
- "SR-7": [
- "CCI-005122",
- "CCI-005123"
- ],
- "SR-8": [
- "CCI-005124",
- "CCI-005125"
- ],
- "SR-9": [
- "CCI-005126"
- ],
- "SR-9 (1)": [
- "CCI-005127"
- ],
- "SR-10": [
- "CCI-005128",
- "CCI-005129",
- "CCI-005130",
- "CCI-005131"
- ],
- "SR-11 a": [
- "CCI-005132",
- "CCI-005133"
- ],
- "SR-11 b": [
- "CCI-005134",
- "CCI-005135",
- "CCI-005136"
- ],
- "SR-11 (1)": [
- "CCI-005137",
- "CCI-005138"
- ],
- "SR-11 (2)": [
- "CCI-005139",
- "CCI-005140",
- "CCI-005141"
- ],
- "SR-11 (3)": [
- "CCI-005142",
- "CCI-005143"
- ],
- "SR-12": [
- "CCI-005144",
- "CCI-005145",
- "CCI-005146"
- ],
- "AU-16 (3)": [
- "CCI-005149"
- ],
- "PM-30 (1)": [
- "CCI-005150"
- ]
+ "AC-1": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000001",
+ "CCI-002106"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-000002",
+ "CCI-002107",
+ "CCI-003602"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003601",
+ "CCI-003603"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000004",
+ "CCI-000005",
+ "CCI-002108",
+ "CCI-002109",
+ "CCI-003604"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000003",
+ "CCI-001545",
+ "CCI-003608",
+ "CCI-003609"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000006",
+ "CCI-001546",
+ "CCI-003610",
+ "CCI-003611"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-003605",
+ "CCI-003606",
+ "CCI-003607"
+ ]
+ }
+ },
+ "AC-2": {
+ "1": {
+ "ccis": [
+ "CCI-000015"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000016",
+ "CCI-001361",
+ "CCI-001365",
+ "CCI-001682"
+ ]
+ },
+ "3": {
+ "d": {
+ "ccis": [
+ "CCI-000017"
+ ]
+ },
+ "ccis": [
+ "CCI-000217"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-003627"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003628"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003629"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-000018",
+ "CCI-001403",
+ "CCI-001404",
+ "CCI-001405",
+ "CCI-001683",
+ "CCI-001684",
+ "CCI-001685",
+ "CCI-001686",
+ "CCI-002130",
+ "CCI-002131",
+ "CCI-002132"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000019",
+ "CCI-001406",
+ "CCI-002133"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-000208"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001356"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001357"
+ ]
+ }
+ },
+ "6": {
+ "ccis": [
+ "CCI-000020",
+ "CCI-002134",
+ "CCI-002135"
+ ]
+ },
+ "7": {
+ "a": {
+ "ccis": [
+ "CCI-001358",
+ "CCI-001407"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001359",
+ "CCI-001360"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002136",
+ "CCI-003630"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-002137"
+ ]
+ }
+ },
+ "8": {
+ "ccis": [
+ "CCI-002138",
+ "CCI-002139",
+ "CCI-003631",
+ "CCI-003632",
+ "CCI-003633",
+ "CCI-003634",
+ "CCI-003635",
+ "CCI-003636"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-002140",
+ "CCI-002141"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-002142"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-002143",
+ "CCI-002144",
+ "CCI-002145"
+ ]
+ },
+ "12": {
+ "a": {
+ "ccis": [
+ "CCI-002146",
+ "CCI-002147"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002148",
+ "CCI-002149"
+ ]
+ }
+ },
+ "13": {
+ "ccis": [
+ "CCI-002150",
+ "CCI-002151",
+ "CCI-003637"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000007",
+ "CCI-002110",
+ "CCI-002111",
+ "CCI-003612"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000008",
+ "CCI-000009",
+ "CCI-002113",
+ "CCI-003613",
+ "CCI-003614",
+ "CCI-003615"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000010",
+ "CCI-002120"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-000011",
+ "CCI-000237",
+ "CCI-002121",
+ "CCI-003617",
+ "CCI-003618",
+ "CCI-003619",
+ "CCI-003620",
+ "CCI-003621",
+ "CCI-003622"
+ ]
+ },
+ "j": {
+ "ccis": [
+ "CCI-000012",
+ "CCI-001547"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-000013",
+ "CCI-002122"
+ ]
+ },
+ "i": {
+ "1": {
+ "ccis": [
+ "CCI-002126"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002127"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002128",
+ "CCI-003625"
+ ]
+ },
+ "ccis": [
+ "CCI-000014"
+ ]
+ },
+ "h": {
+ "1": {
+ "ccis": [
+ "CCI-002123"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002124"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002125"
+ ]
+ },
+ "ccis": [
+ "CCI-001354",
+ "CCI-001355",
+ "CCI-003623",
+ "CCI-003624"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002112"
+ ]
+ },
+ "d": {
+ "1": {
+ "ccis": [
+ "CCI-002115"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002116",
+ "CCI-002117"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002118",
+ "CCI-002119",
+ "CCI-003616"
+ ]
+ },
+ "ccis": [
+ "CCI-002114"
+ ]
+ },
+ "k": {
+ "ccis": [
+ "CCI-002129"
+ ]
+ },
+ "l": {
+ "ccis": [
+ "CCI-003626"
+ ]
+ }
+ },
+ "AC-3": {
+ "2": {
+ "ccis": [
+ "CCI-000021",
+ "CCI-001408",
+ "CCI-002152"
+ ]
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-000022",
+ "CCI-002154"
+ ]
+ },
+ "ccis": [
+ "CCI-001409",
+ "CCI-001410",
+ "CCI-002153",
+ "CCI-003014"
+ ],
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-002155"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002156"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002157"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002158",
+ "CCI-002159"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002160"
+ ]
+ }
+ },
+ "c": {
+ "ccis": [
+ "CCI-002161",
+ "CCI-002162",
+ "CCI-003015"
+ ]
+ }
+ },
+ "4": {
+ "b": {
+ "ccis": [
+ "CCI-000214",
+ "CCI-003639"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000215",
+ "CCI-003640"
+ ]
+ },
+ "ccis": [
+ "CCI-001362",
+ "CCI-001693",
+ "CCI-001694",
+ "CCI-002163",
+ "CCI-002164",
+ "CCI-002165"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-001363",
+ "CCI-003638"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003641"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003642"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-000024",
+ "CCI-001411"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001366",
+ "CCI-001367",
+ "CCI-001412",
+ "CCI-001413"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-002166",
+ "CCI-002167",
+ "CCI-002168",
+ "CCI-002169",
+ "CCI-002170",
+ "CCI-002171",
+ "CCI-002172",
+ "CCI-002173",
+ "CCI-002174",
+ "CCI-002175",
+ "CCI-002176"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-002177",
+ "CCI-002178",
+ "CCI-002179"
+ ]
+ },
+ "9": {
+ "a": {
+ "ccis": [
+ "CCI-002180",
+ "CCI-002181",
+ "CCI-002182"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002183",
+ "CCI-002184"
+ ]
+ }
+ },
+ "10": {
+ "ccis": [
+ "CCI-002185",
+ "CCI-002186",
+ "CCI-003643"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-003644",
+ "CCI-003645"
+ ]
+ },
+ "12": {
+ "a": {
+ "ccis": [
+ "CCI-003646",
+ "CCI-003647"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003648"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003649"
+ ]
+ }
+ },
+ "13": {
+ "ccis": [
+ "CCI-003650",
+ "CCI-003651",
+ "CCI-003652",
+ "CCI-003653"
+ ]
+ },
+ "14": {
+ "ccis": [
+ "CCI-003654",
+ "CCI-003655",
+ "CCI-003656"
+ ]
+ },
+ "15": {
+ "a": {
+ "ccis": [
+ "CCI-003657",
+ "CCI-003658"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003659",
+ "CCI-003660"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-000213"
+ ]
+ },
+ "PM-1": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000073",
+ "CCI-002985"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001680",
+ "CCI-002986"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002984",
+ "CCI-002987"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000074",
+ "CCI-002988"
+ ]
+ },
+ "ccis": [
+ "CCI-000023",
+ "CCI-001543"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000075",
+ "CCI-000076",
+ "CCI-004312",
+ "CCI-004313"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000077",
+ "CCI-002989",
+ "CCI-002990"
+ ]
+ }
+ },
+ "AC-4": {
+ "1": {
+ "ccis": [
+ "CCI-000025",
+ "CCI-002187",
+ "CCI-002188",
+ "CCI-002189",
+ "CCI-002190",
+ "CCI-003661"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000026",
+ "CCI-002191"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000027",
+ "CCI-001552",
+ "CCI-002192"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000028",
+ "CCI-002193",
+ "CCI-003662"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000029",
+ "CCI-001415"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000030",
+ "CCI-002194"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-000031",
+ "CCI-001416"
+ ]
+ },
+ "8": {
+ "a": {
+ "ccis": [
+ "CCI-000032",
+ "CCI-001417",
+ "CCI-002195",
+ "CCI-003663"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003664",
+ "CCI-003665"
+ ]
+ }
+ },
+ "9": {
+ "ccis": [
+ "CCI-000033",
+ "CCI-001418",
+ "CCI-002196",
+ "CCI-002197",
+ "CCI-002198"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-000034",
+ "CCI-001553",
+ "CCI-002199"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-000035",
+ "CCI-001554"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-000218",
+ "CCI-002200",
+ "CCI-002201"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-000219",
+ "CCI-002202"
+ ]
+ },
+ "14": {
+ "ccis": [
+ "CCI-001371",
+ "CCI-001372"
+ ]
+ },
+ "15": {
+ "ccis": [
+ "CCI-001373",
+ "CCI-001374",
+ "CCI-002203",
+ "CCI-002204"
+ ]
+ },
+ "16": {
+ "ccis": [
+ "CCI-000221"
+ ]
+ },
+ "17": {
+ "b": {
+ "ccis": [
+ "CCI-000223"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001557"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001376",
+ "CCI-001377",
+ "CCI-001555",
+ "CCI-001556"
+ ]
+ },
+ "ccis": [
+ "CCI-002205",
+ "CCI-002206",
+ "CCI-002207",
+ "CCI-002208"
+ ]
+ },
+ "18": {
+ "ccis": [
+ "CCI-002209",
+ "CCI-002210"
+ ]
+ },
+ "19": {
+ "ccis": [
+ "CCI-002211",
+ "CCI-003666"
+ ]
+ },
+ "20": {
+ "ccis": [
+ "CCI-002212",
+ "CCI-002213",
+ "CCI-002214"
+ ]
+ },
+ "21": {
+ "ccis": [
+ "CCI-002215",
+ "CCI-002216",
+ "CCI-002217"
+ ]
+ },
+ "22": {
+ "ccis": [
+ "CCI-002218"
+ ]
+ },
+ "23": {
+ "ccis": [
+ "CCI-003667",
+ "CCI-003668"
+ ]
+ },
+ "24": {
+ "ccis": [
+ "CCI-003669",
+ "CCI-003670"
+ ]
+ },
+ "25": {
+ "ccis": [
+ "CCI-003671",
+ "CCI-003672"
+ ]
+ },
+ "26": {
+ "ccis": [
+ "CCI-003673"
+ ]
+ },
+ "27": {
+ "ccis": [
+ "CCI-003674"
+ ]
+ },
+ "28": {
+ "ccis": [
+ "CCI-003675"
+ ]
+ },
+ "29": {
+ "a": {
+ "ccis": [
+ "CCI-003676"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003677"
+ ]
+ }
+ },
+ "30": {
+ "ccis": [
+ "CCI-003678"
+ ]
+ },
+ "31": {
+ "ccis": [
+ "CCI-003679"
+ ]
+ },
+ "32": {
+ "a": {
+ "ccis": [
+ "CCI-003680"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003681"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003682"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003683"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-001368",
+ "CCI-001414",
+ "CCI-001548",
+ "CCI-001549",
+ "CCI-001550",
+ "CCI-001551"
+ ]
+ },
+ "AC-5": {
+ "a": {
+ "ccis": [
+ "CCI-000036",
+ "CCI-002219",
+ "CCI-003684"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000037"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001380",
+ "CCI-002220"
+ ]
+ }
+ },
+ "AC-6": {
+ "1": {
+ "ccis": [
+ "CCI-000038"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-001558",
+ "CCI-002222",
+ "CCI-003685"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002221",
+ "CCI-002223",
+ "CCI-003686"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000039",
+ "CCI-000040",
+ "CCI-001419"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000041",
+ "CCI-000042",
+ "CCI-001420",
+ "CCI-002224"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000226",
+ "CCI-002225"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001421",
+ "CCI-002226",
+ "CCI-002227"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001422"
+ ]
+ },
+ "7": {
+ "a": {
+ "ccis": [
+ "CCI-002228",
+ "CCI-002229",
+ "CCI-002230"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002231"
+ ]
+ }
+ },
+ "8": {
+ "ccis": [
+ "CCI-002232",
+ "CCI-002233"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-002234"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-002235"
+ ]
+ },
+ "ccis": [
+ "CCI-000225"
+ ]
+ },
+ "AC-7": {
+ "2": {
+ "ccis": [
+ "CCI-001382",
+ "CCI-001383",
+ "CCI-002239",
+ "CCI-002240",
+ "CCI-002241",
+ "CCI-002242"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003687",
+ "CCI-003688"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-003689",
+ "CCI-003690"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003691",
+ "CCI-003692"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-000043",
+ "CCI-000044",
+ "CCI-001423",
+ "CCI-001452"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000045",
+ "CCI-000046",
+ "CCI-000047",
+ "CCI-002236",
+ "CCI-002237",
+ "CCI-002238"
+ ]
+ }
+ },
+ "AC-8": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-002243"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002244"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002245"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002246"
+ ]
+ },
+ "ccis": [
+ "CCI-000048",
+ "CCI-000049",
+ "CCI-000051",
+ "CCI-002247"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000050"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001384",
+ "CCI-002248"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001385",
+ "CCI-001386",
+ "CCI-001387"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001388"
+ ]
+ }
+ }
+ },
+ "AC-9": {
+ "1": {
+ "ccis": [
+ "CCI-000053"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001389",
+ "CCI-001390",
+ "CCI-001391",
+ "CCI-001392"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001393",
+ "CCI-001394",
+ "CCI-001395"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002249",
+ "CCI-002250",
+ "CCI-002251"
+ ]
+ },
+ "ccis": [
+ "CCI-000052"
+ ]
+ },
+ "AC-10": {
+ "ccis": [
+ "CCI-000054",
+ "CCI-000055",
+ "CCI-002252",
+ "CCI-002253"
+ ]
+ },
+ "AC-11": {
+ "1": {
+ "ccis": [
+ "CCI-000060"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000056"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000057",
+ "CCI-000058",
+ "CCI-000059"
+ ]
+ }
+ },
+ "AC-14": {
+ "1": {
+ "ccis": [
+ "CCI-000062"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000061",
+ "CCI-002255",
+ "CCI-003695"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000232"
+ ]
+ }
+ },
+ "AC-17": {
+ "1": {
+ "ccis": [
+ "CCI-000067",
+ "CCI-002313",
+ "CCI-002314"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000068",
+ "CCI-001453"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000069",
+ "CCI-001561",
+ "CCI-002315"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-000070",
+ "CCI-002316",
+ "CCI-002317",
+ "CCI-002318"
+ ]
+ },
+ "ccis": [
+ "CCI-001437"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-002319",
+ "CCI-002320"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-000071",
+ "CCI-001431",
+ "CCI-001432",
+ "CCI-001562"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000072"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-000079",
+ "CCI-001433",
+ "CCI-001434",
+ "CCI-001454"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-001435",
+ "CCI-001436",
+ "CCI-001455"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-002321",
+ "CCI-002322"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-003747",
+ "CCI-003748",
+ "CCI-003749"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000063",
+ "CCI-002310",
+ "CCI-002311",
+ "CCI-002312"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000064",
+ "CCI-000065"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000066"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001402"
+ ]
+ }
+ },
+ "PM-2": {
+ "ccis": [
+ "CCI-000078"
+ ]
+ },
+ "PM-3": {
+ "a": {
+ "ccis": [
+ "CCI-000080",
+ "CCI-004314",
+ "CCI-004315"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000081",
+ "CCI-004316",
+ "CCI-004317"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000141",
+ "CCI-004318"
+ ]
+ }
+ },
+ "AC-19": {
+ "1": {
+ "ccis": [
+ "CCI-000090"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000091"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000092"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-001330"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-001331"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001332"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001333"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001334",
+ "CCI-001335",
+ "CCI-001458"
+ ]
+ }
+ },
+ "c": {
+ "ccis": [
+ "CCI-002327",
+ "CCI-002328"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-002329",
+ "CCI-002330",
+ "CCI-002331"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000082",
+ "CCI-000083",
+ "CCI-002325",
+ "CCI-002326"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000084"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000085"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000086"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000087"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-000088",
+ "CCI-001456"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-000089",
+ "CCI-001457"
+ ]
+ }
+ },
+ "AC-20": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000095",
+ "CCI-001467",
+ "CCI-001468",
+ "CCI-001469",
+ "CCI-002333",
+ "CCI-002334",
+ "CCI-002335",
+ "CCI-002336",
+ "CCI-003756",
+ "CCI-003757"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000096",
+ "CCI-002337"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000097",
+ "CCI-003758"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002338"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002339",
+ "CCI-002340"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-003759"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000093",
+ "CCI-003750",
+ "CCI-003751"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002332",
+ "CCI-003752",
+ "CCI-003753"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-000094",
+ "CCI-001465",
+ "CCI-001466",
+ "CCI-003754",
+ "CCI-003755"
+ ]
+ }
+ },
+ "AC-21": {
+ "1": {
+ "ccis": [
+ "CCI-000099"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002341",
+ "CCI-002342"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000098",
+ "CCI-001470"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001471",
+ "CCI-001472"
+ ]
+ }
+ },
+ "AT-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000100",
+ "CCI-000101",
+ "CCI-002048"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003761"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000103",
+ "CCI-000104",
+ "CCI-002049"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000102",
+ "CCI-001564"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000105",
+ "CCI-001565"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-003762",
+ "CCI-003763",
+ "CCI-003764",
+ "CCI-003765"
+ ]
+ }
+ },
+ "AT-2": {
+ "1": {
+ "ccis": [
+ "CCI-000107"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002055"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003775",
+ "CCI-003776"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-003777",
+ "CCI-003778"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-003779"
+ ]
+ },
+ "6": {
+ "a": {
+ "ccis": [
+ "CCI-003780"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003781"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000106",
+ "CCI-005147"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000112",
+ "CCI-003766"
+ ]
+ }
+ },
+ "c": {
+ "ccis": [
+ "CCI-001479",
+ "CCI-003770",
+ "CCI-003771",
+ "CCI-003772",
+ "CCI-003773"
+ ]
+ },
+ "ccis": [
+ "CCI-001480"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-003767",
+ "CCI-003768",
+ "CCI-003769"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003774"
+ ]
+ }
+ },
+ "AT-3": {
+ "1": {
+ "ccis": [
+ "CCI-001481",
+ "CCI-001482",
+ "CCI-001483",
+ "CCI-002050"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001566",
+ "CCI-001567",
+ "CCI-001568",
+ "CCI-002051"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002052",
+ "CCI-003790"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002053",
+ "CCI-002054"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-003791",
+ "CCI-003792",
+ "CCI-003793"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000108",
+ "CCI-003783"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000109",
+ "CCI-003784"
+ ]
+ },
+ "ccis": [
+ "CCI-003782"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000110",
+ "CCI-000111",
+ "CCI-003789"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003785",
+ "CCI-003786",
+ "CCI-003787",
+ "CCI-003788"
+ ]
+ }
+ },
+ "AT-4": {
+ "a": {
+ "ccis": [
+ "CCI-000113",
+ "CCI-000114",
+ "CCI-003794",
+ "CCI-003795"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001336",
+ "CCI-001337"
+ ]
+ }
+ },
+ "AT-5": {
+ "ccis": [
+ "CCI-000115",
+ "CCI-000116"
+ ]
+ },
+ "AU-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000117",
+ "CCI-001832"
+ ]
+ },
+ "ccis": [
+ "CCI-001831",
+ "CCI-001930"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-003799"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000120",
+ "CCI-001833",
+ "CCI-001834",
+ "CCI-001931"
+ ]
+ },
+ "ccis": [
+ "CCI-000118"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000119",
+ "CCI-001569",
+ "CCI-003806",
+ "CCI-003807"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000122",
+ "CCI-001570",
+ "CCI-003808",
+ "CCI-003809"
+ ]
+ }
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-001835",
+ "CCI-001836",
+ "CCI-001837",
+ "CCI-001838"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001839",
+ "CCI-001840",
+ "CCI-001841",
+ "CCI-001842"
+ ]
+ },
+ "ccis": [
+ "CCI-000121",
+ "CCI-003800",
+ "CCI-003801",
+ "CCI-003802",
+ "CCI-003803",
+ "CCI-003804",
+ "CCI-003805"
+ ]
+ }
+ },
+ "AU-2": {
+ "3": {
+ "ccis": [
+ "CCI-000127",
+ "CCI-001486",
+ "CCI-001843"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000128"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000123",
+ "CCI-000129",
+ "CCI-001571"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000124"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000125"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000126",
+ "CCI-001484",
+ "CCI-001485"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003810",
+ "CCI-003811"
+ ]
+ }
+ },
+ "AU-3": {
+ "1": {
+ "ccis": [
+ "CCI-000135",
+ "CCI-001488"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000136",
+ "CCI-001489",
+ "CCI-001844",
+ "CCI-001845",
+ "CCI-001846",
+ "CCI-001847"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003812",
+ "CCI-003813"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000130"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000131"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000132"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000133"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000134"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-001487"
+ ]
+ }
+ },
+ "AU-4": {
+ "1": {
+ "ccis": [
+ "CCI-001850",
+ "CCI-001851"
+ ]
+ },
+ "ccis": [
+ "CCI-000137",
+ "CCI-000138",
+ "CCI-001848",
+ "CCI-001849"
+ ]
+ },
+ "AU-5": {
+ "1": {
+ "ccis": [
+ "CCI-000143",
+ "CCI-000146",
+ "CCI-001852",
+ "CCI-001853",
+ "CCI-001854",
+ "CCI-001855"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000144",
+ "CCI-000147",
+ "CCI-001856",
+ "CCI-001857",
+ "CCI-001858"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000145",
+ "CCI-001573",
+ "CCI-001574",
+ "CCI-001859"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001343",
+ "CCI-001860",
+ "CCI-001861",
+ "CCI-002907"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-003815",
+ "CCI-003816"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000139",
+ "CCI-001572",
+ "CCI-003814"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000140",
+ "CCI-001490"
+ ]
+ }
+ },
+ "PM-4": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000142",
+ "CCI-002991",
+ "CCI-004319",
+ "CCI-004320",
+ "CCI-004321",
+ "CCI-004322"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000170",
+ "CCI-004323",
+ "CCI-004324"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002992",
+ "CCI-004325",
+ "CCI-004326",
+ "CCI-004327"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-002993"
+ ]
+ }
+ },
+ "AU-6": {
+ "1": {
+ "ccis": [
+ "CCI-000152",
+ "CCI-001864",
+ "CCI-001865",
+ "CCI-003820"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000153"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000154",
+ "CCI-003821"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000155",
+ "CCI-001866",
+ "CCI-001867"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001491"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-001344",
+ "CCI-001868",
+ "CCI-001869"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-001345",
+ "CCI-001346",
+ "CCI-001870"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-001347",
+ "CCI-001871"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-001872",
+ "CCI-001873",
+ "CCI-001874"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000148",
+ "CCI-000151",
+ "CCI-001862",
+ "CCI-003817"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000149",
+ "CCI-000150",
+ "CCI-001863"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003818",
+ "CCI-003819"
+ ]
+ }
+ },
+ "AU-7": {
+ "1": {
+ "ccis": [
+ "CCI-000158",
+ "CCI-001883",
+ "CCI-003830"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001884",
+ "CCI-001885",
+ "CCI-001886",
+ "CCI-001887"
+ ]
+ },
+ "ccis": [
+ "CCI-000156",
+ "CCI-000157"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-001875",
+ "CCI-001876",
+ "CCI-001877",
+ "CCI-001878",
+ "CCI-001879",
+ "CCI-001880",
+ "CCI-003822",
+ "CCI-003823",
+ "CCI-003824",
+ "CCI-003825",
+ "CCI-003826",
+ "CCI-003827"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001881",
+ "CCI-001882",
+ "CCI-003828",
+ "CCI-003829"
+ ]
+ }
+ },
+ "AU-8": {
+ "1": {
+ "ccis": [
+ "CCI-000160"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-000161",
+ "CCI-001492",
+ "CCI-001891"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001892",
+ "CCI-002046"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-001893"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000159"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001888",
+ "CCI-001889",
+ "CCI-001890"
+ ]
+ }
+ },
+ "AU-9": {
+ "1": {
+ "ccis": [
+ "CCI-000165"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001348",
+ "CCI-001349",
+ "CCI-001575"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001350",
+ "CCI-001496"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001351",
+ "CCI-001894"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-001352"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-001895",
+ "CCI-001896"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001897",
+ "CCI-001898"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-003833"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000162",
+ "CCI-000163",
+ "CCI-000164",
+ "CCI-001493",
+ "CCI-001494",
+ "CCI-001495"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003831",
+ "CCI-003832"
+ ]
+ }
+ },
+ "AU-10": {
+ "1": {
+ "ccis": [
+ "CCI-001338"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-001900",
+ "CCI-001901"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001902"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-001339"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-001903",
+ "CCI-001904"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001905",
+ "CCI-001906"
+ ]
+ }
+ },
+ "3": {
+ "ccis": [
+ "CCI-001340"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-001341",
+ "CCI-001907"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001908",
+ "CCI-001909"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-001342"
+ ]
+ },
+ "ccis": [
+ "CCI-000166",
+ "CCI-001899"
+ ]
+ },
+ "AU-11": {
+ "1": {
+ "ccis": [
+ "CCI-002044",
+ "CCI-002045"
+ ]
+ },
+ "ccis": [
+ "CCI-000167",
+ "CCI-000168"
+ ]
+ },
+ "AU-12": {
+ "1": {
+ "ccis": [
+ "CCI-000173",
+ "CCI-000174",
+ "CCI-001576",
+ "CCI-001577"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001353"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001911",
+ "CCI-001912",
+ "CCI-001913",
+ "CCI-001914",
+ "CCI-002047",
+ "CCI-003834"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-003835",
+ "CCI-003836"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000169",
+ "CCI-001459"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000171",
+ "CCI-001910"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000172"
+ ]
+ }
+ },
+ "IA-5": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000191",
+ "CCI-000192",
+ "CCI-000193",
+ "CCI-000194",
+ "CCI-000205",
+ "CCI-001611",
+ "CCI-001612",
+ "CCI-001613",
+ "CCI-001614",
+ "CCI-001619",
+ "CCI-004057",
+ "CCI-004058",
+ "CCI-004059",
+ "CCI-004060"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000195",
+ "CCI-001615",
+ "CCI-004061"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000196",
+ "CCI-000197"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000198",
+ "CCI-000199",
+ "CCI-001616",
+ "CCI-001617",
+ "CCI-004062"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000200",
+ "CCI-001618",
+ "CCI-004063"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-002041",
+ "CCI-004064"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-004065"
+ ]
+ },
+ "h": {
+ "ccis": [
+ "CCI-004066",
+ "CCI-004067"
+ ]
+ }
+ },
+ "2": {
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-000185"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004068"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000186"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000187"
+ ]
+ }
+ },
+ "d": {
+ "ccis": [
+ "CCI-001991"
+ ]
+ }
+ },
+ "3": {
+ "ccis": [
+ "CCI-000188",
+ "CCI-001620",
+ "CCI-001992",
+ "CCI-001993",
+ "CCI-001994",
+ "CCI-001995"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000189",
+ "CCI-001996",
+ "CCI-001997"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000190",
+ "CCI-001998"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000201"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-000202",
+ "CCI-000203",
+ "CCI-002367",
+ "CCI-004069"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-000204",
+ "CCI-001621"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-001999",
+ "CCI-002000",
+ "CCI-004070",
+ "CCI-004071"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-002001",
+ "CCI-004072"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-002002",
+ "CCI-002003"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-002004",
+ "CCI-002005"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-002006",
+ "CCI-002007"
+ ]
+ },
+ "14": {
+ "ccis": [
+ "CCI-002008"
+ ]
+ },
+ "15": {
+ "ccis": [
+ "CCI-002043",
+ "CCI-004073"
+ ]
+ },
+ "16": {
+ "ccis": [
+ "CCI-004074",
+ "CCI-004075",
+ "CCI-004076",
+ "CCI-004077"
+ ]
+ },
+ "17": {
+ "ccis": [
+ "CCI-004078"
+ ]
+ },
+ "18": {
+ "a": {
+ "ccis": [
+ "CCI-004079",
+ "CCI-004080"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004081",
+ "CCI-004082"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-000175",
+ "CCI-001980"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000176"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000177",
+ "CCI-001981",
+ "CCI-001982",
+ "CCI-001983",
+ "CCI-001984",
+ "CCI-001985",
+ "CCI-001986",
+ "CCI-001987",
+ "CCI-001988",
+ "CCI-004053",
+ "CCI-004054"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000178",
+ "CCI-001989",
+ "CCI-004055"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-000179",
+ "CCI-000180",
+ "CCI-000181",
+ "CCI-000182",
+ "CCI-001610",
+ "CCI-004056"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-000183",
+ "CCI-002042"
+ ]
+ },
+ "h": {
+ "ccis": [
+ "CCI-000184"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001544"
+ ]
+ },
+ "i": {
+ "ccis": [
+ "CCI-001990",
+ "CCI-002365",
+ "CCI-002366"
+ ]
+ }
+ },
+ "IA-6": {
+ "ccis": [
+ "CCI-000206"
+ ]
+ },
+ "PM-5": {
+ "1": {
+ "ccis": [
+ "CCI-004331",
+ "CCI-004332",
+ "CCI-004333",
+ "CCI-004334"
+ ]
+ },
+ "ccis": [
+ "CCI-000207",
+ "CCI-004328",
+ "CCI-004329",
+ "CCI-004330"
+ ]
+ },
+ "PM-6": {
+ "ccis": [
+ "CCI-000209",
+ "CCI-000210",
+ "CCI-000211",
+ "CCI-004335",
+ "CCI-004336",
+ "CCI-004337"
+ ]
+ },
+ "PM-7": {
+ "1": {
+ "ccis": [
+ "CCI-004341",
+ "CCI-004342"
+ ]
+ },
+ "ccis": [
+ "CCI-000212",
+ "CCI-004338",
+ "CCI-004339",
+ "CCI-004340"
+ ]
+ },
+ "PM-8": {
+ "ccis": [
+ "CCI-000216",
+ "CCI-001640",
+ "CCI-004343",
+ "CCI-004344"
+ ]
+ },
+ "PM-9": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000227"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004345"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-000228"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002994",
+ "CCI-002995"
+ ]
+ }
+ },
+ "PM-10": {
+ "a": {
+ "ccis": [
+ "CCI-000229",
+ "CCI-000230",
+ "CCI-000231",
+ "CCI-004346",
+ "CCI-004347"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000233"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000234"
+ ]
+ }
+ },
+ "PM-11": {
+ "a": {
+ "ccis": [
+ "CCI-000235",
+ "CCI-004348"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000236",
+ "CCI-004349"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004350",
+ "CCI-004351"
+ ]
+ }
+ },
+ "CA-1": {
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000238",
+ "CCI-000241",
+ "CCI-003855",
+ "CCI-003856"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000244",
+ "CCI-001578",
+ "CCI-003857",
+ "CCI-003858"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000239",
+ "CCI-000240",
+ "CCI-002061"
+ ]
+ },
+ "ccis": [
+ "CCI-002060"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-003849"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000242",
+ "CCI-000243",
+ "CCI-002062",
+ "CCI-003850"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-003851",
+ "CCI-003852",
+ "CCI-003853",
+ "CCI-003854"
+ ]
+ }
+ },
+ "CA-2": {
+ "1": {
+ "ccis": [
+ "CCI-000255",
+ "CCI-002063"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000256",
+ "CCI-001579",
+ "CCI-001582",
+ "CCI-001583",
+ "CCI-001681",
+ "CCI-002064",
+ "CCI-002065"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002066",
+ "CCI-002067",
+ "CCI-002068",
+ "CCI-002069"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000245",
+ "CCI-000249",
+ "CCI-000250",
+ "CCI-003859"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-000246"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000247"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000248",
+ "CCI-002070"
+ ]
+ }
+ },
+ "d": {
+ "ccis": [
+ "CCI-000251",
+ "CCI-000252",
+ "CCI-003861"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000253"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-000254",
+ "CCI-002071"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003860"
+ ]
+ }
+ },
+ "CA-3": {
+ "1": {
+ "ccis": [
+ "CCI-000262",
+ "CCI-002072",
+ "CCI-002073"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000263",
+ "CCI-002074"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002075",
+ "CCI-002076",
+ "CCI-002077"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002078",
+ "CCI-002079"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002080",
+ "CCI-002081",
+ "CCI-002082"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-003864"
+ ]
+ },
+ "7": {
+ "a": {
+ "ccis": [
+ "CCI-003865"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003866"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-000257",
+ "CCI-003862"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000258",
+ "CCI-000259",
+ "CCI-000260",
+ "CCI-001580",
+ "CCI-003863"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000261",
+ "CCI-002083",
+ "CCI-002084"
+ ]
+ }
+ },
+ "CA-5": {
+ "1": {
+ "ccis": [
+ "CCI-000267",
+ "CCI-000268",
+ "CCI-000269",
+ "CCI-003867"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000264"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000265",
+ "CCI-000266"
+ ]
+ }
+ },
+ "CA-6": {
+ "1": {
+ "ccis": [
+ "CCI-003871"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003872"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000270"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-003869"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000271"
+ ]
+ }
+ },
+ "e": {
+ "ccis": [
+ "CCI-000272",
+ "CCI-000273"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003868"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003870"
+ ]
+ }
+ },
+ "CA-7": {
+ "1": {
+ "ccis": [
+ "CCI-000282",
+ "CCI-002085"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000283",
+ "CCI-000284",
+ "CCI-000285"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002086"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-003881"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003882"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003883"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-003884",
+ "CCI-003885",
+ "CCI-003886"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-003887",
+ "CCI-003888"
+ ]
+ },
+ "ccis": [
+ "CCI-000274",
+ "CCI-003873"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-000275",
+ "CCI-000276",
+ "CCI-002087",
+ "CCI-003874"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000277",
+ "CCI-000278",
+ "CCI-002088",
+ "CCI-002089",
+ "CCI-003875",
+ "CCI-003876",
+ "CCI-003877"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000279",
+ "CCI-003878"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-000280",
+ "CCI-000281",
+ "CCI-001581",
+ "CCI-003879",
+ "CCI-003880"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-002090"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-002091"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-002092"
+ ]
+ }
+ },
+ "CM-1": {
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000286",
+ "CCI-000289",
+ "CCI-003904",
+ "CCI-003905"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001584",
+ "CCI-003906",
+ "CCI-003907",
+ "CCI-003908"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000287",
+ "CCI-001821",
+ "CCI-001822"
+ ]
+ },
+ "ccis": [
+ "CCI-001820"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-003897"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000290",
+ "CCI-000292",
+ "CCI-001823",
+ "CCI-001824",
+ "CCI-001825"
+ ]
+ },
+ "ccis": [
+ "CCI-000288"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000291",
+ "CCI-003898",
+ "CCI-003899",
+ "CCI-003900",
+ "CCI-003901",
+ "CCI-003902",
+ "CCI-003903"
+ ]
+ }
+ },
+ "CM-2": {
+ "1": {
+ "c": {
+ "ccis": [
+ "CCI-000298",
+ "CCI-000299"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000300",
+ "CCI-000301",
+ "CCI-000302",
+ "CCI-000303",
+ "CCI-003911"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000304",
+ "CCI-001736"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-000305",
+ "CCI-000306"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000307"
+ ]
+ }
+ },
+ "5": {
+ "a": {
+ "ccis": [
+ "CCI-000308",
+ "CCI-000309"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000310"
+ ]
+ }
+ },
+ "6": {
+ "ccis": [
+ "CCI-000311",
+ "CCI-000312"
+ ]
+ },
+ "7": {
+ "a": {
+ "ccis": [
+ "CCI-001737",
+ "CCI-001738",
+ "CCI-001739"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001815",
+ "CCI-001816"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-000293",
+ "CCI-000294"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-000295",
+ "CCI-003909"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-000296",
+ "CCI-001497"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000297",
+ "CCI-001585"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003910"
+ ]
+ }
+ }
+ },
+ "CM-3": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000322",
+ "CCI-003913"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000323",
+ "CCI-001742",
+ "CCI-003914"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000324",
+ "CCI-001498",
+ "CCI-003915"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000325",
+ "CCI-003916"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000326",
+ "CCI-003917"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-002057",
+ "CCI-002058",
+ "CCI-003918"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000327",
+ "CCI-000328",
+ "CCI-000329"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000330",
+ "CCI-000331",
+ "CCI-003919",
+ "CCI-003920"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000332",
+ "CCI-003921",
+ "CCI-003922",
+ "CCI-003923",
+ "CCI-003924"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001743",
+ "CCI-001744"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001745",
+ "CCI-001746"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-003925",
+ "CCI-003926",
+ "CCI-003927"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-003928",
+ "CCI-003929"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000313"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000314",
+ "CCI-001740",
+ "CCI-003912"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000315",
+ "CCI-001741"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000316"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000317",
+ "CCI-001819",
+ "CCI-002056"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-000318"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-000319",
+ "CCI-000320",
+ "CCI-000321",
+ "CCI-001586"
+ ]
+ }
+ },
+ "CM-4": {
+ "1": {
+ "ccis": [
+ "CCI-000334",
+ "CCI-001587",
+ "CCI-001817",
+ "CCI-001818",
+ "CCI-003931"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000335",
+ "CCI-000336",
+ "CCI-000337",
+ "CCI-003932",
+ "CCI-003933",
+ "CCI-003934"
+ ]
+ },
+ "ccis": [
+ "CCI-000333",
+ "CCI-003930"
+ ]
+ },
+ "CM-5": {
+ "1": {
+ "ccis": [
+ "CCI-000346",
+ "CCI-000347",
+ "CCI-001814"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-001813",
+ "CCI-003937"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003938"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000348",
+ "CCI-000349",
+ "CCI-000350",
+ "CCI-001826"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000351",
+ "CCI-000352",
+ "CCI-001747",
+ "CCI-001748",
+ "CCI-001749",
+ "CCI-001750"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000353",
+ "CCI-000354",
+ "CCI-001751",
+ "CCI-001752"
+ ]
+ },
+ "5": {
+ "a": {
+ "ccis": [
+ "CCI-000355",
+ "CCI-000356",
+ "CCI-000357",
+ "CCI-000358",
+ "CCI-001753",
+ "CCI-001754"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000359",
+ "CCI-000360",
+ "CCI-000361",
+ "CCI-000362",
+ "CCI-001827",
+ "CCI-001828",
+ "CCI-001829",
+ "CCI-001830",
+ "CCI-003939",
+ "CCI-003940"
+ ]
+ }
+ },
+ "6": {
+ "ccis": [
+ "CCI-001499"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-001500",
+ "CCI-001501"
+ ]
+ },
+ "ccis": [
+ "CCI-000338",
+ "CCI-000339",
+ "CCI-000340",
+ "CCI-000341",
+ "CCI-000342",
+ "CCI-000343",
+ "CCI-000344",
+ "CCI-000345",
+ "CCI-003935",
+ "CCI-003936"
+ ]
+ },
+ "CM-6": {
+ "1": {
+ "ccis": [
+ "CCI-000370",
+ "CCI-000371",
+ "CCI-000372",
+ "CCI-002059",
+ "CCI-003947"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000373",
+ "CCI-000374",
+ "CCI-001757",
+ "CCI-001758",
+ "CCI-001759"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000375",
+ "CCI-000376",
+ "CCI-000377",
+ "CCI-000378",
+ "CCI-001589"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000379"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000363",
+ "CCI-000364",
+ "CCI-000365",
+ "CCI-001588",
+ "CCI-003941",
+ "CCI-003942"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000366"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000367",
+ "CCI-000368",
+ "CCI-000369",
+ "CCI-001755",
+ "CCI-001756"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001502",
+ "CCI-001503",
+ "CCI-003943",
+ "CCI-003944",
+ "CCI-003945",
+ "CCI-003946"
+ ]
+ }
+ },
+ "CM-7": {
+ "1": {
+ "ccis": [
+ "CCI-000383",
+ "CCI-000385"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-000384",
+ "CCI-001760"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001761",
+ "CCI-001762"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000386",
+ "CCI-001590",
+ "CCI-001591",
+ "CCI-001592",
+ "CCI-001593",
+ "CCI-001594",
+ "CCI-001595",
+ "CCI-001763",
+ "CCI-001764"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000387",
+ "CCI-000388"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-001765",
+ "CCI-001766"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001767"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001768",
+ "CCI-001769",
+ "CCI-001770",
+ "CCI-001771"
+ ]
+ }
+ },
+ "5": {
+ "a": {
+ "ccis": [
+ "CCI-001772",
+ "CCI-001773"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001774"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001775",
+ "CCI-001776",
+ "CCI-001777",
+ "CCI-001778"
+ ]
+ }
+ },
+ "6": {
+ "ccis": [
+ "CCI-003949",
+ "CCI-003950"
+ ]
+ },
+ "7": {
+ "a": {
+ "ccis": [
+ "CCI-003951",
+ "CCI-003952"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003953",
+ "CCI-003954"
+ ]
+ }
+ },
+ "8": {
+ "a": {
+ "ccis": [
+ "CCI-003955"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003956"
+ ]
+ }
+ },
+ "9": {
+ "a": {
+ "ccis": [
+ "CCI-003957",
+ "CCI-003958"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003959"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003960",
+ "CCI-003961"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-000380",
+ "CCI-000382"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000381",
+ "CCI-003948"
+ ]
+ }
+ },
+ "CM-8": {
+ "1": {
+ "ccis": [
+ "CCI-000408",
+ "CCI-000409",
+ "CCI-000410"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000411",
+ "CCI-000412",
+ "CCI-000413",
+ "CCI-000414",
+ "CCI-003968"
+ ]
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-000415",
+ "CCI-000416",
+ "CCI-003969"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000417",
+ "CCI-001783",
+ "CCI-001784"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-000418"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000419"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000420"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-001785"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-001786",
+ "CCI-003970"
+ ]
+ },
+ "9": {
+ "a": {
+ "ccis": [
+ "CCI-001787",
+ "CCI-001788"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001789"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000389",
+ "CCI-000390",
+ "CCI-003962"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000392",
+ "CCI-000393",
+ "CCI-003963"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000395",
+ "CCI-000396",
+ "CCI-003964"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000399",
+ "CCI-000400",
+ "CCI-003965",
+ "CCI-003966"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000398",
+ "CCI-003967"
+ ]
+ },
+ "ccis": [
+ "CCI-000391"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000394",
+ "CCI-001779",
+ "CCI-001780",
+ "CCI-001781",
+ "CCI-001782"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000397"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000401"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000402",
+ "CCI-000403",
+ "CCI-000404",
+ "CCI-000405",
+ "CCI-000406",
+ "CCI-000407"
+ ]
+ }
+ },
+ "CM-9": {
+ "1": {
+ "ccis": [
+ "CCI-000436"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000421",
+ "CCI-000422",
+ "CCI-000423",
+ "CCI-003971",
+ "CCI-003972"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000424",
+ "CCI-000425",
+ "CCI-000426",
+ "CCI-000430",
+ "CCI-000431",
+ "CCI-000432",
+ "CCI-000433",
+ "CCI-000434",
+ "CCI-000435",
+ "CCI-001796",
+ "CCI-001797",
+ "CCI-001798",
+ "CCI-003975",
+ "CCI-003976"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000427",
+ "CCI-000428",
+ "CCI-000429",
+ "CCI-001790",
+ "CCI-001791",
+ "CCI-001792",
+ "CCI-001793",
+ "CCI-001794",
+ "CCI-001795",
+ "CCI-003973",
+ "CCI-003974"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-001799",
+ "CCI-001801"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001800",
+ "CCI-003977",
+ "CCI-003978",
+ "CCI-003979"
+ ]
+ }
+ },
+ "CP-1": {
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000437",
+ "CCI-000440",
+ "CCI-004002",
+ "CCI-004003"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001596",
+ "CCI-001598",
+ "CCI-004004",
+ "CCI-004005"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000438",
+ "CCI-000439",
+ "CCI-002825"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003994",
+ "CCI-003995"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000441",
+ "CCI-001597",
+ "CCI-002826"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-003996",
+ "CCI-003997",
+ "CCI-003998",
+ "CCI-003999",
+ "CCI-004000",
+ "CCI-004001"
+ ]
+ }
+ },
+ "CP-2": {
+ "1": {
+ "ccis": [
+ "CCI-000469"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000470",
+ "CCI-000471",
+ "CCI-000472"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000473",
+ "CCI-000474",
+ "CCI-000475",
+ "CCI-000476"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000477",
+ "CCI-000478",
+ "CCI-000479",
+ "CCI-000480"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000481",
+ "CCI-000482",
+ "CCI-001599",
+ "CCI-001600"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000483",
+ "CCI-000484",
+ "CCI-001601",
+ "CCI-001602"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-002827"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-002828",
+ "CCI-002829"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000443",
+ "CCI-000444",
+ "CCI-000445"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000446",
+ "CCI-000447",
+ "CCI-000448"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000449"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000450",
+ "CCI-000451",
+ "CCI-000452",
+ "CCI-000453",
+ "CCI-000454",
+ "CCI-000455",
+ "CCI-004006",
+ "CCI-004007"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000456"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-004008"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-000457",
+ "CCI-002830"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-000458",
+ "CCI-000459"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000460"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000461",
+ "CCI-000462"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000463",
+ "CCI-000464",
+ "CCI-000465",
+ "CCI-000466"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-000468",
+ "CCI-002831"
+ ]
+ },
+ "h": {
+ "ccis": [
+ "CCI-002832"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-004009"
+ ]
+ }
+ },
+ "CP-3": {
+ "1": {
+ "ccis": [
+ "CCI-000488"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000489"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000486",
+ "CCI-002833"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002834"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000485",
+ "CCI-000487"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004010",
+ "CCI-004011",
+ "CCI-004012",
+ "CCI-004013"
+ ]
+ }
+ },
+ "CP-4": {
+ "1": {
+ "ccis": [
+ "CCI-000498",
+ "CCI-000499"
+ ]
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-000500"
+ ]
+ },
+ "ccis": [
+ "CCI-000501"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-002835"
+ ]
+ }
+ },
+ "3": {
+ "ccis": [
+ "CCI-000502",
+ "CCI-000503",
+ "CCI-004014"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000504"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-004015",
+ "CCI-004016",
+ "CCI-004017"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000490",
+ "CCI-000492",
+ "CCI-000494",
+ "CCI-000495"
+ ]
+ },
+ "ccis": [
+ "CCI-000491",
+ "CCI-000493"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-000496"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000497"
+ ]
+ }
+ },
+ "CP-6": {
+ "1": {
+ "ccis": [
+ "CCI-000507",
+ "CCI-001603"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000508"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000509",
+ "CCI-001604"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000505",
+ "CCI-004018"
+ ]
+ },
+ "ccis": [
+ "CCI-000506"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-002836"
+ ]
+ }
+ },
+ "CP-7": {
+ "1": {
+ "ccis": [
+ "CCI-000516",
+ "CCI-001605"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000517",
+ "CCI-001606"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000518"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000519",
+ "CCI-000520"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-002837",
+ "CCI-002838"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000510",
+ "CCI-000512",
+ "CCI-000513",
+ "CCI-000514",
+ "CCI-002839"
+ ]
+ },
+ "ccis": [
+ "CCI-000511"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-000515"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000521"
+ ]
+ }
+ },
+ "CP-8": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000526",
+ "CCI-000527"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000528",
+ "CCI-000529",
+ "CCI-004019"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000530",
+ "CCI-001607"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000531",
+ "CCI-001608"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-000532",
+ "CCI-000533"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002842"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002843",
+ "CCI-002844",
+ "CCI-002845",
+ "CCI-002846"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-002847",
+ "CCI-002848"
+ ]
+ },
+ "ccis": [
+ "CCI-000522",
+ "CCI-000523",
+ "CCI-000524",
+ "CCI-000525",
+ "CCI-002840",
+ "CCI-002841"
+ ]
+ },
+ "CP-9": {
+ "1": {
+ "ccis": [
+ "CCI-000541",
+ "CCI-000542"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000543"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000544",
+ "CCI-000545",
+ "CCI-000546",
+ "CCI-002849",
+ "CCI-002850"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000547",
+ "CCI-000548"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000549",
+ "CCI-001609"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-002851",
+ "CCI-002852"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-004025",
+ "CCI-004026",
+ "CCI-004027"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000534",
+ "CCI-000535",
+ "CCI-004020"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000536",
+ "CCI-000537"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000538",
+ "CCI-000539",
+ "CCI-004021"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000540",
+ "CCI-004022",
+ "CCI-004023",
+ "CCI-004024"
+ ]
+ }
+ },
+ "CP-10": {
+ "2": {
+ "ccis": [
+ "CCI-000553"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000554",
+ "CCI-000555"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000556",
+ "CCI-000557"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000560",
+ "CCI-000561",
+ "CCI-000562",
+ "CCI-004030"
+ ]
+ },
+ "ccis": [
+ "CCI-000550",
+ "CCI-000551",
+ "CCI-000552",
+ "CCI-004028",
+ "CCI-004029"
+ ]
+ },
+ "SI-13": {
+ "1": {
+ "ccis": [
+ "CCI-001319",
+ "CCI-001320"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001323",
+ "CCI-001324",
+ "CCI-001325",
+ "CCI-005009"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-001326",
+ "CCI-001327"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001328",
+ "CCI-001329",
+ "CCI-001689",
+ "CCI-005010"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-000558",
+ "CCI-000559"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001316",
+ "CCI-001317",
+ "CCI-002760",
+ "CCI-002761"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001318",
+ "CCI-001679",
+ "CCI-002762",
+ "CCI-002763"
+ ]
+ }
+ },
+ "PL-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000563",
+ "CCI-000564",
+ "CCI-003047"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004273"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000566",
+ "CCI-000567",
+ "CCI-003048"
+ ]
+ },
+ "ccis": [
+ "CCI-000565"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001636",
+ "CCI-001637",
+ "CCI-004276"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000568",
+ "CCI-001638",
+ "CCI-004277"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004274",
+ "CCI-004275"
+ ]
+ }
+ },
+ "PL-2": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000576"
+ ]
+ }
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-000580",
+ "CCI-000581",
+ "CCI-000582"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000583",
+ "CCI-000584"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000585"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000586",
+ "CCI-000587",
+ "CCI-000588",
+ "CCI-000589"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000590",
+ "CCI-000591"
+ ]
+ }
+ },
+ "3": {
+ "ccis": [
+ "CCI-003065",
+ "CCI-003066",
+ "CCI-003067"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-003050"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003051"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003052"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-004278"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-004279"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-003053"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-004280"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-004281"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-003054"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-003055"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-003056"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-003057"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-004282"
+ ]
+ },
+ "14": {
+ "ccis": [
+ "CCI-004283"
+ ]
+ },
+ "15": {
+ "ccis": [
+ "CCI-000571"
+ ]
+ },
+ "ccis": [
+ "CCI-000570",
+ "CCI-003049"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000572",
+ "CCI-000573"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000574"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003058",
+ "CCI-003059",
+ "CCI-003060",
+ "CCI-003061",
+ "CCI-003062"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003063",
+ "CCI-003064"
+ ]
+ }
+ },
+ "PL-7": {
+ "b": {
+ "ccis": [
+ "CCI-000577",
+ "CCI-000578"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003071",
+ "CCI-004291"
+ ]
+ }
+ },
+ "PL-4": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000594"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000595"
+ ]
+ },
+ "ccis": [
+ "CCI-000596"
+ ],
+ "c": {
+ "ccis": [
+ "CCI-004290"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-000592",
+ "CCI-001639",
+ "CCI-004284",
+ "CCI-004285",
+ "CCI-004286",
+ "CCI-004287",
+ "CCI-004288"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000593"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003068",
+ "CCI-003069"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003070",
+ "CCI-004289"
+ ]
+ }
+ },
+ "PL-5": {
+ "ccis": [
+ "CCI-000597"
+ ]
+ },
+ "PL-6": {
+ "ccis": [
+ "CCI-000598",
+ "CCI-000599",
+ "CCI-000600"
+ ]
+ },
+ "SA-1": {
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000601",
+ "CCI-000604",
+ "CCI-004662",
+ "CCI-004663"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000607",
+ "CCI-001646",
+ "CCI-004664",
+ "CCI-004665"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000602",
+ "CCI-003089"
+ ]
+ },
+ "ccis": [
+ "CCI-000603"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-004655"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000605",
+ "CCI-000606",
+ "CCI-003090"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004656",
+ "CCI-004657",
+ "CCI-004658",
+ "CCI-004659",
+ "CCI-004660",
+ "CCI-004661"
+ ]
+ }
+ },
+ "SA-2": {
+ "a": {
+ "ccis": [
+ "CCI-000608",
+ "CCI-000609",
+ "CCI-003091",
+ "CCI-004666"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000610",
+ "CCI-000611",
+ "CCI-000612"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000613",
+ "CCI-000614",
+ "CCI-004667",
+ "CCI-004668"
+ ]
+ }
+ },
+ "SA-3": {
+ "1": {
+ "ccis": [
+ "CCI-004679"
+ ]
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-004680",
+ "CCI-004681",
+ "CCI-004682"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004683"
+ ]
+ }
+ },
+ "3": {
+ "ccis": [
+ "CCI-004684",
+ "CCI-004685"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000615",
+ "CCI-003092",
+ "CCI-004669",
+ "CCI-004670",
+ "CCI-004671",
+ "CCI-004672",
+ "CCI-004673",
+ "CCI-004674",
+ "CCI-004675"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000616",
+ "CCI-000617",
+ "CCI-004676"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000618",
+ "CCI-004677"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003093",
+ "CCI-004678"
+ ]
+ }
+ },
+ "SA-4": {
+ "1": {
+ "ccis": [
+ "CCI-000623"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000624",
+ "CCI-000625",
+ "CCI-003101",
+ "CCI-003102",
+ "CCI-003103",
+ "CCI-003104",
+ "CCI-003105",
+ "CCI-003106"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000626",
+ "CCI-000627",
+ "CCI-000628",
+ "CCI-003107",
+ "CCI-003108"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-004697",
+ "CCI-004698"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004699",
+ "CCI-004700"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004701",
+ "CCI-004702"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-000629"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000630"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-003109",
+ "CCI-003110"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003111"
+ ]
+ }
+ },
+ "6": {
+ "a": {
+ "ccis": [
+ "CCI-000631",
+ "CCI-000632"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000633"
+ ]
+ }
+ },
+ "7": {
+ "a": {
+ "ccis": [
+ "CCI-000634"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000635",
+ "CCI-001647"
+ ]
+ }
+ },
+ "8": {
+ "ccis": [
+ "CCI-003112",
+ "CCI-003113"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-003114",
+ "CCI-003115"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-003116"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-004703",
+ "CCI-004704"
+ ]
+ },
+ "12": {
+ "a": {
+ "ccis": [
+ "CCI-004705"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004706",
+ "CCI-004707"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-000619",
+ "CCI-003094",
+ "CCI-004687"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000620",
+ "CCI-003095"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000621",
+ "CCI-003096",
+ "CCI-004688"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003097",
+ "CCI-004691"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-003098",
+ "CCI-004692",
+ "CCI-004693"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-003099"
+ ]
+ },
+ "i": {
+ "ccis": [
+ "CCI-003100"
+ ]
+ },
+ "ccis": [
+ "CCI-004686"
+ ],
+ "d": {
+ "ccis": [
+ "CCI-004689",
+ "CCI-004690"
+ ]
+ },
+ "h": {
+ "ccis": [
+ "CCI-004694",
+ "CCI-004695",
+ "CCI-004696"
+ ]
+ }
+ },
+ "SA-5": {
+ "1": {
+ "ccis": [
+ "CCI-000643",
+ "CCI-000644",
+ "CCI-001690",
+ "CCI-001691"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000645",
+ "CCI-000646"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000647",
+ "CCI-000648"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000650",
+ "CCI-000651",
+ "CCI-001692"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000653",
+ "CCI-000654",
+ "CCI-001648"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-003124",
+ "CCI-003125",
+ "CCI-003126"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003127",
+ "CCI-004708"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003128"
+ ]
+ },
+ "ccis": [
+ "CCI-000636",
+ "CCI-000637",
+ "CCI-000638"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-003129",
+ "CCI-004709"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003130",
+ "CCI-004710"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003131",
+ "CCI-004711"
+ ]
+ },
+ "ccis": [
+ "CCI-000639",
+ "CCI-000640",
+ "CCI-000641"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000642",
+ "CCI-003132",
+ "CCI-003133"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003134",
+ "CCI-003135",
+ "CCI-003136"
+ ]
+ }
+ },
+ "SA-6": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000659",
+ "CCI-000660"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000661",
+ "CCI-000662"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-000655"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000656"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000657",
+ "CCI-000658"
+ ]
+ }
+ },
+ "SA-7": {
+ "ccis": [
+ "CCI-000663",
+ "CCI-001649"
+ ]
+ },
+ "SA-8": {
+ "1": {
+ "ccis": [
+ "CCI-004717"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004718",
+ "CCI-004719"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004720",
+ "CCI-004721"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-004722",
+ "CCI-004723"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-004724",
+ "CCI-004725"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-004726",
+ "CCI-004727"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-004728",
+ "CCI-004729"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-004730",
+ "CCI-004731"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-004732",
+ "CCI-004733"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-004734",
+ "CCI-004735"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-004736",
+ "CCI-004737"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-004738",
+ "CCI-004739"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-004740",
+ "CCI-004741"
+ ]
+ },
+ "14": {
+ "ccis": [
+ "CCI-004742",
+ "CCI-004743"
+ ]
+ },
+ "15": {
+ "ccis": [
+ "CCI-004744",
+ "CCI-004745"
+ ]
+ },
+ "16": {
+ "ccis": [
+ "CCI-004746",
+ "CCI-004747"
+ ]
+ },
+ "17": {
+ "ccis": [
+ "CCI-004748",
+ "CCI-004749"
+ ]
+ },
+ "18": {
+ "ccis": [
+ "CCI-004750",
+ "CCI-004751"
+ ]
+ },
+ "19": {
+ "ccis": [
+ "CCI-004752",
+ "CCI-004753"
+ ]
+ },
+ "20": {
+ "ccis": [
+ "CCI-004754",
+ "CCI-004755"
+ ]
+ },
+ "21": {
+ "ccis": [
+ "CCI-004756",
+ "CCI-004757"
+ ]
+ },
+ "22": {
+ "ccis": [
+ "CCI-004758",
+ "CCI-004759"
+ ]
+ },
+ "23": {
+ "ccis": [
+ "CCI-004760",
+ "CCI-004761"
+ ]
+ },
+ "24": {
+ "ccis": [
+ "CCI-004762",
+ "CCI-004763"
+ ]
+ },
+ "25": {
+ "ccis": [
+ "CCI-004764",
+ "CCI-004765"
+ ]
+ },
+ "26": {
+ "ccis": [
+ "CCI-004766",
+ "CCI-004767"
+ ]
+ },
+ "27": {
+ "ccis": [
+ "CCI-004768",
+ "CCI-004769"
+ ]
+ },
+ "28": {
+ "ccis": [
+ "CCI-004770",
+ "CCI-004771"
+ ]
+ },
+ "29": {
+ "ccis": [
+ "CCI-004772",
+ "CCI-004773"
+ ]
+ },
+ "30": {
+ "ccis": [
+ "CCI-004774",
+ "CCI-004775"
+ ]
+ },
+ "31": {
+ "ccis": [
+ "CCI-004776",
+ "CCI-004777"
+ ]
+ },
+ "32": {
+ "ccis": [
+ "CCI-004778",
+ "CCI-004779"
+ ]
+ },
+ "33": {
+ "ccis": [
+ "CCI-004780",
+ "CCI-004781"
+ ]
+ },
+ "ccis": [
+ "CCI-000664",
+ "CCI-000665",
+ "CCI-000666",
+ "CCI-000667",
+ "CCI-000668",
+ "CCI-004712",
+ "CCI-004713",
+ "CCI-004714",
+ "CCI-004715",
+ "CCI-004716"
+ ]
+ },
+ "SA-9": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000676",
+ "CCI-000677",
+ "CCI-003140"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000678",
+ "CCI-000679",
+ "CCI-000680",
+ "CCI-000681",
+ "CCI-003141",
+ "CCI-003142"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-003143",
+ "CCI-003144"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003145",
+ "CCI-003146",
+ "CCI-003147",
+ "CCI-003148",
+ "CCI-004787",
+ "CCI-004788",
+ "CCI-004789",
+ "CCI-004790"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-003149",
+ "CCI-003150",
+ "CCI-003151"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-003152",
+ "CCI-003153",
+ "CCI-003154"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-004791"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-004792"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-004793"
+ ]
+ },
+ "ccis": [
+ "CCI-000669"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-000670",
+ "CCI-003137",
+ "CCI-004782",
+ "CCI-004783",
+ "CCI-004784"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000671",
+ "CCI-000672",
+ "CCI-000673",
+ "CCI-000674",
+ "CCI-004785",
+ "CCI-004786"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000675",
+ "CCI-003138",
+ "CCI-003139"
+ ]
+ }
+ },
+ "SA-10": {
+ "1": {
+ "ccis": [
+ "CCI-000698",
+ "CCI-000699"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000700",
+ "CCI-000701"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003165"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-003166",
+ "CCI-003167",
+ "CCI-003168"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-003169"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-003170"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-004795",
+ "CCI-004796",
+ "CCI-004797"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003155"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003156",
+ "CCI-003157",
+ "CCI-003158",
+ "CCI-003159"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000693"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000695"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003161",
+ "CCI-003162",
+ "CCI-003163",
+ "CCI-003164"
+ ]
+ }
+ },
+ "SA-11": {
+ "1": {
+ "ccis": [
+ "CCI-000712",
+ "CCI-000713",
+ "CCI-003179",
+ "CCI-003180"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000714",
+ "CCI-000715",
+ "CCI-000716",
+ "CCI-000717",
+ "CCI-000718",
+ "CCI-000719",
+ "CCI-003181",
+ "CCI-003182"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-004801",
+ "CCI-004802"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004803",
+ "CCI-004804"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004805",
+ "CCI-004806"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004807",
+ "CCI-004808"
+ ]
+ }
+ },
+ "3": {
+ "ccis": [
+ "CCI-000720",
+ "CCI-000721"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-003183",
+ "CCI-003184",
+ "CCI-003185",
+ "CCI-004809",
+ "CCI-004810",
+ "CCI-004811"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003186"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-003187",
+ "CCI-003188",
+ "CCI-003189"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-003190"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-003191",
+ "CCI-004812"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003192",
+ "CCI-004813"
+ ]
+ }
+ },
+ "6": {
+ "ccis": [
+ "CCI-003193"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-003194",
+ "CCI-003195"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-003196",
+ "CCI-003197"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-004814",
+ "CCI-004815"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003171",
+ "CCI-003172",
+ "CCI-004798",
+ "CCI-004799"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003173",
+ "CCI-003174",
+ "CCI-004800"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003175",
+ "CCI-003176"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003177"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003178"
+ ]
+ }
+ },
+ "SA-12": {
+ "1": {
+ "ccis": [
+ "CCI-000724",
+ "CCI-003198",
+ "CCI-003199",
+ "CCI-003207",
+ "CCI-003208",
+ "CCI-003209"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000725",
+ "CCI-000726",
+ "CCI-000727",
+ "CCI-000728",
+ "CCI-003200"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000729",
+ "CCI-000730",
+ "CCI-000731",
+ "CCI-000732",
+ "CCI-000733",
+ "CCI-000734"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000735",
+ "CCI-000736",
+ "CCI-000737",
+ "CCI-000738"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000739",
+ "CCI-000740",
+ "CCI-000741",
+ "CCI-003201",
+ "CCI-003202"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000742",
+ "CCI-000743",
+ "CCI-000744"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-000745",
+ "CCI-000746",
+ "CCI-000747",
+ "CCI-003203",
+ "CCI-003204"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-003205"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-003206",
+ "CCI-003210",
+ "CCI-003211"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-003212",
+ "CCI-003213"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-003214",
+ "CCI-003215"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-003216",
+ "CCI-003217"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-003218",
+ "CCI-003219",
+ "CCI-003220"
+ ]
+ },
+ "14": {
+ "ccis": [
+ "CCI-003221",
+ "CCI-003222",
+ "CCI-003223"
+ ]
+ },
+ "15": {
+ "ccis": [
+ "CCI-003224"
+ ]
+ },
+ "ccis": [
+ "CCI-000722",
+ "CCI-000723"
+ ]
+ },
+ "SA-13": {
+ "ccis": [
+ "CCI-000748",
+ "CCI-000749"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-003225",
+ "CCI-003226"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003227",
+ "CCI-003228"
+ ]
+ }
+ },
+ "SA-14": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000753"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000754",
+ "CCI-000755"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-000750",
+ "CCI-003229",
+ "CCI-003230",
+ "CCI-003231",
+ "CCI-003232"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-000751"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000752"
+ ]
+ }
+ },
+ "IA-1": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000756",
+ "CCI-001932",
+ "CCI-001933",
+ "CCI-004031"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-000757",
+ "CCI-004032"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004033"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000760",
+ "CCI-000761",
+ "CCI-001934",
+ "CCI-004034"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000758",
+ "CCI-000759",
+ "CCI-004041",
+ "CCI-004042"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000762",
+ "CCI-000763",
+ "CCI-004043",
+ "CCI-004044"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004035",
+ "CCI-004036",
+ "CCI-004037",
+ "CCI-004038",
+ "CCI-004039",
+ "CCI-004040"
+ ]
+ }
+ },
+ "IA-2": {
+ "1": {
+ "ccis": [
+ "CCI-000765"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000766"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000767"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000768"
+ ]
+ },
+ "5": {
+ "a": {
+ "ccis": [
+ "CCI-000769"
+ ]
+ },
+ "ccis": [
+ "CCI-000770",
+ "CCI-004045"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000771",
+ "CCI-001935",
+ "CCI-001936",
+ "CCI-001937"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-004046"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004047",
+ "CCI-004048"
+ ]
+ }
+ },
+ "7": {
+ "ccis": [
+ "CCI-000772",
+ "CCI-001938",
+ "CCI-001939",
+ "CCI-001940"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-000773",
+ "CCI-000774",
+ "CCI-001941"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-000775",
+ "CCI-000776",
+ "CCI-001942"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-001943",
+ "CCI-001944",
+ "CCI-001945",
+ "CCI-001946"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-001947",
+ "CCI-001948",
+ "CCI-001949",
+ "CCI-001950",
+ "CCI-001951",
+ "CCI-001952"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-001953",
+ "CCI-001954"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-001955",
+ "CCI-001956",
+ "CCI-001957"
+ ]
+ },
+ "ccis": [
+ "CCI-000764"
+ ]
+ },
+ "IA-3": {
+ "1": {
+ "ccis": [
+ "CCI-000779",
+ "CCI-000780",
+ "CCI-001959",
+ "CCI-001967"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000781"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000782"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-000783"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001960",
+ "CCI-001961",
+ "CCI-001962",
+ "CCI-001963"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-001964",
+ "CCI-001965",
+ "CCI-001966",
+ "CCI-001968",
+ "CCI-001969"
+ ]
+ },
+ "ccis": [
+ "CCI-000777",
+ "CCI-000778",
+ "CCI-001958"
+ ]
+ },
+ "IA-4": {
+ "1": {
+ "ccis": [
+ "CCI-000796"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000797",
+ "CCI-000798",
+ "CCI-002040"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000799"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000800",
+ "CCI-000801"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000802",
+ "CCI-001976",
+ "CCI-004049"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001977",
+ "CCI-001978"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-001979"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-004050"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-004051",
+ "CCI-004052"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000784",
+ "CCI-000785",
+ "CCI-001970",
+ "CCI-001971"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000786",
+ "CCI-000787",
+ "CCI-001972"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000788",
+ "CCI-000789",
+ "CCI-001973"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000790",
+ "CCI-000791",
+ "CCI-000792",
+ "CCI-000793",
+ "CCI-001974",
+ "CCI-001975"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000794",
+ "CCI-000795"
+ ]
+ }
+ },
+ "IA-7": {
+ "ccis": [
+ "CCI-000803"
+ ]
+ },
+ "IA-8": {
+ "1": {
+ "ccis": [
+ "CCI-002009",
+ "CCI-002010"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002011"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-004083"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004084"
+ ]
+ }
+ },
+ "3": {
+ "ccis": [
+ "CCI-002012",
+ "CCI-002013"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002014",
+ "CCI-004085",
+ "CCI-004086"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002015",
+ "CCI-002016",
+ "CCI-004087"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-004088",
+ "CCI-004089",
+ "CCI-004090",
+ "CCI-004091"
+ ]
+ },
+ "ccis": [
+ "CCI-000804"
+ ]
+ },
+ "IR-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000805",
+ "CCI-000806",
+ "CCI-002776"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004109"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000809",
+ "CCI-000810",
+ "CCI-002777"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000807",
+ "CCI-000808",
+ "CCI-004113",
+ "CCI-004114"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000811",
+ "CCI-000812",
+ "CCI-004115",
+ "CCI-004116"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004110",
+ "CCI-004111",
+ "CCI-004112"
+ ]
+ }
+ },
+ "IR-2": {
+ "1": {
+ "ccis": [
+ "CCI-000816"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000817",
+ "CCI-004117"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004118"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000813",
+ "CCI-002778"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002779"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000814"
+ ]
+ }
+ },
+ "c": {
+ "ccis": [
+ "CCI-000815"
+ ]
+ },
+ "ccis": [
+ "CCI-001622",
+ "CCI-001623"
+ ]
+ },
+ "IR-3": {
+ "1": {
+ "ccis": [
+ "CCI-000821",
+ "CCI-004119"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002780"
+ ]
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-004120",
+ "CCI-004121"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004122",
+ "CCI-004123"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004124",
+ "CCI-004125",
+ "CCI-004126",
+ "CCI-004127",
+ "CCI-004128",
+ "CCI-004129"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-000818",
+ "CCI-000819",
+ "CCI-000820",
+ "CCI-001624"
+ ]
+ },
+ "IR-4": {
+ "1": {
+ "ccis": [
+ "CCI-000825",
+ "CCI-004137"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000826",
+ "CCI-002781",
+ "CCI-004138"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000827",
+ "CCI-000828",
+ "CCI-004139",
+ "CCI-004140"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000829"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000830",
+ "CCI-000831"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-002782"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-002783",
+ "CCI-002784",
+ "CCI-004141",
+ "CCI-004142"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-002785",
+ "CCI-002786",
+ "CCI-002787"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-002788",
+ "CCI-002789"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-002790"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-004143",
+ "CCI-004144"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-004145"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-004146",
+ "CCI-004147"
+ ]
+ },
+ "14": {
+ "ccis": [
+ "CCI-004148"
+ ]
+ },
+ "15": {
+ "a": {
+ "ccis": [
+ "CCI-004149"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004150"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-000822"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000823"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000824",
+ "CCI-001625",
+ "CCI-004130",
+ "CCI-004131",
+ "CCI-004132"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004133",
+ "CCI-004134",
+ "CCI-004135",
+ "CCI-004136"
+ ]
+ }
+ },
+ "IR-5": {
+ "1": {
+ "ccis": [
+ "CCI-000833",
+ "CCI-001626",
+ "CCI-001627",
+ "CCI-004151",
+ "CCI-004152",
+ "CCI-004153",
+ "CCI-004154"
+ ]
+ },
+ "ccis": [
+ "CCI-000832"
+ ]
+ },
+ "IR-6": {
+ "1": {
+ "ccis": [
+ "CCI-000837",
+ "CCI-004155"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000838",
+ "CCI-002792"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002793",
+ "CCI-004156"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000834",
+ "CCI-000835"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000836",
+ "CCI-002791"
+ ]
+ }
+ },
+ "IR-7": {
+ "1": {
+ "ccis": [
+ "CCI-000840"
+ ]
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-000841"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000842"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-000839"
+ ]
+ },
+ "IR-8": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-004160"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004161"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004162"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-002795"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002796"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002797"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002798"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002799"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-002800"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-002801"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-004157"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-000844",
+ "CCI-002802",
+ "CCI-004158"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-004159"
+ ]
+ },
+ "ccis": [
+ "CCI-000843",
+ "CCI-002794"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000845",
+ "CCI-000846"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000847",
+ "CCI-000848",
+ "CCI-000849"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000850",
+ "CCI-002803"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-002804"
+ ]
+ }
+ },
+ "MA-1": {
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000851",
+ "CCI-000854",
+ "CCI-004170",
+ "CCI-004171"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000857",
+ "CCI-001628",
+ "CCI-004172",
+ "CCI-004173"
+ ]
+ }
+ },
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000852",
+ "CCI-002861"
+ ]
+ },
+ "ccis": [
+ "CCI-000853"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-004165"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000855",
+ "CCI-000856",
+ "CCI-002862"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004166",
+ "CCI-004167",
+ "CCI-004168",
+ "CCI-004169"
+ ]
+ }
+ },
+ "MA-2": {
+ "1": {
+ "abcde": {
+ "ccis": [
+ "CCI-000863"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000864",
+ "CCI-001629"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-002863",
+ "CCI-002905",
+ "CCI-004182",
+ "CCI-004183",
+ "CCI-004184"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002864",
+ "CCI-002865",
+ "CCI-004185"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-000858",
+ "CCI-002866",
+ "CCI-002867",
+ "CCI-002868",
+ "CCI-002869",
+ "CCI-002870",
+ "CCI-002871",
+ "CCI-002872",
+ "CCI-002873",
+ "CCI-004174",
+ "CCI-004175",
+ "CCI-004176"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000859",
+ "CCI-004177",
+ "CCI-004178",
+ "CCI-004179",
+ "CCI-004180"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000860",
+ "CCI-002874"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000861",
+ "CCI-004181"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000862"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-002875",
+ "CCI-002876"
+ ]
+ }
+ },
+ "MA-3": {
+ "1": {
+ "ccis": [
+ "CCI-000869"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000870"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000871"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-002877"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002878"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002879",
+ "CCI-002880"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-002881",
+ "CCI-002882"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-000872",
+ "CCI-002883"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-004188"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-004189"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000865",
+ "CCI-000866",
+ "CCI-000867"
+ ]
+ },
+ "ccis": [
+ "CCI-000868"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-004186",
+ "CCI-004187"
+ ]
+ }
+ },
+ "MA-4": {
+ "1": {
+ "ccis": [
+ "CCI-000880",
+ "CCI-001630"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-002884",
+ "CCI-002885"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002886"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000881"
+ ]
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-000882"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000883",
+ "CCI-001631"
+ ]
+ }
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-000884",
+ "CCI-002887"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-001632"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004192"
+ ]
+ }
+ }
+ },
+ "5": {
+ "a": {
+ "ccis": [
+ "CCI-000885",
+ "CCI-000887",
+ "CCI-002888"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000886",
+ "CCI-002889"
+ ]
+ }
+ },
+ "6": {
+ "ccis": [
+ "CCI-000888",
+ "CCI-002890",
+ "CCI-003123",
+ "CCI-004193"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-000889",
+ "CCI-002891"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000873",
+ "CCI-000874",
+ "CCI-000875"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000876"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000877"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000878"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000879",
+ "CCI-004190",
+ "CCI-004191"
+ ]
+ }
+ },
+ "MA-5": {
+ "1": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000894"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000895"
+ ]
+ },
+ "ccis": [
+ "CCI-000893"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000896"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002892",
+ "CCI-004194",
+ "CCI-004195",
+ "CCI-004196"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000897"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000898"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-000899"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000900"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-002893"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000890",
+ "CCI-000891"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000892",
+ "CCI-002894"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002895"
+ ]
+ }
+ },
+ "MA-6": {
+ "1": {
+ "ccis": [
+ "CCI-002898",
+ "CCI-002899",
+ "CCI-002900"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002901",
+ "CCI-002902",
+ "CCI-002903"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002904",
+ "CCI-004197"
+ ]
+ },
+ "ccis": [
+ "CCI-000901",
+ "CCI-000902",
+ "CCI-000903",
+ "CCI-002896",
+ "CCI-002897"
+ ]
+ },
+ "PE-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000904"
+ ]
+ },
+ "ccis": [
+ "CCI-000905",
+ "CCI-002908"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-004229"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000908",
+ "CCI-000909",
+ "CCI-002909"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000906",
+ "CCI-000907",
+ "CCI-004236",
+ "CCI-004237"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000910",
+ "CCI-000911",
+ "CCI-004238",
+ "CCI-004239"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004230",
+ "CCI-004231",
+ "CCI-004232",
+ "CCI-004233",
+ "CCI-004234",
+ "CCI-004235"
+ ]
+ }
+ },
+ "PE-2": {
+ "1": {
+ "ccis": [
+ "CCI-000916"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000917",
+ "CCI-002912"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000918",
+ "CCI-001634",
+ "CCI-002913",
+ "CCI-002914"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000912",
+ "CCI-002910",
+ "CCI-002911"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000913"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000914",
+ "CCI-000915"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001635"
+ ]
+ }
+ },
+ "PE-3": {
+ "1": {
+ "ccis": [
+ "CCI-000928",
+ "CCI-002926"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000929",
+ "CCI-002927"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-000930"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-000931",
+ "CCI-000932"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-000933",
+ "CCI-002928",
+ "CCI-002929"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-000934",
+ "CCI-000935"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-004244"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-004245",
+ "CCI-004246"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-000920"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000921",
+ "CCI-002916",
+ "CCI-004242",
+ "CCI-004243"
+ ]
+ },
+ "ccis": [
+ "CCI-000919",
+ "CCI-002915",
+ "CCI-004240",
+ "CCI-004241"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000922",
+ "CCI-002921",
+ "CCI-002922",
+ "CCI-002923",
+ "CCI-002924"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-000923"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-000924",
+ "CCI-000925",
+ "CCI-002925"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-000926",
+ "CCI-000927"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002917",
+ "CCI-002918"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002919",
+ "CCI-002920"
+ ]
+ }
+ },
+ "PE-4": {
+ "ccis": [
+ "CCI-000936",
+ "CCI-002930",
+ "CCI-002931"
+ ]
+ },
+ "PE-5": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-002932",
+ "CCI-002933"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002934"
+ ]
+ }
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-002935"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002936"
+ ]
+ },
+ "ccis": [
+ "CCI-004247"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002937",
+ "CCI-002938"
+ ]
+ },
+ "ccis": [
+ "CCI-000937"
+ ]
+ },
+ "PE-6": {
+ "1": {
+ "ccis": [
+ "CCI-000942"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000943",
+ "CCI-002942",
+ "CCI-002943",
+ "CCI-002944",
+ "CCI-002945",
+ "CCI-004248"
+ ]
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-002946",
+ "CCI-002947"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002948",
+ "CCI-002949"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004249",
+ "CCI-004250"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-002950",
+ "CCI-002951"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000938",
+ "CCI-002939"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000939",
+ "CCI-000940",
+ "CCI-002940",
+ "CCI-002941"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000941"
+ ]
+ }
+ },
+ "PE-7": {
+ "1": {
+ "ccis": [
+ "CCI-000945"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000946"
+ ]
+ },
+ "ccis": [
+ "CCI-000944"
+ ]
+ },
+ "PE-8": {
+ "1": {
+ "ccis": [
+ "CCI-000950",
+ "CCI-004253"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000951"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004254",
+ "CCI-004255"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000947",
+ "CCI-002952"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000948",
+ "CCI-000949"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004251",
+ "CCI-004252"
+ ]
+ }
+ },
+ "PE-9": {
+ "1": {
+ "ccis": [
+ "CCI-000953",
+ "CCI-002953",
+ "CCI-002954"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000954",
+ "CCI-000955"
+ ]
+ },
+ "ccis": [
+ "CCI-000952"
+ ]
+ },
+ "PE-10": {
+ "a": {
+ "ccis": [
+ "CCI-000956",
+ "CCI-004256"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000957",
+ "CCI-000958"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000959"
+ ]
+ }
+ },
+ "PE-11": {
+ "1": {
+ "ccis": [
+ "CCI-000961"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000962"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-002956"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002957"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002958"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-000960",
+ "CCI-002955"
+ ]
+ },
+ "PE-12": {
+ "1": {
+ "ccis": [
+ "CCI-000964",
+ "CCI-002959",
+ "CCI-002960"
+ ]
+ },
+ "ccis": [
+ "CCI-000963"
+ ]
+ },
+ "PE-13": {
+ "1": {
+ "ccis": [
+ "CCI-000966",
+ "CCI-002961",
+ "CCI-002962",
+ "CCI-002963",
+ "CCI-002964"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000967"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-000968"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-002965",
+ "CCI-002966",
+ "CCI-002967"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-000969",
+ "CCI-000970",
+ "CCI-002968",
+ "CCI-002969",
+ "CCI-002970",
+ "CCI-002971"
+ ]
+ },
+ "ccis": [
+ "CCI-000965"
+ ]
+ },
+ "PE-14": {
+ "1": {
+ "ccis": [
+ "CCI-000975",
+ "CCI-004257"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-000976",
+ "CCI-004258"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000971",
+ "CCI-000972"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-000973",
+ "CCI-000974"
+ ]
+ }
+ },
+ "PE-15": {
+ "1": {
+ "ccis": [
+ "CCI-000980",
+ "CCI-002972",
+ "CCI-002973",
+ "CCI-004259",
+ "CCI-004260",
+ "CCI-004261"
+ ]
+ },
+ "ccis": [
+ "CCI-000977",
+ "CCI-000978",
+ "CCI-000979"
+ ]
+ },
+ "PE-16": {
+ "a": {
+ "ccis": [
+ "CCI-000981",
+ "CCI-000983",
+ "CCI-002974"
+ ]
+ },
+ "ccis": [
+ "CCI-000982"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-000984"
+ ]
+ }
+ },
+ "PE-17": {
+ "b": {
+ "ccis": [
+ "CCI-000985",
+ "CCI-002975"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-000986",
+ "CCI-004262"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-000987"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-000988",
+ "CCI-004263"
+ ]
+ }
+ },
+ "PE-18": {
+ "1": {
+ "ccis": [
+ "CCI-000992",
+ "CCI-002977",
+ "CCI-002978"
+ ]
+ },
+ "ccis": [
+ "CCI-000989",
+ "CCI-000990",
+ "CCI-000991",
+ "CCI-002976"
+ ]
+ },
+ "PE-19": {
+ "1": {
+ "ccis": [
+ "CCI-000994",
+ "CCI-004264",
+ "CCI-004265"
+ ]
+ },
+ "ccis": [
+ "CCI-000993"
+ ]
+ },
+ "MP-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-000995"
+ ]
+ },
+ "ccis": [
+ "CCI-000996",
+ "CCI-002566"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-004201"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-000999",
+ "CCI-001000"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-000997",
+ "CCI-000998",
+ "CCI-004207",
+ "CCI-004208"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001001",
+ "CCI-001002",
+ "CCI-004209",
+ "CCI-004210"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004202",
+ "CCI-004203",
+ "CCI-004204",
+ "CCI-004205",
+ "CCI-004206"
+ ]
+ }
+ },
+ "MP-2": {
+ "2": {
+ "ccis": [
+ "CCI-001009"
+ ]
+ },
+ "ccis": [
+ "CCI-001003",
+ "CCI-001004",
+ "CCI-001005",
+ "CCI-001006"
+ ]
+ },
+ "MP-4": {
+ "1": {
+ "ccis": [
+ "CCI-001019"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001007",
+ "CCI-001008",
+ "CCI-004216"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001014",
+ "CCI-001015",
+ "CCI-001016",
+ "CCI-001017",
+ "CCI-004211",
+ "CCI-004212"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001018",
+ "CCI-004213",
+ "CCI-004214",
+ "CCI-004215"
+ ]
+ }
+ },
+ "MP-3": {
+ "a": {
+ "ccis": [
+ "CCI-001010",
+ "CCI-001633"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001011",
+ "CCI-001012",
+ "CCI-001013"
+ ]
+ }
+ },
+ "MP-5": {
+ "3": {
+ "ccis": [
+ "CCI-001026"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001027"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001020",
+ "CCI-001021",
+ "CCI-001022",
+ "CCI-004217",
+ "CCI-004218"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001023"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001024"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001025"
+ ]
+ }
+ },
+ "MP-6": {
+ "1": {
+ "ccis": [
+ "CCI-001029",
+ "CCI-002567",
+ "CCI-002568",
+ "CCI-002569",
+ "CCI-002570",
+ "CCI-002571",
+ "CCI-002572"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001030",
+ "CCI-001031",
+ "CCI-004219",
+ "CCI-004220"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001032",
+ "CCI-001033"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001034"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001035"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001036"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-002573",
+ "CCI-002574"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-002575",
+ "CCI-002576",
+ "CCI-002577"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001028",
+ "CCI-002578",
+ "CCI-002579"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002580"
+ ]
+ }
+ },
+ "RA-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-001037",
+ "CCI-001038",
+ "CCI-002368"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004603",
+ "CCI-004604"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-001041",
+ "CCI-001042",
+ "CCI-002369"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001039",
+ "CCI-001040",
+ "CCI-004610",
+ "CCI-004611"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001043",
+ "CCI-001044",
+ "CCI-004612",
+ "CCI-004613"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004605",
+ "CCI-004606",
+ "CCI-004607",
+ "CCI-004608",
+ "CCI-004609"
+ ]
+ }
+ },
+ "RA-2": {
+ "1": {
+ "ccis": [
+ "CCI-004617"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001045",
+ "CCI-004614",
+ "CCI-004615",
+ "CCI-004616"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001046"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001047"
+ ]
+ }
+ },
+ "RA-3": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-004624",
+ "CCI-004625"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004626",
+ "CCI-004627"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-004628"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004629",
+ "CCI-004630"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-004631",
+ "CCI-004632",
+ "CCI-004633"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-004618",
+ "CCI-004619"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001048"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004620"
+ ]
+ }
+ },
+ "c": {
+ "ccis": [
+ "CCI-001049",
+ "CCI-001642"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001050",
+ "CCI-001051"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-001052",
+ "CCI-001053"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-002370",
+ "CCI-002371"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004621",
+ "CCI-004622",
+ "CCI-004623"
+ ]
+ }
+ },
+ "RA-5": {
+ "1": {
+ "ccis": [
+ "CCI-001062"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001063",
+ "CCI-001064"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001065",
+ "CCI-001644",
+ "CCI-002373"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001066",
+ "CCI-002374",
+ "CCI-002375"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001067",
+ "CCI-001645",
+ "CCI-002906"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001068",
+ "CCI-004637"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-001069",
+ "CCI-001070"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-001071",
+ "CCI-004638",
+ "CCI-004639"
+ ]
+ },
+ "9": {
+ "a": {
+ "ccis": [
+ "CCI-001072"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001073"
+ ]
+ }
+ },
+ "10": {
+ "ccis": [
+ "CCI-002372"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-004640"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001054",
+ "CCI-001055",
+ "CCI-001056",
+ "CCI-001641",
+ "CCI-001643"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-001057"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004634"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004635"
+ ]
+ }
+ },
+ "c": {
+ "ccis": [
+ "CCI-001058"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001059",
+ "CCI-001060"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-001061",
+ "CCI-002376"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-004636"
+ ]
+ }
+ },
+ "SC-1": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-001074",
+ "CCI-001075",
+ "CCI-002377",
+ "CCI-002378"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-004852"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004853"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-001078",
+ "CCI-001079",
+ "CCI-002379",
+ "CCI-002380",
+ "CCI-004854"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001076",
+ "CCI-001077",
+ "CCI-004861",
+ "CCI-004862"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001080",
+ "CCI-001081",
+ "CCI-004863",
+ "CCI-004864"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004855",
+ "CCI-004856",
+ "CCI-004857",
+ "CCI-004858",
+ "CCI-004859",
+ "CCI-004860"
+ ]
+ }
+ },
+ "SC-2": {
+ "1": {
+ "ccis": [
+ "CCI-001083"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004865"
+ ]
+ },
+ "ccis": [
+ "CCI-001082"
+ ]
+ },
+ "SC-3": {
+ "1": {
+ "ccis": [
+ "CCI-001085"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001086"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001087",
+ "CCI-002381"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001088",
+ "CCI-002382"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001089"
+ ]
+ },
+ "ccis": [
+ "CCI-001084",
+ "CCI-001656"
+ ]
+ },
+ "SC-4": {
+ "1": {
+ "ccis": [
+ "CCI-001091"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002383",
+ "CCI-002384"
+ ]
+ },
+ "ccis": [
+ "CCI-001090"
+ ]
+ },
+ "SC-5": {
+ "1": {
+ "ccis": [
+ "CCI-001094",
+ "CCI-002387"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001095"
+ ]
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-002388",
+ "CCI-002389"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002390",
+ "CCI-002391"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-001092",
+ "CCI-002386"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-001093",
+ "CCI-002385"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004866",
+ "CCI-004867"
+ ]
+ }
+ },
+ "SC-6": {
+ "ccis": [
+ "CCI-001096",
+ "CCI-002392",
+ "CCI-002393",
+ "CCI-002394"
+ ]
+ },
+ "SC-7": {
+ "1": {
+ "ccis": [
+ "CCI-001099"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001100",
+ "CCI-001659"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001101"
+ ]
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-001102"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001103"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001104",
+ "CCI-002396"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001105"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-001106",
+ "CCI-001107",
+ "CCI-001108"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-004869"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-004870"
+ ]
+ },
+ "h": {
+ "ccis": [
+ "CCI-004871"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-001109",
+ "CCI-004872"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001110"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-001111",
+ "CCI-002397",
+ "CCI-004873"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-001112",
+ "CCI-001113",
+ "CCI-001114"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-001115"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-002398",
+ "CCI-002399"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002400"
+ ]
+ }
+ },
+ "10": {
+ "a": {
+ "ccis": [
+ "CCI-001116"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004874",
+ "CCI-004875"
+ ]
+ }
+ },
+ "11": {
+ "ccis": [
+ "CCI-001117",
+ "CCI-002401",
+ "CCI-002402",
+ "CCI-002403"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-001118",
+ "CCI-002404",
+ "CCI-002405",
+ "CCI-002406"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-001119",
+ "CCI-001120"
+ ]
+ },
+ "14": {
+ "ccis": [
+ "CCI-001121",
+ "CCI-001122",
+ "CCI-001660",
+ "CCI-002407"
+ ]
+ },
+ "15": {
+ "ccis": [
+ "CCI-001123"
+ ]
+ },
+ "16": {
+ "ccis": [
+ "CCI-001124"
+ ]
+ },
+ "17": {
+ "ccis": [
+ "CCI-001125"
+ ]
+ },
+ "18": {
+ "ccis": [
+ "CCI-001126"
+ ]
+ },
+ "19": {
+ "ccis": [
+ "CCI-002408",
+ "CCI-002409"
+ ]
+ },
+ "20": {
+ "ccis": [
+ "CCI-002410",
+ "CCI-002411"
+ ]
+ },
+ "21": {
+ "ccis": [
+ "CCI-002412",
+ "CCI-002413",
+ "CCI-002414",
+ "CCI-002415"
+ ]
+ },
+ "22": {
+ "ccis": [
+ "CCI-002416"
+ ]
+ },
+ "23": {
+ "ccis": [
+ "CCI-002417"
+ ]
+ },
+ "24": {
+ "a": {
+ "ccis": [
+ "CCI-004876",
+ "CCI-004877"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004878"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004879"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004880"
+ ]
+ }
+ },
+ "25": {
+ "ccis": [
+ "CCI-004881",
+ "CCI-004882",
+ "CCI-004883"
+ ]
+ },
+ "26": {
+ "ccis": [
+ "CCI-004884",
+ "CCI-004885"
+ ]
+ },
+ "27": {
+ "ccis": [
+ "CCI-004886",
+ "CCI-004887",
+ "CCI-004888"
+ ]
+ },
+ "28": {
+ "ccis": [
+ "CCI-004889",
+ "CCI-004890"
+ ]
+ },
+ "29": {
+ "ccis": [
+ "CCI-004891",
+ "CCI-004892"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001097",
+ "CCI-001657",
+ "CCI-001658"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001098",
+ "CCI-004868"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002395"
+ ]
+ }
+ },
+ "SC-8": {
+ "1": {
+ "ccis": [
+ "CCI-001128",
+ "CCI-002419",
+ "CCI-002421"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001129",
+ "CCI-002420",
+ "CCI-002422"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002423",
+ "CCI-002427"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002424",
+ "CCI-002425"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-004893",
+ "CCI-004894"
+ ]
+ },
+ "ccis": [
+ "CCI-001127",
+ "CCI-002418"
+ ]
+ },
+ "SC-9": {
+ "1": {
+ "ccis": [
+ "CCI-001131"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001132"
+ ]
+ },
+ "ccis": [
+ "CCI-001130"
+ ]
+ },
+ "SC-10": {
+ "ccis": [
+ "CCI-001133",
+ "CCI-001134"
+ ]
+ },
+ "SC-11": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-002426"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004896",
+ "CCI-004897"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-001135"
+ ]
+ },
+ "ccis": [
+ "CCI-001136"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-001661",
+ "CCI-004895"
+ ]
+ }
+ },
+ "SC-12": {
+ "1": {
+ "ccis": [
+ "CCI-001139"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001140",
+ "CCI-002443",
+ "CCI-002444",
+ "CCI-002445"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001141",
+ "CCI-002446",
+ "CCI-002447",
+ "CCI-002448",
+ "CCI-004898"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001142"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001143"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-004899"
+ ]
+ },
+ "ccis": [
+ "CCI-001137",
+ "CCI-001138",
+ "CCI-002428",
+ "CCI-002429",
+ "CCI-002430",
+ "CCI-002431",
+ "CCI-002432",
+ "CCI-002433",
+ "CCI-002434",
+ "CCI-002435",
+ "CCI-002436",
+ "CCI-002437",
+ "CCI-002438",
+ "CCI-002439",
+ "CCI-002440",
+ "CCI-002441",
+ "CCI-002442"
+ ]
+ },
+ "SC-13": {
+ "1": {
+ "ccis": [
+ "CCI-001145"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001146"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001147"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001148"
+ ]
+ },
+ "ccis": [
+ "CCI-001144",
+ "CCI-002449"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-002450"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004900"
+ ]
+ }
+ },
+ "SC-14": {
+ "ccis": [
+ "CCI-001149"
+ ]
+ },
+ "SC-15": {
+ "1": {
+ "ccis": [
+ "CCI-001153"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001154"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001155",
+ "CCI-001156",
+ "CCI-002451"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002452",
+ "CCI-002453"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001150",
+ "CCI-001151"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001152"
+ ]
+ }
+ },
+ "SC-16": {
+ "1": {
+ "ccis": [
+ "CCI-001158",
+ "CCI-004904"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004905"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004906",
+ "CCI-004907",
+ "CCI-004908"
+ ]
+ },
+ "ccis": [
+ "CCI-001157",
+ "CCI-002454",
+ "CCI-002455",
+ "CCI-004901",
+ "CCI-004902",
+ "CCI-004903"
+ ]
+ },
+ "SC-17": {
+ "a": {
+ "ccis": [
+ "CCI-001159",
+ "CCI-002456"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004909"
+ ]
+ }
+ },
+ "SC-18": {
+ "1": {
+ "ccis": [
+ "CCI-001166",
+ "CCI-001662",
+ "CCI-002457",
+ "CCI-002458"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001167",
+ "CCI-001168",
+ "CCI-001687",
+ "CCI-001688"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001169",
+ "CCI-001695",
+ "CCI-002459"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001170",
+ "CCI-001171",
+ "CCI-001172",
+ "CCI-002460"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002461"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001160"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001161",
+ "CCI-001162",
+ "CCI-001163",
+ "CCI-001164",
+ "CCI-001165"
+ ]
+ }
+ },
+ "SC-19": {
+ "a": {
+ "ccis": [
+ "CCI-001173",
+ "CCI-001174"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001175",
+ "CCI-001176",
+ "CCI-001177"
+ ]
+ }
+ },
+ "SC-20": {
+ "2": {
+ "ccis": [
+ "CCI-002463",
+ "CCI-002464"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001178",
+ "CCI-002462"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001179",
+ "CCI-001663"
+ ]
+ }
+ },
+ "SC-21": {
+ "1": {
+ "ccis": [
+ "CCI-001181"
+ ]
+ },
+ "ccis": [
+ "CCI-001180",
+ "CCI-002465",
+ "CCI-002466",
+ "CCI-002467",
+ "CCI-002468"
+ ]
+ },
+ "SC-22": {
+ "ccis": [
+ "CCI-001182",
+ "CCI-001183"
+ ]
+ },
+ "SC-23": {
+ "1": {
+ "ccis": [
+ "CCI-001185"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001186"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001187",
+ "CCI-001188",
+ "CCI-001189",
+ "CCI-001664"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002469",
+ "CCI-002470"
+ ]
+ },
+ "ccis": [
+ "CCI-001184"
+ ]
+ },
+ "SC-24": {
+ "ccis": [
+ "CCI-001190",
+ "CCI-001191",
+ "CCI-001192",
+ "CCI-001193",
+ "CCI-001665"
+ ]
+ },
+ "SC-25": {
+ "ccis": [
+ "CCI-001194",
+ "CCI-002471"
+ ]
+ },
+ "SC-26": {
+ "ccis": [
+ "CCI-001195"
+ ]
+ },
+ "SC-35": {
+ "ccis": [
+ "CCI-001196"
+ ]
+ },
+ "SC-27": {
+ "ccis": [
+ "CCI-001197",
+ "CCI-001198"
+ ]
+ },
+ "SC-28": {
+ "1": {
+ "ccis": [
+ "CCI-001200",
+ "CCI-001666",
+ "CCI-002473",
+ "CCI-002474",
+ "CCI-002475",
+ "CCI-002476"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002477",
+ "CCI-002478",
+ "CCI-002479"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004910",
+ "CCI-004911"
+ ]
+ },
+ "ccis": [
+ "CCI-001199",
+ "CCI-002472"
+ ]
+ },
+ "SC-29": {
+ "1": {
+ "ccis": [
+ "CCI-001203",
+ "CCI-001204",
+ "CCI-002481"
+ ]
+ },
+ "ccis": [
+ "CCI-001201",
+ "CCI-002480"
+ ]
+ },
+ "SC-30": {
+ "2": {
+ "ccis": [
+ "CCI-001205",
+ "CCI-002486",
+ "CCI-002487",
+ "CCI-002488"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002489",
+ "CCI-002490",
+ "CCI-002491",
+ "CCI-002492"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002493",
+ "CCI-002494"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002495",
+ "CCI-002496",
+ "CCI-002497"
+ ]
+ },
+ "ccis": [
+ "CCI-001202",
+ "CCI-002482",
+ "CCI-002483",
+ "CCI-002484",
+ "CCI-002485"
+ ]
+ },
+ "SC-31": {
+ "1": {
+ "ccis": [
+ "CCI-001207"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002500",
+ "CCI-002501"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002502",
+ "CCI-002503"
+ ]
+ },
+ "ccis": [
+ "CCI-001206"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-002498"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002499"
+ ]
+ }
+ },
+ "SC-32": {
+ "1": {
+ "ccis": [
+ "CCI-004912"
+ ]
+ },
+ "ccis": [
+ "CCI-001208",
+ "CCI-002504",
+ "CCI-002505",
+ "CCI-002506"
+ ]
+ },
+ "SC-33": {
+ "ccis": [
+ "CCI-001209"
+ ]
+ },
+ "SC-34": {
+ "1": {
+ "ccis": [
+ "CCI-001214",
+ "CCI-001215"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001216",
+ "CCI-002507"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001210"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001211",
+ "CCI-001213"
+ ]
+ },
+ "ccis": [
+ "CCI-001212"
+ ]
+ },
+ "SI-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-001217"
+ ]
+ },
+ "ccis": [
+ "CCI-001218"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-004944"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-001220",
+ "CCI-001221"
+ ]
+ },
+ "ccis": [
+ "CCI-002601"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001219",
+ "CCI-001223",
+ "CCI-004951",
+ "CCI-004952"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001222",
+ "CCI-001224",
+ "CCI-004953",
+ "CCI-004954"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004945",
+ "CCI-004946",
+ "CCI-004947",
+ "CCI-004948",
+ "CCI-004949",
+ "CCI-004950"
+ ]
+ }
+ },
+ "SI-2": {
+ "1": {
+ "ccis": [
+ "CCI-001231",
+ "CCI-001232"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001233",
+ "CCI-001234",
+ "CCI-004955",
+ "CCI-004956",
+ "CCI-004957",
+ "CCI-004958",
+ "CCI-004959",
+ "CCI-004960"
+ ]
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-001235"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001236",
+ "CCI-002608"
+ ]
+ },
+ "ccis": [
+ "CCI-001667"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001237",
+ "CCI-001238",
+ "CCI-004961",
+ "CCI-004962"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002609",
+ "CCI-002610",
+ "CCI-002611",
+ "CCI-002612",
+ "CCI-002613",
+ "CCI-002614"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-002615",
+ "CCI-002616",
+ "CCI-002617",
+ "CCI-002618"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001225",
+ "CCI-001226",
+ "CCI-001227"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001228",
+ "CCI-001229",
+ "CCI-002602",
+ "CCI-002603"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001230"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002604",
+ "CCI-002605",
+ "CCI-002606",
+ "CCI-002607"
+ ]
+ }
+ },
+ "SI-3": {
+ "1": {
+ "ccis": [
+ "CCI-001246"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001247"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001248"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001249"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001250"
+ ]
+ },
+ "6": {
+ "a": {
+ "ccis": [
+ "CCI-001251",
+ "CCI-001669"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002625",
+ "CCI-002626"
+ ]
+ }
+ },
+ "7": {
+ "ccis": [
+ "CCI-002627"
+ ]
+ },
+ "8": {
+ "a": {
+ "ccis": [
+ "CCI-002628",
+ "CCI-002629",
+ "CCI-002630"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002631"
+ ]
+ }
+ },
+ "9": {
+ "ccis": [
+ "CCI-002632",
+ "CCI-002633",
+ "CCI-002637"
+ ]
+ },
+ "10": {
+ "a": {
+ "ccis": [
+ "CCI-002634",
+ "CCI-002635",
+ "CCI-002636",
+ "CCI-002638"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002639",
+ "CCI-002640"
+ ]
+ }
+ },
+ "a": {
+ "ccis": [
+ "CCI-001239",
+ "CCI-001668",
+ "CCI-002619",
+ "CCI-002620",
+ "CCI-002621",
+ "CCI-002622",
+ "CCI-004963"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001240",
+ "CCI-004964",
+ "CCI-004965"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001241",
+ "CCI-001242",
+ "CCI-002623",
+ "CCI-002624"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001243",
+ "CCI-001244",
+ "CCI-004966"
+ ]
+ }
+ },
+ "d": {
+ "ccis": [
+ "CCI-001245"
+ ]
+ }
+ },
+ "SI-4": {
+ "1": {
+ "ccis": [
+ "CCI-001259",
+ "CCI-002655",
+ "CCI-002656"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001260",
+ "CCI-004968"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001261",
+ "CCI-002657",
+ "CCI-002658",
+ "CCI-004969",
+ "CCI-004970"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001262"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-002659",
+ "CCI-002660",
+ "CCI-002661",
+ "CCI-002662",
+ "CCI-004973",
+ "CCI-004974"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004971",
+ "CCI-004972"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-001263",
+ "CCI-001264",
+ "CCI-002663",
+ "CCI-002664"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-001265"
+ ]
+ },
+ "7": {
+ "a": {
+ "ccis": [
+ "CCI-001266",
+ "CCI-001267"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001268",
+ "CCI-001670"
+ ]
+ }
+ },
+ "8": {
+ "ccis": [
+ "CCI-001269"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-001270",
+ "CCI-001271",
+ "CCI-004975",
+ "CCI-004976"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-001272",
+ "CCI-002665",
+ "CCI-002666",
+ "CCI-002667",
+ "CCI-004977",
+ "CCI-004978",
+ "CCI-004979"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-001273",
+ "CCI-001671",
+ "CCI-002668"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-001274",
+ "CCI-001275",
+ "CCI-004980"
+ ]
+ },
+ "13": {
+ "a": {
+ "ccis": [
+ "CCI-001276"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001277"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001278",
+ "CCI-001279",
+ "CCI-001280",
+ "CCI-002669"
+ ]
+ }
+ },
+ "14": {
+ "ccis": [
+ "CCI-001281",
+ "CCI-001672",
+ "CCI-001673"
+ ]
+ },
+ "15": {
+ "ccis": [
+ "CCI-001282"
+ ]
+ },
+ "16": {
+ "ccis": [
+ "CCI-001283",
+ "CCI-004981"
+ ]
+ },
+ "17": {
+ "ccis": [
+ "CCI-001284"
+ ]
+ },
+ "18": {
+ "ccis": [
+ "CCI-002670",
+ "CCI-002671",
+ "CCI-002672"
+ ]
+ },
+ "19": {
+ "ccis": [
+ "CCI-002673",
+ "CCI-002674",
+ "CCI-002675"
+ ]
+ },
+ "20": {
+ "ccis": [
+ "CCI-002676",
+ "CCI-002677"
+ ]
+ },
+ "21": {
+ "ccis": [
+ "CCI-002678",
+ "CCI-002679",
+ "CCI-002680"
+ ]
+ },
+ "22": {
+ "a": {
+ "ccis": [
+ "CCI-002681",
+ "CCI-002682",
+ "CCI-002683"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002684"
+ ]
+ }
+ },
+ "23": {
+ "ccis": [
+ "CCI-002685",
+ "CCI-002686",
+ "CCI-002687"
+ ]
+ },
+ "24": {
+ "ccis": [
+ "CCI-002688",
+ "CCI-002689",
+ "CCI-002690",
+ "CCI-002691"
+ ]
+ },
+ "25": {
+ "ccis": [
+ "CCI-004982"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-001253",
+ "CCI-002641"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002642",
+ "CCI-002643",
+ "CCI-002644"
+ ]
+ },
+ "ccis": [
+ "CCI-001252"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001254",
+ "CCI-002645",
+ "CCI-002646"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001255"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001256"
+ ]
+ }
+ },
+ "e": {
+ "ccis": [
+ "CCI-001257"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-001258"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-002647",
+ "CCI-002648",
+ "CCI-002649",
+ "CCI-004967"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-002650",
+ "CCI-002651",
+ "CCI-002652",
+ "CCI-002654"
+ ]
+ },
+ "ccis": [
+ "CCI-002653"
+ ]
+ },
+ "SI-5": {
+ "1": {
+ "ccis": [
+ "CCI-001290",
+ "CCI-004983"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001285",
+ "CCI-002692"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001286"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001287",
+ "CCI-001288",
+ "CCI-002693",
+ "CCI-002694"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001289"
+ ]
+ }
+ },
+ "SI-6": {
+ "2": {
+ "ccis": [
+ "CCI-001295",
+ "CCI-004993"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001296",
+ "CCI-001675",
+ "CCI-004994",
+ "CCI-004995"
+ ]
+ },
+ "ccis": [
+ "CCI-001291",
+ "CCI-001292",
+ "CCI-001293",
+ "CCI-001674",
+ "CCI-001676"
+ ],
+ "c": {
+ "ccis": [
+ "CCI-001294",
+ "CCI-002700",
+ "CCI-004989",
+ "CCI-004990"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-002695",
+ "CCI-002696",
+ "CCI-004984",
+ "CCI-004985"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002697",
+ "CCI-002698",
+ "CCI-002699",
+ "CCI-004986",
+ "CCI-004987",
+ "CCI-004988"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-002701",
+ "CCI-002702",
+ "CCI-004991",
+ "CCI-004992"
+ ]
+ }
+ },
+ "SI-7": {
+ "1": {
+ "ccis": [
+ "CCI-001298",
+ "CCI-001299",
+ "CCI-002705",
+ "CCI-002706",
+ "CCI-002707",
+ "CCI-002708",
+ "CCI-002709",
+ "CCI-002710",
+ "CCI-002711",
+ "CCI-002712"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001300",
+ "CCI-002713"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001301"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001302",
+ "CCI-001303",
+ "CCI-001304"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002714",
+ "CCI-002715"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-002716",
+ "CCI-002717",
+ "CCI-002718"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-002719",
+ "CCI-002720"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-002721",
+ "CCI-002722",
+ "CCI-002723",
+ "CCI-002724"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-002725",
+ "CCI-002726"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-002727",
+ "CCI-002728",
+ "CCI-002729"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-002730",
+ "CCI-002731"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-002732",
+ "CCI-002733"
+ ]
+ },
+ "13": {
+ "ccis": [
+ "CCI-002734",
+ "CCI-002735",
+ "CCI-002736"
+ ]
+ },
+ "14": {
+ "a": {
+ "ccis": [
+ "CCI-002737"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002738"
+ ]
+ }
+ },
+ "15": {
+ "ccis": [
+ "CCI-002739",
+ "CCI-002740"
+ ]
+ },
+ "16": {
+ "ccis": [
+ "CCI-001321",
+ "CCI-001322"
+ ]
+ },
+ "17": {
+ "ccis": [
+ "CCI-004998",
+ "CCI-004999"
+ ]
+ },
+ "ccis": [
+ "CCI-001297",
+ "CCI-002703"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-002704"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004996",
+ "CCI-004997"
+ ]
+ }
+ },
+ "SI-8": {
+ "1": {
+ "ccis": [
+ "CCI-001307"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001308",
+ "CCI-005002"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002743"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001305",
+ "CCI-001677",
+ "CCI-002741",
+ "CCI-002742"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001306",
+ "CCI-005000",
+ "CCI-005001"
+ ]
+ }
+ },
+ "SI-9": {
+ "ccis": [
+ "CCI-001309"
+ ]
+ },
+ "SI-10": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-002745",
+ "CCI-002746"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002747",
+ "CCI-002748"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002749"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-002750",
+ "CCI-002751",
+ "CCI-002752",
+ "CCI-002753"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002754"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002755"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-002756",
+ "CCI-002757",
+ "CCI-002758"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-005003"
+ ]
+ },
+ "ccis": [
+ "CCI-001310",
+ "CCI-002744"
+ ]
+ },
+ "SI-11": {
+ "a": {
+ "ccis": [
+ "CCI-001311",
+ "CCI-001312"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001313",
+ "CCI-001314",
+ "CCI-002759"
+ ]
+ }
+ },
+ "SI-12": {
+ "1": {
+ "ccis": [
+ "CCI-005004",
+ "CCI-005005"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-005006",
+ "CCI-005007"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-005008"
+ ]
+ },
+ "ccis": [
+ "CCI-001315",
+ "CCI-001678"
+ ]
+ },
+ "AC-16": {
+ "1": {
+ "ccis": [
+ "CCI-001424",
+ "CCI-002272",
+ "CCI-002273",
+ "CCI-002274",
+ "CCI-002275",
+ "CCI-003712",
+ "CCI-003713",
+ "CCI-003714"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001425",
+ "CCI-001559",
+ "CCI-002276",
+ "CCI-002277",
+ "CCI-003715",
+ "CCI-003716"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001426",
+ "CCI-002278",
+ "CCI-002279",
+ "CCI-002280",
+ "CCI-002281",
+ "CCI-002282",
+ "CCI-002283",
+ "CCI-002284",
+ "CCI-003717",
+ "CCI-003718",
+ "CCI-003719",
+ "CCI-003720",
+ "CCI-003721"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001427",
+ "CCI-001560",
+ "CCI-002285",
+ "CCI-002286",
+ "CCI-002287",
+ "CCI-002288",
+ "CCI-002289",
+ "CCI-002290",
+ "CCI-003722",
+ "CCI-003723",
+ "CCI-003724",
+ "CCI-003725",
+ "CCI-003726"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001428",
+ "CCI-001429",
+ "CCI-001430",
+ "CCI-003727",
+ "CCI-003728",
+ "CCI-003729"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-002291",
+ "CCI-002292",
+ "CCI-002293",
+ "CCI-002294",
+ "CCI-002295",
+ "CCI-002296",
+ "CCI-002297",
+ "CCI-002298",
+ "CCI-003730",
+ "CCI-003731",
+ "CCI-003732",
+ "CCI-003733",
+ "CCI-003734",
+ "CCI-003735",
+ "CCI-003736",
+ "CCI-003737"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-002299",
+ "CCI-003738"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-002300",
+ "CCI-002301",
+ "CCI-002302",
+ "CCI-003739",
+ "CCI-003740",
+ "CCI-003741"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-002303",
+ "CCI-002304",
+ "CCI-003742"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-002305",
+ "CCI-002306",
+ "CCI-002307",
+ "CCI-002308",
+ "CCI-002309",
+ "CCI-003743",
+ "CCI-003744",
+ "CCI-003745",
+ "CCI-003746"
+ ]
+ },
+ "ccis": [
+ "CCI-001396",
+ "CCI-001397",
+ "CCI-001398",
+ "CCI-001399",
+ "CCI-001400",
+ "CCI-001401"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-002256",
+ "CCI-002257",
+ "CCI-002258",
+ "CCI-002259",
+ "CCI-002260",
+ "CCI-002261",
+ "CCI-002262",
+ "CCI-002263",
+ "CCI-002264",
+ "CCI-003696",
+ "CCI-003697",
+ "CCI-003698",
+ "CCI-003699",
+ "CCI-003700",
+ "CCI-003701"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002265",
+ "CCI-002266",
+ "CCI-003702",
+ "CCI-003703"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002267",
+ "CCI-002268",
+ "CCI-002269",
+ "CCI-003704",
+ "CCI-003705"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-002270",
+ "CCI-002271",
+ "CCI-003706"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003707"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-003708",
+ "CCI-003709",
+ "CCI-003710",
+ "CCI-003711"
+ ]
+ }
+ },
+ "AC-18": {
+ "1": {
+ "ccis": [
+ "CCI-001443",
+ "CCI-001444"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001445",
+ "CCI-001446",
+ "CCI-001447",
+ "CCI-001448",
+ "CCI-001563"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001449"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-001450",
+ "CCI-002324"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-001451"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001438",
+ "CCI-001439",
+ "CCI-002323"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001440",
+ "CCI-001441"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001442"
+ ]
+ }
+ },
+ "AU-13": {
+ "1": {
+ "ccis": [
+ "CCI-001916",
+ "CCI-003841",
+ "CCI-003842"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001917",
+ "CCI-001918"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003843"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001460",
+ "CCI-001461",
+ "CCI-001915"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-003837",
+ "CCI-003838"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003839",
+ "CCI-003840"
+ ]
+ }
+ }
+ },
+ "AU-14": {
+ "1": {
+ "ccis": [
+ "CCI-001464"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001462"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-001920",
+ "CCI-003848"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001463",
+ "CCI-003847"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001919",
+ "CCI-003844",
+ "CCI-003845",
+ "CCI-003846"
+ ]
+ }
+ },
+ "AC-22": {
+ "a": {
+ "ccis": [
+ "CCI-001473"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001474"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001475"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001476",
+ "CCI-001477",
+ "CCI-001478"
+ ]
+ }
+ },
+ "PS-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-001504"
+ ]
+ },
+ "ccis": [
+ "CCI-001505",
+ "CCI-003017"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-004498"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-001509",
+ "CCI-001510",
+ "CCI-003018"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001506",
+ "CCI-001507",
+ "CCI-004505",
+ "CCI-004506"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001508",
+ "CCI-001511",
+ "CCI-004507",
+ "CCI-004508"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004499",
+ "CCI-004500",
+ "CCI-004501",
+ "CCI-004502",
+ "CCI-004503",
+ "CCI-004504"
+ ]
+ }
+ },
+ "PS-2": {
+ "a": {
+ "ccis": [
+ "CCI-001512"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001513"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001514",
+ "CCI-001515"
+ ]
+ }
+ },
+ "PS-3": {
+ "1": {
+ "ccis": [
+ "CCI-001520"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001521"
+ ]
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-003019"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003020",
+ "CCI-003021"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-004509",
+ "CCI-004510",
+ "CCI-004511"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001516"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001517",
+ "CCI-001518",
+ "CCI-001519"
+ ]
+ }
+ },
+ "PS-4": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-003027"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003028"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-003029",
+ "CCI-003030",
+ "CCI-004512"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001522",
+ "CCI-003022"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001523",
+ "CCI-003024"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-001524"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-001525",
+ "CCI-001526"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-003016",
+ "CCI-003025",
+ "CCI-003026"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003023"
+ ]
+ }
+ },
+ "PS-5": {
+ "a": {
+ "ccis": [
+ "CCI-001527"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001528",
+ "CCI-001529",
+ "CCI-001530"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003031"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003032",
+ "CCI-003033",
+ "CCI-003034"
+ ]
+ }
+ },
+ "PS-6": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-001534"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001535"
+ ]
+ }
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-001536"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001537"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001538"
+ ]
+ }
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-003038"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003039"
+ ]
+ }
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-001531",
+ "CCI-004513",
+ "CCI-004514"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003036",
+ "CCI-003037",
+ "CCI-004515",
+ "CCI-004516",
+ "CCI-004517",
+ "CCI-004518"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-001532",
+ "CCI-001533"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003035"
+ ]
+ }
+ },
+ "PS-7": {
+ "a": {
+ "ccis": [
+ "CCI-001539"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001540"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-001541"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003040",
+ "CCI-004519",
+ "CCI-004520"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003041",
+ "CCI-003042",
+ "CCI-003043"
+ ]
+ }
+ },
+ "PS-8": {
+ "a": {
+ "ccis": [
+ "CCI-001542",
+ "CCI-004521",
+ "CCI-004522"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003044",
+ "CCI-003045",
+ "CCI-003046"
+ ]
+ }
+ },
+ "CM-10": {
+ "1": {
+ "ccis": [
+ "CCI-001734",
+ "CCI-001735"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001726",
+ "CCI-001727",
+ "CCI-001728",
+ "CCI-001729"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001730",
+ "CCI-001731",
+ "CCI-001802",
+ "CCI-001803"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001732",
+ "CCI-001733"
+ ]
+ }
+ },
+ "CM-11": {
+ "1": {
+ "ccis": [
+ "CCI-001810",
+ "CCI-001811"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001812",
+ "CCI-003980"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003981"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-001804",
+ "CCI-001805"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-001806",
+ "CCI-001807"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-001808",
+ "CCI-001809"
+ ]
+ }
+ },
+ "AU-15": {
+ "ccis": [
+ "CCI-001921",
+ "CCI-001922"
+ ]
+ },
+ "AU-16": {
+ "1": {
+ "ccis": [
+ "CCI-001926"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-001927",
+ "CCI-001928",
+ "CCI-001929"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-005149"
+ ]
+ },
+ "ccis": [
+ "CCI-001923",
+ "CCI-001924",
+ "CCI-001925"
+ ]
+ },
+ "IA-9": {
+ "1": {
+ "ccis": [
+ "CCI-002023",
+ "CCI-002024",
+ "CCI-002025",
+ "CCI-002026",
+ "CCI-002027",
+ "CCI-002028"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002029",
+ "CCI-002030",
+ "CCI-002031",
+ "CCI-002032"
+ ]
+ },
+ "ccis": [
+ "CCI-002017",
+ "CCI-002018",
+ "CCI-002019",
+ "CCI-002020",
+ "CCI-002021",
+ "CCI-002022"
+ ]
+ },
+ "IA-10": {
+ "ccis": [
+ "CCI-002033",
+ "CCI-002034",
+ "CCI-002035"
+ ]
+ },
+ "IA-11": {
+ "ccis": [
+ "CCI-002036",
+ "CCI-002037",
+ "CCI-002038",
+ "CCI-002039"
+ ]
+ },
+ "CA-8": {
+ "1": {
+ "ccis": [
+ "CCI-002096"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002097",
+ "CCI-002098",
+ "CCI-002099"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003889",
+ "CCI-003890"
+ ]
+ },
+ "ccis": [
+ "CCI-002093",
+ "CCI-002094",
+ "CCI-002095"
+ ]
+ },
+ "CA-9": {
+ "1": {
+ "ccis": [
+ "CCI-002100",
+ "CCI-003896"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-002101",
+ "CCI-002102"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002103",
+ "CCI-002104",
+ "CCI-002105",
+ "CCI-003891"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003892",
+ "CCI-003893"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003894",
+ "CCI-003895"
+ ]
+ }
+ },
+ "AC-12": {
+ "1": {
+ "ccis": [
+ "CCI-002362",
+ "CCI-002363"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002364"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003693",
+ "CCI-003694"
+ ]
+ },
+ "ccis": [
+ "CCI-002254",
+ "CCI-002360",
+ "CCI-002361"
+ ]
+ },
+ "AC-23": {
+ "ccis": [
+ "CCI-002343",
+ "CCI-002344",
+ "CCI-002345",
+ "CCI-002346",
+ "CCI-002347"
+ ]
+ },
+ "AC-24": {
+ "1": {
+ "ccis": [
+ "CCI-002350",
+ "CCI-002351",
+ "CCI-002352",
+ "CCI-002353"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002354",
+ "CCI-002355",
+ "CCI-003760"
+ ]
+ },
+ "ccis": [
+ "CCI-002348",
+ "CCI-002349"
+ ]
+ },
+ "AC-25": {
+ "ccis": [
+ "CCI-002356",
+ "CCI-002357",
+ "CCI-002358",
+ "CCI-002359"
+ ]
+ },
+ "SC-51": {
+ "a": {
+ "ccis": [
+ "CCI-002508",
+ "CCI-002509"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002510",
+ "CCI-002511",
+ "CCI-002512"
+ ]
+ }
+ },
+ "SC-36": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-002517",
+ "CCI-002518",
+ "CCI-002519",
+ "CCI-002520"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004913",
+ "CCI-004914"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-004915",
+ "CCI-004916"
+ ]
+ },
+ "ccis": [
+ "CCI-002513",
+ "CCI-002514",
+ "CCI-002515",
+ "CCI-002516"
+ ]
+ },
+ "SC-37": {
+ "1": {
+ "ccis": [
+ "CCI-002525",
+ "CCI-002526",
+ "CCI-002527"
+ ]
+ },
+ "ccis": [
+ "CCI-002521",
+ "CCI-002522",
+ "CCI-002524",
+ "CCI-003599"
+ ]
+ },
+ "SC-37,": {
+ "SC-37": {
+ "1": {
+ "ccis": [
+ "CCI-002523"
+ ]
+ }
+ }
+ },
+ "SC-38": {
+ "ccis": [
+ "CCI-002528",
+ "CCI-002529"
+ ]
+ },
+ "SC-39": {
+ "1": {
+ "ccis": [
+ "CCI-002531"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002532",
+ "CCI-002533"
+ ]
+ },
+ "ccis": [
+ "CCI-002530"
+ ]
+ },
+ "SC-40": {
+ "1": {
+ "ccis": [
+ "CCI-002537",
+ "CCI-002538"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002539",
+ "CCI-002540"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002541"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002542",
+ "CCI-002543"
+ ]
+ },
+ "ccis": [
+ "CCI-002534",
+ "CCI-002535",
+ "CCI-002536"
+ ]
+ },
+ "SC-41": {
+ "ccis": [
+ "CCI-002544",
+ "CCI-002545",
+ "CCI-002546"
+ ]
+ },
+ "SC-42": {
+ "1": {
+ "ccis": [
+ "CCI-002551",
+ "CCI-002552"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002553",
+ "CCI-002554",
+ "CCI-002555"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002558"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-004917",
+ "CCI-004918",
+ "CCI-004919"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-004920",
+ "CCI-004921"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-002547",
+ "CCI-002548",
+ "CCI-002556",
+ "CCI-002557"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002549",
+ "CCI-002550"
+ ]
+ }
+ },
+ "SC-43": {
+ "a": {
+ "ccis": [
+ "CCI-002559",
+ "CCI-002560"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002561",
+ "CCI-002562",
+ "CCI-002563"
+ ]
+ }
+ },
+ "SC-44": {
+ "ccis": [
+ "CCI-002564",
+ "CCI-002565"
+ ]
+ },
+ "MP-7": {
+ "2": {
+ "ccis": [
+ "CCI-002586"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-002581",
+ "CCI-002582",
+ "CCI-002583",
+ "CCI-002584"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002585"
+ ]
+ }
+ },
+ "MP-8": {
+ "1": {
+ "ccis": [
+ "CCI-002587"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002588",
+ "CCI-002589",
+ "CCI-002590",
+ "CCI-002591",
+ "CCI-004227",
+ "CCI-004228"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002592",
+ "CCI-002593"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002594"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-002595",
+ "CCI-002596",
+ "CCI-002597",
+ "CCI-004221",
+ "CCI-004222"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002598",
+ "CCI-004223",
+ "CCI-004224"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002599",
+ "CCI-004225",
+ "CCI-004226"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-002600"
+ ]
+ }
+ },
+ "SI-14": {
+ "1": {
+ "ccis": [
+ "CCI-002768",
+ "CCI-002769"
+ ]
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-005011",
+ "CCI-005012",
+ "CCI-005013",
+ "CCI-005014"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-005015"
+ ]
+ }
+ },
+ "3": {
+ "ccis": [
+ "CCI-005016",
+ "CCI-005017"
+ ]
+ },
+ "ccis": [
+ "CCI-002764",
+ "CCI-002765",
+ "CCI-002766",
+ "CCI-002767"
+ ]
+ },
+ "SI-15": {
+ "ccis": [
+ "CCI-002770",
+ "CCI-002771",
+ "CCI-002772"
+ ]
+ },
+ "SI-17": {
+ "ccis": [
+ "CCI-002773",
+ "CCI-002774",
+ "CCI-002775"
+ ]
+ },
+ "IR-9": {
+ "1": {
+ "ccis": [
+ "CCI-002813",
+ "CCI-002814",
+ "CCI-002815"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-002816",
+ "CCI-002817"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-002818",
+ "CCI-002819"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-002820",
+ "CCI-002821"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-002805"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-002806",
+ "CCI-002807"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-002808"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-002809"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-002810"
+ ]
+ },
+ "g": {
+ "ccis": [
+ "CCI-002811",
+ "CCI-002812"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004163",
+ "CCI-004164"
+ ]
+ }
+ },
+ "IR-10": {
+ "ccis": [
+ "CCI-002822"
+ ]
+ },
+ "SI-16": {
+ "ccis": [
+ "CCI-002823",
+ "CCI-002824"
+ ]
+ },
+ "CP-11": {
+ "ccis": [
+ "CCI-002853",
+ "CCI-002854"
+ ]
+ },
+ "CP-12": {
+ "ccis": [
+ "CCI-002855",
+ "CCI-002856",
+ "CCI-002857"
+ ]
+ },
+ "CP-13": {
+ "ccis": [
+ "CCI-002858",
+ "CCI-002859",
+ "CCI-002860"
+ ]
+ },
+ "PE-20": {
+ "ccis": [
+ "CCI-002979",
+ "CCI-002980",
+ "CCI-002981",
+ "CCI-002982"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-002983"
+ ]
+ }
+ },
+ "PM-12": {
+ "ccis": [
+ "CCI-002996"
+ ]
+ },
+ "PM-13": {
+ "ccis": [
+ "CCI-002997",
+ "CCI-004352"
+ ]
+ },
+ "PM-14": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-002998",
+ "CCI-002999",
+ "CCI-003000",
+ "CCI-003001",
+ "CCI-003002",
+ "CCI-003003",
+ "CCI-004353",
+ "CCI-004354",
+ "CCI-004355",
+ "CCI-004356",
+ "CCI-004357",
+ "CCI-004358"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003004",
+ "CCI-003005",
+ "CCI-003006",
+ "CCI-004359",
+ "CCI-004360",
+ "CCI-004361"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-003007",
+ "CCI-003008",
+ "CCI-003009"
+ ]
+ }
+ },
+ "PM-15": {
+ "a": {
+ "ccis": [
+ "CCI-003010",
+ "CCI-004362"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003011",
+ "CCI-004363"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003012",
+ "CCI-004364"
+ ]
+ }
+ },
+ "PM-16": {
+ "1": {
+ "ccis": [
+ "CCI-004365"
+ ]
+ },
+ "ccis": [
+ "CCI-003013"
+ ]
+ },
+ "PL-8": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-003081",
+ "CCI-003082",
+ "CCI-003083",
+ "CCI-003084",
+ "CCI-003085",
+ "CCI-003086",
+ "CCI-004301",
+ "CCI-004302",
+ "CCI-004303",
+ "CCI-004304",
+ "CCI-004305",
+ "CCI-004306"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003087",
+ "CCI-004307"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-003088",
+ "CCI-004308",
+ "CCI-004309"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-003073",
+ "CCI-004293"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004294",
+ "CCI-004295"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003074",
+ "CCI-004296"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-003075",
+ "CCI-004297"
+ ]
+ },
+ "ccis": [
+ "CCI-003072",
+ "CCI-004292"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003076",
+ "CCI-003077"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003078",
+ "CCI-003079",
+ "CCI-003080",
+ "CCI-004298",
+ "CCI-004299",
+ "CCI-004300"
+ ]
+ }
+ },
+ "PL-9": {
+ "ccis": [
+ "CCI-003117",
+ "CCI-003118"
+ ]
+ },
+ "RA-6": {
+ "ccis": [
+ "CCI-003119",
+ "CCI-003120",
+ "CCI-003121",
+ "CCI-003122"
+ ]
+ },
+ "SA-15": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-003247"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003248",
+ "CCI-003249",
+ "CCI-003250"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-003251",
+ "CCI-003252",
+ "CCI-004823",
+ "CCI-004824"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003253"
+ ],
+ "b": {
+ "ccis": [
+ "CCI-003254",
+ "CCI-004826"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003255",
+ "CCI-004825"
+ ]
+ }
+ },
+ "4": {
+ "ccis": [
+ "CCI-003256",
+ "CCI-003257",
+ "CCI-003258",
+ "CCI-003259"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-003260",
+ "CCI-003261",
+ "CCI-003262",
+ "CCI-003263"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003264",
+ "CCI-003265",
+ "CCI-003266",
+ "CCI-003267"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003268",
+ "CCI-003269",
+ "CCI-003270",
+ "CCI-003271"
+ ]
+ }
+ },
+ "5": {
+ "ccis": [
+ "CCI-003272",
+ "CCI-003273"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-003274"
+ ]
+ },
+ "7": {
+ "a": {
+ "ccis": [
+ "CCI-003275",
+ "CCI-003276",
+ "CCI-004827"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003277",
+ "CCI-004828"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003278",
+ "CCI-004829"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003279",
+ "CCI-003280",
+ "CCI-004830"
+ ]
+ }
+ },
+ "8": {
+ "ccis": [
+ "CCI-003281",
+ "CCI-003282"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-003283",
+ "CCI-003284",
+ "CCI-003285",
+ "CCI-003286",
+ "CCI-003287",
+ "CCI-003288"
+ ]
+ },
+ "10": {
+ "ccis": [
+ "CCI-003289",
+ "CCI-004831",
+ "CCI-004832"
+ ]
+ },
+ "11": {
+ "ccis": [
+ "CCI-003290",
+ "CCI-004833"
+ ]
+ },
+ "12": {
+ "ccis": [
+ "CCI-004834"
+ ]
+ },
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-003234",
+ "CCI-004816"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003235",
+ "CCI-003236"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003237"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-003238",
+ "CCI-003239",
+ "CCI-003240"
+ ]
+ },
+ "ccis": [
+ "CCI-003233"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003241",
+ "CCI-003242",
+ "CCI-003243",
+ "CCI-003244",
+ "CCI-003245",
+ "CCI-003246",
+ "CCI-004817",
+ "CCI-004818",
+ "CCI-004819",
+ "CCI-004820",
+ "CCI-004821",
+ "CCI-004822"
+ ]
+ }
+ },
+ "SA-16": {
+ "ccis": [
+ "CCI-003291",
+ "CCI-003292",
+ "CCI-004835",
+ "CCI-004836"
+ ]
+ },
+ "SA-17": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-003298",
+ "CCI-003299",
+ "CCI-004842",
+ "CCI-004843"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003300",
+ "CCI-004844"
+ ]
+ }
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-003301",
+ "CCI-003302",
+ "CCI-003303",
+ "CCI-003304"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003305",
+ "CCI-003306",
+ "CCI-003307"
+ ]
+ }
+ },
+ "3": {
+ "a": {
+ "ccis": [
+ "CCI-003308",
+ "CCI-003309",
+ "CCI-003310"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003311"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003312",
+ "CCI-003313",
+ "CCI-003314"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003315",
+ "CCI-003316",
+ "CCI-003317"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003318",
+ "CCI-003319",
+ "CCI-003320"
+ ]
+ }
+ },
+ "4": {
+ "a": {
+ "ccis": [
+ "CCI-003321",
+ "CCI-003322",
+ "CCI-003323"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003324"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003325",
+ "CCI-003326",
+ "CCI-003327"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003328",
+ "CCI-003329",
+ "CCI-003330"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003331",
+ "CCI-003332",
+ "CCI-003333"
+ ]
+ }
+ },
+ "5": {
+ "a": {
+ "ccis": [
+ "CCI-003334",
+ "CCI-003335",
+ "CCI-003336"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003337",
+ "CCI-003338",
+ "CCI-003339"
+ ]
+ }
+ },
+ "6": {
+ "ccis": [
+ "CCI-003340",
+ "CCI-003341",
+ "CCI-003342"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-003343",
+ "CCI-003344",
+ "CCI-003345"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-004845",
+ "CCI-004846",
+ "CCI-004847"
+ ]
+ },
+ "9": {
+ "ccis": [
+ "CCI-004848",
+ "CCI-004849"
+ ]
+ },
+ "ccis": [
+ "CCI-003293",
+ "CCI-004837"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-003294",
+ "CCI-004838"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003295",
+ "CCI-003296",
+ "CCI-004839",
+ "CCI-004840"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003297",
+ "CCI-004841"
+ ]
+ }
+ },
+ "SA-18": {
+ "1": {
+ "ccis": [
+ "CCI-003347",
+ "CCI-003348",
+ "CCI-003349",
+ "CCI-003350",
+ "CCI-003351"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003352",
+ "CCI-003353",
+ "CCI-003354",
+ "CCI-003355"
+ ]
+ },
+ "ccis": [
+ "CCI-003346"
+ ]
+ },
+ "SA-19": {
+ "1": {
+ "ccis": [
+ "CCI-003367",
+ "CCI-003368"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003369",
+ "CCI-003370",
+ "CCI-003371"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-003390",
+ "CCI-003391"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-003388",
+ "CCI-003389"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003356",
+ "CCI-003357",
+ "CCI-003358",
+ "CCI-003359",
+ "CCI-003360",
+ "CCI-003361",
+ "CCI-003362",
+ "CCI-003363"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003364",
+ "CCI-003365",
+ "CCI-003366"
+ ]
+ }
+ },
+ "SA-22": {
+ "b": {
+ "ccis": [
+ "CCI-003372",
+ "CCI-003373",
+ "CCI-003374",
+ "CCI-003375"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003376"
+ ]
+ }
+ },
+ "SA-21": {
+ "1": {
+ "ccis": [
+ "CCI-003377",
+ "CCI-003378",
+ "CCI-003379",
+ "CCI-003380"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003381",
+ "CCI-003382"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003383",
+ "CCI-003385"
+ ]
+ },
+ "ccis": [
+ "CCI-003384"
+ ]
+ },
+ "SA-20": {
+ "ccis": [
+ "CCI-003386",
+ "CCI-003387"
+ ]
+ },
+ "AP-1": {
+ "ccis": [
+ "CCI-003392",
+ "CCI-003393",
+ "CCI-003394",
+ "CCI-003395"
+ ]
+ },
+ "AP-2": {
+ "ccis": [
+ "CCI-003396",
+ "CCI-003398",
+ "CCI-003399",
+ "CCI-003400"
+ ]
+ },
+ "AR-1": {
+ "a": {
+ "ccis": [
+ "CCI-003397"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003401"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003402",
+ "CCI-003403",
+ "CCI-003404",
+ "CCI-003405"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003406"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-003407",
+ "CCI-003408",
+ "CCI-003409",
+ "CCI-003410",
+ "CCI-003411",
+ "CCI-003412"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-003413",
+ "CCI-003414",
+ "CCI-003415",
+ "CCI-003416"
+ ]
+ }
+ },
+ "AR-2": {
+ "a": {
+ "ccis": [
+ "CCI-003417",
+ "CCI-003418",
+ "CCI-003419",
+ "CCI-003420",
+ "CCI-003421",
+ "CCI-003422",
+ "CCI-003423",
+ "CCI-003424"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003425"
+ ]
+ }
+ },
+ "AR-3": {
+ "a": {
+ "ccis": [
+ "CCI-003426",
+ "CCI-003427",
+ "CCI-003428",
+ "CCI-003429",
+ "CCI-003430",
+ "CCI-003431"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003432",
+ "CCI-003433"
+ ]
+ }
+ },
+ "AR-4": {
+ "ccis": [
+ "CCI-003434",
+ "CCI-003435",
+ "CCI-003436",
+ "CCI-003437",
+ "CCI-003438",
+ "CCI-003439"
+ ]
+ },
+ "AR-5": {
+ "a": {
+ "ccis": [
+ "CCI-003440",
+ "CCI-003441",
+ "CCI-003442"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003443",
+ "CCI-003444",
+ "CCI-003445",
+ "CCI-003446"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003447",
+ "CCI-003448"
+ ]
+ }
+ },
+ "AR-6": {
+ "ccis": [
+ "CCI-003449",
+ "CCI-003450",
+ "CCI-003451",
+ "CCI-003452",
+ "CCI-003453",
+ "CCI-003454"
+ ]
+ },
+ "AR-7": {
+ "ccis": [
+ "CCI-003455"
+ ]
+ },
+ "AR-8": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-003456",
+ "CCI-003457",
+ "CCI-003458",
+ "CCI-003459"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003460"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-003461"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003462"
+ ]
+ }
+ },
+ "DI-1": {
+ "1": {
+ "ccis": [
+ "CCI-003478"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-003479",
+ "CCI-003480"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003463",
+ "CCI-003464",
+ "CCI-003465",
+ "CCI-003466"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003467"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003468",
+ "CCI-003469"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003470",
+ "CCI-003471",
+ "CCI-003472",
+ "CCI-003473",
+ "CCI-003474",
+ "CCI-003475",
+ "CCI-003476",
+ "CCI-003477"
+ ]
+ }
+ },
+ "DI-2": {
+ "1": {
+ "ccis": [
+ "CCI-003485"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003481"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003482",
+ "CCI-003483",
+ "CCI-003484"
+ ]
+ }
+ },
+ "DM-1": {
+ "1": {
+ "ccis": [
+ "CCI-003495",
+ "CCI-003496"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003486"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003487",
+ "CCI-003488"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003489",
+ "CCI-003490",
+ "CCI-003491",
+ "CCI-003492",
+ "CCI-003493",
+ "CCI-003494"
+ ]
+ }
+ },
+ "DM-2": {
+ "1": {
+ "ccis": [
+ "CCI-003503",
+ "CCI-003504",
+ "CCI-003505",
+ "CCI-003506"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003497",
+ "CCI-003498"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003499",
+ "CCI-003500"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003501",
+ "CCI-003502"
+ ]
+ }
+ },
+ "DM-3": {
+ "1": {
+ "ccis": [
+ "CCI-003516",
+ "CCI-003517",
+ "CCI-003518"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003507",
+ "CCI-003508",
+ "CCI-003509",
+ "CCI-003510",
+ "CCI-003511",
+ "CCI-003512"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003513",
+ "CCI-003514",
+ "CCI-003515"
+ ]
+ }
+ },
+ "IP-1": {
+ "1": {
+ "ccis": [
+ "CCI-003530"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003519",
+ "CCI-003520",
+ "CCI-003521",
+ "CCI-003522"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003523",
+ "CCI-003524",
+ "CCI-003525",
+ "CCI-003526"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003527"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003528",
+ "CCI-003529"
+ ]
+ }
+ },
+ "IP-2": {
+ "a": {
+ "ccis": [
+ "CCI-003531"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003532",
+ "CCI-003533"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003534"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003535",
+ "CCI-003536"
+ ]
+ }
+ },
+ "IP-3": {
+ "a": {
+ "ccis": [
+ "CCI-003537"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003538",
+ "CCI-003539"
+ ]
+ }
+ },
+ "IP-4": {
+ "1": {
+ "ccis": [
+ "CCI-003542",
+ "CCI-003543"
+ ]
+ },
+ "ccis": [
+ "CCI-003540",
+ "CCI-003541"
+ ]
+ },
+ "SE-1": {
+ "a": {
+ "ccis": [
+ "CCI-003544",
+ "CCI-003545",
+ "CCI-003546",
+ "CCI-003547",
+ "CCI-003548",
+ "CCI-003549",
+ "CCI-003550"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003551",
+ "CCI-003552"
+ ]
+ }
+ },
+ "SE-2": {
+ "a": {
+ "ccis": [
+ "CCI-003553",
+ "CCI-003554"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003555"
+ ]
+ }
+ },
+ "TR-1": {
+ "1": {
+ "ccis": [
+ "CCI-003580"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003556",
+ "CCI-003557",
+ "CCI-003558",
+ "CCI-003559",
+ "CCI-003560",
+ "CCI-003561",
+ "CCI-003562",
+ "CCI-003563",
+ "CCI-003564",
+ "CCI-003565",
+ "CCI-003566",
+ "CCI-003567"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003568",
+ "CCI-003569",
+ "CCI-003570",
+ "CCI-003571",
+ "CCI-003572",
+ "CCI-003573",
+ "CCI-003574",
+ "CCI-003575",
+ "CCI-003576",
+ "CCI-003577",
+ "CCI-003598"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003578",
+ "CCI-003579"
+ ]
+ }
+ },
+ "TR-2": {
+ "1": {
+ "ccis": [
+ "CCI-003584"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003581"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003582"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003583"
+ ]
+ }
+ },
+ "TR-3": {
+ "a": {
+ "ccis": [
+ "CCI-003585",
+ "CCI-003586"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003587"
+ ]
+ }
+ },
+ "UL-1": {
+ "ccis": [
+ "CCI-003588"
+ ]
+ },
+ "UL-2": {
+ "a": {
+ "ccis": [
+ "CCI-003589"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003590",
+ "CCI-003591"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003592",
+ "CCI-003593",
+ "CCI-003594",
+ "CCI-003595"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-003596",
+ "CCI-003597"
+ ]
+ }
+ },
+ "AT-6": {
+ "ccis": [
+ "CCI-003796",
+ "CCI-003797",
+ "CCI-003798"
+ ]
+ },
+ "CM-12": {
+ "1": {
+ "ccis": [
+ "CCI-003988",
+ "CCI-003989",
+ "CCI-003990"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-003982",
+ "CCI-003983",
+ "CCI-003984"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-003985",
+ "CCI-003986"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-003987"
+ ]
+ }
+ },
+ "CM-13": {
+ "ccis": [
+ "CCI-003991"
+ ]
+ },
+ "CM-14": {
+ "ccis": [
+ "CCI-003992",
+ "CCI-003993"
+ ]
+ },
+ "IA-12": {
+ "1": {
+ "ccis": [
+ "CCI-004098"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004099"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004100",
+ "CCI-004101",
+ "CCI-004102",
+ "CCI-004103"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-004104",
+ "CCI-004105"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-004106"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-004107",
+ "CCI-004108"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004092",
+ "CCI-004093"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004094"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004095",
+ "CCI-004096",
+ "CCI-004097"
+ ]
+ }
+ },
+ "MA-7": {
+ "ccis": [
+ "CCI-004198",
+ "CCI-004199",
+ "CCI-004200"
+ ]
+ },
+ "PE-21": {
+ "ccis": [
+ "CCI-004266",
+ "CCI-004267",
+ "CCI-004268"
+ ]
+ },
+ "PE-22": {
+ "ccis": [
+ "CCI-004269",
+ "CCI-004270"
+ ]
+ },
+ "PE-23": {
+ "a": {
+ "ccis": [
+ "CCI-004271"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004272"
+ ]
+ }
+ },
+ "PL-10": {
+ "ccis": [
+ "CCI-004310"
+ ]
+ },
+ "PL-11": {
+ "ccis": [
+ "CCI-004311"
+ ]
+ },
+ "PM-17": {
+ "a": {
+ "ccis": [
+ "CCI-004366",
+ "CCI-004367"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004368",
+ "CCI-004369",
+ "CCI-004370",
+ "CCI-004371"
+ ]
+ }
+ },
+ "PM-18": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-004374",
+ "CCI-004375"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004376",
+ "CCI-004377",
+ "CCI-004378",
+ "CCI-004379"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004380",
+ "CCI-004381"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-004382",
+ "CCI-004383"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-004384",
+ "CCI-004385"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-004386",
+ "CCI-004387",
+ "CCI-004388"
+ ]
+ },
+ "ccis": [
+ "CCI-004372",
+ "CCI-004373"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004389"
+ ]
+ }
+ },
+ "PM-19": {
+ "ccis": [
+ "CCI-004390",
+ "CCI-004391",
+ "CCI-004392",
+ "CCI-004393"
+ ]
+ },
+ "PM-20": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-004399",
+ "CCI-004400"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004401"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004402",
+ "CCI-004403"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-004394"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-004395",
+ "CCI-004396"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004397"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004398"
+ ]
+ }
+ },
+ "PM-21": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-004406",
+ "CCI-004407"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004408",
+ "CCI-004409"
+ ]
+ },
+ "ccis": [
+ "CCI-004404",
+ "CCI-004405"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004410"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004411"
+ ]
+ }
+ },
+ "PM-22": {
+ "a": {
+ "ccis": [
+ "CCI-004412",
+ "CCI-004413"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004414",
+ "CCI-004415"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004416",
+ "CCI-004417"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004418",
+ "CCI-004419"
+ ]
+ }
+ },
+ "PM-23": {
+ "ccis": [
+ "CCI-004420",
+ "CCI-004421",
+ "CCI-004422"
+ ]
+ },
+ "PM-24": {
+ "a": {
+ "ccis": [
+ "CCI-004423"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004424"
+ ]
+ }
+ },
+ "PM-25": {
+ "a": {
+ "ccis": [
+ "CCI-004425",
+ "CCI-004426",
+ "CCI-004427",
+ "CCI-004428"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004429"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004430"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004431",
+ "CCI-004432",
+ "CCI-004433",
+ "CCI-004434"
+ ]
+ }
+ },
+ "PM-26": {
+ "ccis": [
+ "CCI-004435",
+ "CCI-004436"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-004437",
+ "CCI-004438"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004439"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004440",
+ "CCI-004441"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004442",
+ "CCI-004443"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-004444",
+ "CCI-004445"
+ ]
+ }
+ },
+ "PM-27": {
+ "ccis": [
+ "CCI-004446",
+ "CCI-004447"
+ ],
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-004448"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004449",
+ "CCI-004450",
+ "CCI-004451"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004452",
+ "CCI-004453"
+ ]
+ }
+ },
+ "PM-28": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-004454"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004455"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004456"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-004457"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004458",
+ "CCI-004459"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004460",
+ "CCI-004461"
+ ]
+ }
+ },
+ "PM-29": {
+ "a": {
+ "ccis": [
+ "CCI-004462",
+ "CCI-004463"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004464",
+ "CCI-004465"
+ ]
+ }
+ },
+ "PM-30": {
+ "1": {
+ "ccis": [
+ "CCI-005150"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004466",
+ "CCI-004467",
+ "CCI-004468",
+ "CCI-004469"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004470"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004471",
+ "CCI-004472"
+ ]
+ }
+ },
+ "PM-31": {
+ "a": {
+ "ccis": [
+ "CCI-004473",
+ "CCI-004474",
+ "CCI-004475"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004476",
+ "CCI-004477",
+ "CCI-004478",
+ "CCI-004479",
+ "CCI-004480",
+ "CCI-004481"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004482",
+ "CCI-004483"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004484",
+ "CCI-004485"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-004486",
+ "CCI-004487"
+ ]
+ },
+ "f": {
+ "ccis": [
+ "CCI-004488",
+ "CCI-004489",
+ "CCI-004490",
+ "CCI-004491",
+ "CCI-004492",
+ "CCI-004493",
+ "CCI-004494",
+ "CCI-004495"
+ ]
+ }
+ },
+ "PM-32": {
+ "ccis": [
+ "CCI-004496",
+ "CCI-004497"
+ ]
+ },
+ "PS-9": {
+ "ccis": [
+ "CCI-004523",
+ "CCI-004524"
+ ]
+ },
+ "PT-1": {
+ "a": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-004525"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004528"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-004529"
+ ]
+ },
+ "ccis": [
+ "CCI-004526",
+ "CCI-004527"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004530",
+ "CCI-004531",
+ "CCI-004532"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-004533",
+ "CCI-004534",
+ "CCI-004535"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004536",
+ "CCI-004537",
+ "CCI-004538"
+ ]
+ }
+ }
+ },
+ "PT-2": {
+ "1": {
+ "ccis": [
+ "CCI-004544",
+ "CCI-004545",
+ "CCI-004546"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004547",
+ "CCI-004548"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004539",
+ "CCI-004540",
+ "CCI-004541"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004542",
+ "CCI-004543"
+ ]
+ }
+ },
+ "PT-3": {
+ "1": {
+ "ccis": [
+ "CCI-004558",
+ "CCI-004559"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004560"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004549",
+ "CCI-004550"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004551"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004552",
+ "CCI-004553"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004554",
+ "CCI-004555",
+ "CCI-004556",
+ "CCI-004557"
+ ]
+ }
+ },
+ "PT-4": {
+ "1": {
+ "ccis": [
+ "CCI-004563",
+ "CCI-004564"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004565",
+ "CCI-004566",
+ "CCI-004567",
+ "CCI-004568"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-004569",
+ "CCI-004570"
+ ]
+ },
+ "ccis": [
+ "CCI-004561",
+ "CCI-004562"
+ ]
+ },
+ "PT-5": {
+ "1": {
+ "ccis": [
+ "CCI-004578",
+ "CCI-004579"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004580"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004571",
+ "CCI-004572"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004573"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004574"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004575"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-004576",
+ "CCI-004577"
+ ]
+ }
+ },
+ "PT-6": {
+ "1": {
+ "ccis": [
+ "CCI-004585",
+ "CCI-004586",
+ "CCI-004587"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004588",
+ "CCI-004589",
+ "CCI-004590",
+ "CCI-004591"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-004581",
+ "CCI-004582"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004583"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004584"
+ ]
+ }
+ },
+ "PT-7": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-004594"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004595"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004596"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-004597"
+ ]
+ },
+ "ccis": [
+ "CCI-004592",
+ "CCI-004593"
+ ]
+ },
+ "PT-8": {
+ "a": {
+ "ccis": [
+ "CCI-004598"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004599"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-004600"
+ ]
+ },
+ "d": {
+ "ccis": [
+ "CCI-004601"
+ ]
+ },
+ "e": {
+ "ccis": [
+ "CCI-004602"
+ ]
+ }
+ },
+ "RA-7": {
+ "ccis": [
+ "CCI-004641",
+ "CCI-004642",
+ "CCI-004643",
+ "CCI-004644"
+ ]
+ },
+ "RA-8": {
+ "a": {
+ "ccis": [
+ "CCI-004645"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-004646"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004647"
+ ]
+ }
+ }
+ },
+ "RA-9": {
+ "ccis": [
+ "CCI-004648",
+ "CCI-004649",
+ "CCI-004650"
+ ]
+ },
+ "RA-10": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-004651"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-004652"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-004653",
+ "CCI-004654"
+ ]
+ }
+ },
+ "SA-23": {
+ "ccis": [
+ "CCI-004850",
+ "CCI-004851"
+ ]
+ },
+ "SC-45": {
+ "1": {
+ "a": {
+ "ccis": [
+ "CCI-004923",
+ "CCI-004924",
+ "CCI-004925"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004926",
+ "CCI-004927"
+ ]
+ }
+ },
+ "2": {
+ "a": {
+ "ccis": [
+ "CCI-004928"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-004929"
+ ]
+ }
+ },
+ "ccis": [
+ "CCI-004922"
+ ]
+ },
+ "SC-46": {
+ "ccis": [
+ "CCI-004930"
+ ]
+ },
+ "SC-47": {
+ "ccis": [
+ "CCI-004931"
+ ]
+ },
+ "SC-48": {
+ "1": {
+ "ccis": [
+ "CCI-004936",
+ "CCI-004937",
+ "CCI-004938",
+ "CCI-004939"
+ ]
+ },
+ "ccis": [
+ "CCI-004932",
+ "CCI-004933",
+ "CCI-004934",
+ "CCI-004935"
+ ]
+ },
+ "SC-49": {
+ "ccis": [
+ "CCI-004940",
+ "CCI-004941"
+ ]
+ },
+ "SC-50": {
+ "ccis": [
+ "CCI-004942",
+ "CCI-004943"
+ ]
+ },
+ "SI-18": {
+ "1": {
+ "ccis": [
+ "CCI-005021",
+ "CCI-005022"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-005023"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-005024"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-005025"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-005026",
+ "CCI-005027",
+ "CCI-005028"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-005018",
+ "CCI-005019"
+ ]
+ },
+ "b": {
+ "1": {
+ "ccis": [
+ "CCI-005020"
+ ]
+ }
+ }
+ },
+ "SI-19": {
+ "1": {
+ "ccis": [
+ "CCI-005033"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-005034"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-005035"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-005036"
+ ]
+ },
+ "5": {
+ "ccis": [
+ "CCI-005037"
+ ]
+ },
+ "6": {
+ "ccis": [
+ "CCI-005038"
+ ]
+ },
+ "7": {
+ "ccis": [
+ "CCI-005039"
+ ]
+ },
+ "8": {
+ "ccis": [
+ "CCI-005040"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-005029",
+ "CCI-005030"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-005031",
+ "CCI-005032"
+ ]
+ }
+ },
+ "SI-20": {
+ "ccis": [
+ "CCI-005041",
+ "CCI-005042"
+ ]
+ },
+ "SI-21": {
+ "ccis": [
+ "CCI-005043",
+ "CCI-005044",
+ "CCI-005045"
+ ]
+ },
+ "SI-22": {
+ "a": {
+ "ccis": [
+ "CCI-005046",
+ "CCI-005047"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-005048",
+ "CCI-005049"
+ ]
+ }
+ },
+ "SI-23": {
+ "a": {
+ "ccis": [
+ "CCI-005050",
+ "CCI-005051",
+ "CCI-005052"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-005053",
+ "CCI-005054",
+ "CCI-005055"
+ ]
+ }
+ },
+ "SR-1": {
+ "a": {
+ "1": {
+ "ccis": [
+ "CCI-005056"
+ ],
+ "a": {
+ "ccis": [
+ "CCI-005057"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-005058"
+ ]
+ }
+ },
+ "2": {
+ "ccis": [
+ "CCI-005059"
+ ]
+ }
+ },
+ "b": {
+ "ccis": [
+ "CCI-005060",
+ "CCI-005061",
+ "CCI-005062",
+ "CCI-005063"
+ ]
+ },
+ "c": {
+ "1": {
+ "ccis": [
+ "CCI-005064",
+ "CCI-005065",
+ "CCI-005066",
+ "CCI-005067"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-005068",
+ "CCI-005069",
+ "CCI-005070",
+ "CCI-005071"
+ ]
+ }
+ }
+ },
+ "SR-2": {
+ "1": {
+ "ccis": [
+ "CCI-005077",
+ "CCI-005078",
+ "CCI-005079"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-005072",
+ "CCI-005073"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-005074",
+ "CCI-005075"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-005076"
+ ]
+ }
+ },
+ "SR-3": {
+ "1": {
+ "ccis": [
+ "CCI-005091",
+ "CCI-005092"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-005093",
+ "CCI-005094"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-005095"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-005080",
+ "CCI-005081",
+ "CCI-005082",
+ "CCI-005083",
+ "CCI-005084",
+ "CCI-005085"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-005086",
+ "CCI-005087",
+ "CCI-005088"
+ ]
+ },
+ "c": {
+ "ccis": [
+ "CCI-005089",
+ "CCI-005090"
+ ]
+ }
+ },
+ "SR-4": {
+ "1": {
+ "ccis": [
+ "CCI-005100",
+ "CCI-005101"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-005102",
+ "CCI-005103"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-005104",
+ "CCI-005105",
+ "CCI-005106",
+ "CCI-005107"
+ ]
+ },
+ "4": {
+ "ccis": [
+ "CCI-005108",
+ "CCI-005109",
+ "CCI-005110",
+ "CCI-005111"
+ ]
+ },
+ "ccis": [
+ "CCI-005096",
+ "CCI-005097",
+ "CCI-005098",
+ "CCI-005099"
+ ]
+ },
+ "SR-5": {
+ "1": {
+ "ccis": [
+ "CCI-005114",
+ "CCI-005115",
+ "CCI-005116"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-005117"
+ ]
+ },
+ "ccis": [
+ "CCI-005112",
+ "CCI-005113"
+ ]
+ },
+ "SR-6": {
+ "1": {
+ "ccis": [
+ "CCI-005120",
+ "CCI-005121"
+ ]
+ },
+ "ccis": [
+ "CCI-005118",
+ "CCI-005119"
+ ]
+ },
+ "SR-7": {
+ "ccis": [
+ "CCI-005122",
+ "CCI-005123"
+ ]
+ },
+ "SR-8": {
+ "ccis": [
+ "CCI-005124",
+ "CCI-005125"
+ ]
+ },
+ "SR-9": {
+ "1": {
+ "ccis": [
+ "CCI-005127"
+ ]
+ },
+ "ccis": [
+ "CCI-005126"
+ ]
+ },
+ "SR-10": {
+ "ccis": [
+ "CCI-005128",
+ "CCI-005129",
+ "CCI-005130",
+ "CCI-005131"
+ ]
+ },
+ "SR-11": {
+ "1": {
+ "ccis": [
+ "CCI-005137",
+ "CCI-005138"
+ ]
+ },
+ "2": {
+ "ccis": [
+ "CCI-005139",
+ "CCI-005140",
+ "CCI-005141"
+ ]
+ },
+ "3": {
+ "ccis": [
+ "CCI-005142",
+ "CCI-005143"
+ ]
+ },
+ "a": {
+ "ccis": [
+ "CCI-005132",
+ "CCI-005133"
+ ]
+ },
+ "b": {
+ "ccis": [
+ "CCI-005134",
+ "CCI-005135",
+ "CCI-005136"
+ ]
+ }
+ },
+ "SR-12": {
+ "ccis": [
+ "CCI-005144",
+ "CCI-005145",
+ "CCI-005146"
+ ]
+ }
}
\ No newline at end of file
diff --git a/libs/hdf-converters/src/msft-secure-score-mapper.ts b/libs/hdf-converters/src/msft-secure-score-mapper.ts
index f10faf3a3b..67eff3be67 100644
--- a/libs/hdf-converters/src/msft-secure-score-mapper.ts
+++ b/libs/hdf-converters/src/msft-secure-score-mapper.ts
@@ -7,10 +7,8 @@ import {ExecJSON} from 'inspecjs';
import {version as HeimdallToolsVersion} from '../package.json';
import {BaseConverter, ILookupPath, MappedTransform} from './base-converter';
import * as _ from 'lodash';
-import {
- conditionallyProvideAttribute,
- DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS
-} from './utils/global';
+import {conditionallyProvideAttribute} from './utils/global';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
export type ProfileResponse = {
'@odata.context': string;
diff --git a/libs/hdf-converters/src/nessus-mapper.ts b/libs/hdf-converters/src/nessus-mapper.ts
index e5faae4844..9d7ea27f8f 100644
--- a/libs/hdf-converters/src/nessus-mapper.ts
+++ b/libs/hdf-converters/src/nessus-mapper.ts
@@ -9,8 +9,8 @@ import {
parseHtml,
parseXml
} from './base-converter';
-import {CciNistMapping} from './mappings/CciNistMapping';
import {NessusPluginsNistMapping} from './mappings/NessusPluginsNistMapping';
+import {CCI2NIST} from './mappings/CciNistMapping';
// Constants
const IMPACT_MAPPING: Map<string, number> = new Map([
@@ -31,7 +31,6 @@ const COMPLIANCE_RESULT = 'compliance-result';
const COMPLIANCE_ACTUAL_VALUE = 'compliance-actual-value';
const NA_PLUGIN_OUTPUT = 'This Nessus Plugin does not provide output message.';
const NESSUS_PLUGINS_NIST_MAPPING = new NessusPluginsNistMapping();
-const CCI_NIST_MAPPING = new CciNistMapping();
const DEFAULT_NIST_TAG: string[] = [];
let policyName: string;
@@ -82,7 +81,7 @@ function pluginNistTag(item: unknown): string[] {
}
function cciNistTag(input: string): string[] {
const identifiers: string[] = parseRef(input, 'CCI');
- return CCI_NIST_MAPPING.nistFilter(identifiers, DEFAULT_NIST_TAG, false);
+ return CCI2NIST(identifiers, DEFAULT_NIST_TAG, false);
}
function parseRef(input: string, key: string): string[] {
diff --git a/libs/hdf-converters/src/netsparker-mapper.ts b/libs/hdf-converters/src/netsparker-mapper.ts
index ebc8c98876..1b85ccd54f 100644
--- a/libs/hdf-converters/src/netsparker-mapper.ts
+++ b/libs/hdf-converters/src/netsparker-mapper.ts
@@ -11,8 +11,8 @@ import {
} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
import {OwaspNistMapping} from './mappings/OwaspNistMapping';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
+import {NIST2CCI} from './mappings/CciNistMapping';
const IMPACT_MAPPING: Map<string, number> = new Map([
['critical', 1.0],
@@ -180,7 +180,7 @@ export class NetsparkerMapper extends BaseConverter {
cci: {
path: 'classification',
transformer: (data: Record<string, unknown>) =>
- getCCIsForNISTTags(nistTag(data))
+ NIST2CCI(nistTag(data))
},
nist: {path: 'classification', transformer: nistTag}
},
diff --git a/libs/hdf-converters/src/neuvector-mapper.ts b/libs/hdf-converters/src/neuvector-mapper.ts
index 49b1b4c16f..de7c0ed7fd 100644
--- a/libs/hdf-converters/src/neuvector-mapper.ts
+++ b/libs/hdf-converters/src/neuvector-mapper.ts
@@ -3,7 +3,6 @@ import _ from 'lodash';
import {version as HeimdallToolsVersion} from '../package.json';
import {BaseConverter, ILookupPath, MappedTransform} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
-import {DEFAULT_UPDATE_REMEDIATION_NIST_TAGS} from './utils/global';
import {
NeuVectorScanJson,
RESTModuleCve,
@@ -11,6 +10,7 @@ import {
RESTScanRepoReport,
RESTVulnerability
} from '../types/neuvector-types';
+import {DEFAULT_UPDATE_REMEDIATION_NIST_TAGS} from './mappings/CciNistMappingData';
const CWE_NIST_MAPPING = new CweNistMapping();
diff --git a/libs/hdf-converters/src/nikto-mapper.ts b/libs/hdf-converters/src/nikto-mapper.ts
index 98ad8795aa..ddc1588b65 100644
--- a/libs/hdf-converters/src/nikto-mapper.ts
+++ b/libs/hdf-converters/src/nikto-mapper.ts
@@ -3,7 +3,7 @@ import * as _ from 'lodash';
import {version as HeimdallToolsVersion} from '../package.json';
import {BaseConverter, ILookupPath, MappedTransform} from './base-converter';
import {NiktoNistMapping} from './mappings/NiktoNistMapping';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
const NIKTO_NIST_MAPPING = new NiktoNistMapping();
@@ -59,9 +59,9 @@ export class NiktoMapper extends BaseConverter {
nist: {path: 'id', transformer: nistTag},
cci: {
path: 'id',
- transformer: (id: string) => getCCIsForNISTTags(nistTag(id))
+ transformer: (id: string) => NIST2CCI(nistTag(id))
},
- ösvdb: {path: 'OSVDB'}
+ osvdb: {path: 'OSVDB'}
},
refs: [],
source_location: {},
diff --git a/libs/hdf-converters/src/prisma-mapper.ts b/libs/hdf-converters/src/prisma-mapper.ts
index 9a1c45cdf1..892cfc8b11 100644
--- a/libs/hdf-converters/src/prisma-mapper.ts
+++ b/libs/hdf-converters/src/prisma-mapper.ts
@@ -7,11 +7,11 @@ import {
MappedTransform,
parseCsv
} from './base-converter';
+import {NIST2CCI} from './mappings/CciNistMapping';
import {
DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS,
DEFAULT_UPDATE_REMEDIATION_NIST_TAGS
-} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+} from './mappings/CciNistMappingData';
export type PrismaControl = {
Packages: string;
@@ -76,7 +76,7 @@ export class PrismaControlMapper extends BaseConverter {
tags: {
cci: {
path: 'CVE ID',
- transformer: (cve: string) => getCCIsForNISTTags(nistTag(cve))
+ transformer: (cve: string) => NIST2CCI(nistTag(cve))
},
nist: {
path: 'CVE ID',
diff --git a/libs/hdf-converters/src/sarif-mapper.ts b/libs/hdf-converters/src/sarif-mapper.ts
index 56262aee05..2a42457d38 100644
--- a/libs/hdf-converters/src/sarif-mapper.ts
+++ b/libs/hdf-converters/src/sarif-mapper.ts
@@ -3,8 +3,8 @@ import * as _ from 'lodash';
import {version as HeimdallToolsVersion} from '../package.json';
import {BaseConverter, ILookupPath, MappedTransform} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
+import {NIST2CCI} from './mappings/CciNistMapping';
const IMPACT_MAPPING: Map<string, number> = new Map([
['error', 0.7],
@@ -74,8 +74,8 @@ export class SarifMapper extends BaseConverter {
key: 'id',
tags: {
cci: {
- path: 'vulnerabilityClassifications',
- transformer: (data: string) => getCCIsForNISTTags(nistTag(data))
+ path: MESSAGE_TEXT,
+ transformer: (data: string) => NIST2CCI(nistTag(data))
},
nist: {path: MESSAGE_TEXT, transformer: nistTag},
cwe: {
diff --git a/libs/hdf-converters/src/scoutsuite-mapper.ts b/libs/hdf-converters/src/scoutsuite-mapper.ts
index 87096776be..399040cbfa 100644
--- a/libs/hdf-converters/src/scoutsuite-mapper.ts
+++ b/libs/hdf-converters/src/scoutsuite-mapper.ts
@@ -8,7 +8,7 @@ import {
MappedTransform
} from './base-converter';
import {ScoutsuiteNistMapping} from './mappings/ScoutsuiteNistMapping';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
const INSPEC_INPUTS_MAPPING = {
string: 'String',
@@ -234,7 +234,7 @@ export class ScoutsuiteMapper extends BaseConverter {
nist: {path: '[0]', transformer: nistTag},
cci: {
path: '[0]',
- transformer: (data: string) => getCCIsForNISTTags(nistTag(data))
+ transformer: (data: string) => NIST2CCI(nistTag(data))
}
},
refs: [
diff --git a/libs/hdf-converters/src/snyk-mapper.ts b/libs/hdf-converters/src/snyk-mapper.ts
index e9333321b4..7c815c8922 100644
--- a/libs/hdf-converters/src/snyk-mapper.ts
+++ b/libs/hdf-converters/src/snyk-mapper.ts
@@ -8,8 +8,8 @@ import {
MappedTransform
} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
+import {NIST2CCI} from './mappings/CciNistMapping';
const IMPACT_MAPPING: Map<string, number> = new Map([
['high', 0.7],
@@ -115,8 +115,7 @@ export class SnykMapper extends BaseConverter {
tags: {
cci: {
path: CWE_PATH,
- transformer: (cwe: unknown[]) =>
- getCCIsForNISTTags(nistTag(cwe))
+ transformer: (cwe: unknown[]) => NIST2CCI(nistTag(cwe))
},
nist: {path: CWE_PATH, transformer: nistTag},
cweid: {path: CWE_PATH, transformer: parseIdentifier},
diff --git a/libs/hdf-converters/src/sonarqube-mapper.ts b/libs/hdf-converters/src/sonarqube-mapper.ts
index 9950c387d6..1ad2d9ad6c 100644
--- a/libs/hdf-converters/src/sonarqube-mapper.ts
+++ b/libs/hdf-converters/src/sonarqube-mapper.ts
@@ -9,7 +9,7 @@ import {
} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
import {OwaspNistMapping} from './mappings/OwaspNistMapping';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
// eslint-disable-next-line @typescript-eslint/naming-convention
export type Issue = {
@@ -252,8 +252,7 @@ function createSonarqubeMappings(
code: null,
tags: {
cci: {
- transformer: (issue: Issue) =>
- getCCIsForNISTTags(parseNistTags(issue))
+ transformer: (issue: Issue) => NIST2CCI(parseNistTags(issue))
},
nist: {transformer: parseNistTags}
},
diff --git a/libs/hdf-converters/src/twistlock-mapper.ts b/libs/hdf-converters/src/twistlock-mapper.ts
index 9335c5a1c0..a4e73a5179 100644
--- a/libs/hdf-converters/src/twistlock-mapper.ts
+++ b/libs/hdf-converters/src/twistlock-mapper.ts
@@ -7,8 +7,8 @@ import {
impactMapping,
MappedTransform
} from './base-converter';
-import {DEFAULT_UPDATE_REMEDIATION_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
+import {DEFAULT_UPDATE_REMEDIATION_NIST_TAGS} from './mappings/CciNistMappingData';
const IMPACT_MAPPING: Map<string, number> = new Map([
['critical', 0.9],
@@ -94,7 +94,7 @@ export class TwistlockMapper extends BaseConverter {
pathTransform: (value) => (Array.isArray(value) ? value : []),
tags: {
nist: DEFAULT_UPDATE_REMEDIATION_NIST_TAGS,
- cci: getCCIsForNISTTags(DEFAULT_UPDATE_REMEDIATION_NIST_TAGS),
+ cci: NIST2CCI(DEFAULT_UPDATE_REMEDIATION_NIST_TAGS),
cveid: {path: 'id'}
},
refs: [],
diff --git a/libs/hdf-converters/src/utils/CCI_List.ts b/libs/hdf-converters/src/utils/CCI_List.ts
deleted file mode 100644
index d3c4697224..0000000000
--- a/libs/hdf-converters/src/utils/CCI_List.ts
+++ /dev/null
@@ -1,56255 +0,0 @@
-export const CCI_List = `<?xml version="1.0" encoding="UTF-8"?>
-<?xml-stylesheet type='text/xsl' href='cci2html.xsl'?>
-<cci_list xmlns="http://iase.disa.mil/cci">
- <metadata>
- <version>2023-06-07</version>
- <publishdate>2023-06-07</publishdate>
- </metadata>
- <cci_items>
- <cci_item id="CCI-000001">
- <status>draft</status>
- <publishdate>2009-05-13</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-1.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000002">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate the organization-level; mission/business process-level; and/or system-level access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000003">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current access control policy for organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000004">
- <status>draft</status>
- <publishdate>2009-05-13</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops procedures to facilitate the implementation of the access control policy and associated access controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-1.1 (iv and v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000005">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level access control policy and associated access controls to the organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000006">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current access control procedures for organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000007">
- <status>draft</status>
- <publishdate>2009-05-13</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000008">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes conditions for group membership.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000009">
- <status>draft</status>
- <publishdate>2009-05-13</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000010">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require approvals by organization-defined personnel or roles for requests to create accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000011">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Create, enable, modify, disable, and remove system accounts in accordance with organization-defined procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000012">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review accounts for compliance with account management requirements per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 j" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 j" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 j" />
- </references>
- </cci_item>
- <cci_item id="CCI-000013">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000014">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 i" />
- </references>
- </cci_item>
- <cci_item id="CCI-000015">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Support the management of system accounts using (organization-defined automated mechanisms).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000016">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000017">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable accounts when the accounts have been inactive for the organization-defined time-period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (3) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000018">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically audit account creation actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (4).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000019">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that users log out in accordance with the organization-defined time-period of expected inactivity or description of when to log out.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000020">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system dynamically manages user privileges and associated access authorizations.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000021">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce dual authorization for organization-defined privileged commands and/or other organization-defined actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000022">
- <status>draft</status>
- <publishdate>2009-05-13</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (3).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000023">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-1.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000024">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent access to organization-defined security-relevant information except during secure, non-operable system states.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000025">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000026">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000027">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined information flow control policies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000028">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent encrypted information from bypassing organization-defined flow control mechanisms by employing organization-defined procedures or methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000029">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined limitations on embedding data types within other data types.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000030">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce information flow control based on organization-defined metadata.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000031">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce one-way information flows using hardware-based flow control mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (7).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000032">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (8)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (8).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (8) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000033">
- <status>draft</status>
- <publishdate>2009-05-13</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (9).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000034">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability for privileged administrators to enable and disable organization-defined security or privacy filters under organization-defined conditions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000035">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability for privileged administrators to configure the organization-defined security or privacy policy filters to support different security or privacy policies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (11).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000036">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization separates organization-defined duties of individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000037">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements separation of duties through assigned information system access authorizations.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-5.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000038">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization explicitly authorizes access to organization-defined security functions and security-relevant information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000039">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that users of system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts or roles, when accessing nonsecurity functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000040">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (2).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000041">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize network access to organization-defined privileged commands only for organization-defined compelling operational needs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000042">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document the rationale for authorized network access to organization-defined privileged commands in the security plan for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (3).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000043">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000044">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000045">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000046">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization selects either a lock out mode for the organization-defined time period or delays the next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000047">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000048">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000049">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000050">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000051">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization approves the information system use notification message before its use.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000052">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify the user, upon successful logon (access) to the system, of the date and time of the last logon (access).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-000053">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000054">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-000055">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-000056">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain the device lock until the user reestablishes access using established identification and authentication procedures.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-11 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-11.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000057">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system initiates a session lock after the organization-defined time period of inactivity.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-11 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-11.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000058">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides the capability for users to directly initiate session lock mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-11 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-11" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000059">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period of inactivity after which the system initiates a device lock.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-11 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-11.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000060">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conceal, via the device lock, information previously visible on the display with a publicly viewable image.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-11 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-11 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-11 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000061">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify organization-defined user actions that can be performed on the system without identification or authentication consistent with organizational missions/business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-14 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-14 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-14.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000062">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-14 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-14 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000063">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines allowed methods of remote access to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000064">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes usage restrictions and implementation guidance for each allowed remote access method.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000065">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize remote access to the system prior to allowing such connections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000066">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization enforces requirements for remote connections to the information system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000067">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated mechanisms to monitor remote access methods.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000068">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000069">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Route all remote accesses through authorized and managed network access control points.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000070">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize the execution of privileged commands via remote access only in a format that provides assessable evidence for organization-defined needs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000071">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000072">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect information about remote access mechanisms from unauthorized use and disclosure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000073">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-1.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000074">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 a 4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-1.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000075">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the organization-wide information security program plan on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000076">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the organization-wide information security program plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-1.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000077">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-1.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000078">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Appoint a Senior Information Security Officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-2.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000079">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ organization-defined additional security measures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (7).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000080">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the resources needed to implement the information security programs in capital planning and investment requests and document all exceptions to this requirement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-3.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000081">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000082">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes usage restrictions for organization-controlled mobile devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000083">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000084">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize connection of mobile devices to organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000085">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors for unauthorized connections of mobile devices to organizational information systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000086">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization enforces requirements for the connection of mobile devices to organizational information systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000087">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000088">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000089">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (viii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000090">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization restricts the use of writable, removable media in organizational information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000091">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the use of personally-owned, removable media in organizational information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000092">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000093">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined terms and conditions, and/or identify organization-defined controls asserted to be implemented on external systems, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from the external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000094">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process organization-controlled information using the external information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000095">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits authorized individuals from using an external information system to access the information system except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000096">
- <status>draft</status>
- <publishdate>2009-05-19</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization has approved information system connection or processing agreements with the organizational entity hosting the external information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000097">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000098">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enable authorized users to determine whether access authorizations assigned to the sharing partner match the information's access and use restrictions for organization-defined information sharing circumstances where user discretion is required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-21 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-21 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-21.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-21 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000099">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined automated mechanisms to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-21 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-21 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-21 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-21 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000100">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization level, mission/business process-level, or system-level awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-1.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000101">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization level, mission/business process-level, or system-level awareness and training policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000102">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current security awareness and training policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000103">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the awareness and training policy and associated awareness and training controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-1.1 (iv and v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000104">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate organization-level; mission/business process-level; or system-level awareness and training procedures to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000105">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current security awareness and training procedures in accordance with an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000106">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide basic security literacy training to system users (including managers, senior executives, and contractors) as part of initial training for new users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000107">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide practical exercises in literacy training that simulate events and incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000108">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide role-based security training to personnel with organization-defined roles and responsibilities before authorizing access to the system, information, or performing assigned duties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000109">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide role-based security training to personnel with organization-defined roles and responsibilities when required by system changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000110">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides refresher role-based security training to personnel with assigned security roles and responsibilities in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000111">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency for providing refresher role-based security training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000112">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide basic security awareness training to system users (including managers, senior executives, and contractors) when required by system changes or following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000113">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document individual security training activities, including security awareness training and specific system security training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000114">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor individual information security training activities, including security awareness training and specific security training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000115">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000116">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000117">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-1.1 (I and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000118">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates a formal, documented, audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000119">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current audit and accountability policy on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000120">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-1.1 (iv and v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000121">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates formal, documented, procedures to elements within the organization having associated audit and accountability roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000122">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current audit and accountability procedures on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000123">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify the organization-defined event types that the system is capable of logging in support of the audit function.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000124">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000125">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a rationale for why the event types selected for logging are deemed to be adequate for support after-the-fact investigations of incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000126">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specify the organization-defined event types (subset of the event types defined in AU-2a) along with the frequency of (or situation requiring logging for each identified event type.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000127">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews and updates the list of organization-defined audited events on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000128">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes execution of privileged functions in the list of events to be audited by the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000129">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines in the auditable events that the information system must be capable of auditing based on a risk assessment and mission/business needs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000130">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that audit records containing information that establishes what type of event occurred.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000131">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that audit records containing information that establishes when the event occurred.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000132">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that audit records containing information that establishes where the event occurred.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000133">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that audit records containing information that establishes the source of the event.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000134">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that audit records containing information that establishes the outcome of the event.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000135">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Generate audit records containing the organization-defined additional information that is to be included in the audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000136">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization centrally manages the content of audit records generated by organization-defined information system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000137">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization allocates audit record storage capacity.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000138">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization configures auditing to reduce the likelihood of storage capacity being exceeded.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000139">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000140">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000141">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Make available for expenditure, the planned information security resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-3 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-3.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000142">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the information security program and the associated organizational systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-4 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000143">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000144">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides a real-time alert when organization-defined audit failure events occur.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000145">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity by delaying or rejecting network traffic above those organization-defined thresholds.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000146">
- <status>draft</status>
- <publishdate>2009-05-20</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the percentage of maximum audit record storage capacity that when exceeded, a warning is provided.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000147">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the audit logging failure events requiring real-time alerts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000148">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and analyze system audit records on an organization-defined frequency for indications of organization-defined inappropriate or unusual activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000149">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report any findings to organization-defined personnel or roles for indications of organization-defined inappropriate or unusual activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000150">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6.2" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000151">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for the review and analysis of system audit records for organization-defined inappropriate or unusual activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000152">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000153">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000154">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to centrally review and analyze audit records from multiple components within the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000155">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to further enhance the ability to identify inappropriate or unusual activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000156">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides an audit reduction capability.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-7.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000157">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides a report generation capability.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-7.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000158">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-7 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000159">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use internal system clocks to generate time stamps for audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-8.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000160">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-8 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000161">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency for the synchronization of internal information system clocks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-8 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000162">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect audit information from unauthorized access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000163">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect audit information from unauthorized modification.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-000164">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect audit information from unauthorized deletion.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000165">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Write audit records to hardware-enforced, write-once media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000166">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-10.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-000167">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain audit records for an organization-defined time period to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-11" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-11" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-11.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-000168">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for retention of audit records, which is consistent with its records retention policy, to provide support for after-the-fact investigations of incidents and meet regulatory and organizational information retention requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-11" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-11" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-11.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-000169">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a. on organization-defined information system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000170">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the security program and associated organizational systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-4 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000171">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000172">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000173">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the level of tolerance for relationship between time stamps of individual records in the audit trail that will be used for correlation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12 (1).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000174">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Compile audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12 (1).1 (iii and v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000175">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators for users and devices by verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000176">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by establishing initial authenticator content for authenticators issued by the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000177">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators for users and devices by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000178">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000179">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by establishing minimum lifetime restrictions for authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000180">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000181">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by establishing reuse conditions for authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000182">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by changing or refreshing authenticators in accordance with the organization-defined time period by authenticator type or when organization-defined events occur.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000183">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by protecting authenticator content from unauthorized disclosure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 h" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 h" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000184">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manages system authenticators by requiring individuals to take, and having devices implement, specific security controls to protect authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 i" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 i" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-000185">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (2) (b) (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000186">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For public key-based authentication, enforce authorized access to the corresponding private key.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (2) (a) (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000187">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For public key-based authentication, map the authenticated identity to the account of the individual or group.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (2) (c)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (2) (a) (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000188">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that the registration process to receive an organizational-defined type of authenticator be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000189">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000190">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires vendors/manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000191">
- <status>deprecated</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization enforces password complexity by the number of special characters used.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000192">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces password complexity by the minimum number of upper case characters used.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000193">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces password complexity by the minimum number of lower case characters used.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000194">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces password complexity by the minimum number of numeric characters used.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000195">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000196">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system, for password-based authentication, stores only cryptographically-protected passwords.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000197">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, transmit passwords only cryptographically-protected channels.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000198">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces minimum password lifetime restrictions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (d)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000199">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces maximum password lifetime restrictions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (d)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000200">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prohibits password reuse for the organization-defined number of generations.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (e)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000201">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000202">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures unencrypted static authenticators are not embedded in access scripts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (7)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000203">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures unencrypted static authenticators are not stored on function keys.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (7)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000204">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security controls required to manage the risk of compromise due to individuals having accounts on multiple information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (8)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (8).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000205">
- <status>draft</status>
- <publishdate>2009-05-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces minimum password length.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000206">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-6" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-6.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000207">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops and maintains an inventory of its information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-5.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000208">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization determines normal time-of-day and duration usage for information system accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (5).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000209">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop the results of information security measures of performance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-6" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000210">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the results of information security measures of performance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-6" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000211">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report on the results of information security measures of performance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-6" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000212">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-7" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-7.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000213">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000214">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes a Discretionary Access Control (DAC) policy that limits propagation of access rights.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000215">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000216">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Address information security issues in the development and documentation of a critical infrastructure and key resources protection plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-8.1 (I and iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000217">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period after which inactive accounts are automatically disabled.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000218">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (12).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000219">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, decompose information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (13)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (13).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000221">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces security policies regarding information on interconnected systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (16).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000223">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system binds security attributes to information to facilitate information flow policy enforcement.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (17).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (17) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000224">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system tracks problems associated with the security attribute binding.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (17).1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (17) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000225">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned organizational tasks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000226">
- <status>draft</status>
- <publishdate>2009-09-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000227">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a comprehensive strategy to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-9 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-9 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000228">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the risk management strategy consistently across the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-9 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-9 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-9.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000229">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the security state of organizational information systems and the environments in which those systems operate through security authorization processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-10 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000230">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization tracks the security state of organizational information systems and the environments in which those systems operate through security authorization processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-10 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000231">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reports the security state of organizational information systems and the environments in which those systems operate through security authorization processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-10 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000232">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document and provide supporting rationale in the security plan for the system, user actions not requiring identification and authentication.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-14 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-14 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-14.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000233">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-10 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000234">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate the authorization processes into an organization-wide risk management program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-10 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-10 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-10.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-10 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000235">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define organizational mission and business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-11 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-11.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000236">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine information protection needs arising from the defined mission and business processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-11 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-11.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000237">
- <status>draft</status>
- <publishdate>2009-06-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system accounts by specifically authorizing and monitoring the use of guest/anonymous accounts and temporary accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000238">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency to review and update the current assessment, authorization, and monitoring policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000239">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process; system-level assessment, authorization, and monitoring policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-1.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000240">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminates to organization-defined personnel or roles an organization-level; mission/business process; system-level assessment, authorization, and monitoring policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000241">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current assessment, authorization, and monitoring policy on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000242">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-1.1 (iv and v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000243">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate to organization-defined personnel or roles procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000244">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current assessment, authorization, and monitoring procedures on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000245">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a security assessment plan for the information system and its environment of operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000246">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a control assessment plan that describes the scope of the assessment including controls and control enhancements under assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 b 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000247">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a control assessment plan that describes the scope of the assessment including assessment procedures to be used to determine control effectiveness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000248">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a control assessment plan that describes the scope of the assessment including assessment environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 b 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 a 3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000249">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organizations security assessment plan describes the assessment team.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000250">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's security assessment plan describes assessment roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000251">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assess the controls in the systems and its environment of operation on an organization-defined frequency, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000252">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which the security controls in the system and its environment of operation are assessed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000253">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Produce a control assessment report that document the results of the assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000254">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the results of the control assessment to organization-defined individuals or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000255">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ independent assessors or assessment teams to conduct control assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000256">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include as part of the control assessments, announced or unannounced, on an organization-defined frequency, in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; and/or organization-defined other forms of assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000257">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000258">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document, as part of each exchange agreement, the interface characteristics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000259">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document, as part of each exchange agreement,, the security requirements, controls and responsibilities for each system, and the impact level of the information communicated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000260">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents, for each interconnection, the nature of the information communicated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000261">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-3.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000262">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-3 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000263">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the direct connection of a classified, national security system to an external network without the use of organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000264">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-5-1 (i) and (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000265">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to update the existing plan of action and milestones for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-5-1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000266">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update, on an organization-defined frequency, the existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-5-1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000267">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the accuracy of the plan of action and milestones for the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000268">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the currency of the plan of action and milestones for the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000269">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the availability of the plan of action and milestones for the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000270">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assign a senior official as the authorizing official for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000271">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the authorizing official for the system authorizes the system to operate before commencing operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-6 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000272">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the authorization on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-6 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-6.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000273">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to update the authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-6 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000274">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a continuous monitoring strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000275">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a continuous monitoring program that includes a configuration management process for the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000276">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a continuous monitoring program that includes a configuration management process for the information system constituent components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000277">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000278">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the environment of operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000279">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement ongoing control assessments in accordance with the continuous monitoring strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000280">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a continuous monitoring program that includes reporting the security status to organization-defined personnel or roles on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000281">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to report the security status to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000282">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000283">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000284">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization schedules announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000285">
- <status>draft</status>
- <publishdate>2009-09-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000286">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the configuration management policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000287">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000288">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates formal, documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000289">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update, on an organization-defined frequency, the configuration management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000290">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level configuration management policy and the associated configuration management controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000291">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000292">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update, on an organization-defined frequency, the procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level configuration management policy and associated configuration management controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000293">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a current baseline configuration of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000294">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a baseline configuration of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000295">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain, under configuration control, a current baseline configuration of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000296">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the baseline configuration of the system on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000297">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the baseline configuration of the system when required due to organization-defined circumstances.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 b 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000298">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000299">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000300">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain complete configuration of the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000301">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain current configuration of the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000302">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain accurate configuration of the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000303">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain available configuration of the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000304">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain organization-defined number of previous versions of baseline configurations of the system to support rollback.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000305">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a list of software programs not authorized to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000306">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains the list of software programs not authorized to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000307">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000308">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops the list of software programs authorized to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000309">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains the list of software programs authorized to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000310">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000311">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain a baseline configuration for system development environments that is managed separately from the operational baseline configuration.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000312">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain a baseline configuration for system test environments that is managed separately from the operational baseline configuration.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000313">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine and document the types of changes to the system that are configuration-controlled.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000314">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve or disapprove configuration-controlled changes to the system, with explicit consideration for security impact analyses.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000315">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents approved configuration-controlled changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000316">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain records of configuration-controlled changes to the system for an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000317">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews records of configuration-controlled changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000318">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor and review activities associated with configuration-controlled changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000319">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate and provides oversight for configuration change control activities through an organization-defined configuration change control element that convenes at the organization-defined frequency, and/or for any organization-defined configuration change conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (vii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000320">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to convene the configuration change control element.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000321">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines configuration change conditions that prompt the configuration change control element to convene.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000322">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined automated mechanisms to document proposed changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000323">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined automated mechanisms to notify organization-defined approval authorities of proposed changes to the system and request change approval.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000324">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined automated mechanisms to highlight proposed changes to the system that have not been approved or disapproved by an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000325">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined automated mechanisms to prohibit changes to the system until designated approvals are received.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (d)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (1) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000326">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined automated mechanisms to document all changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (e)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (1) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000327">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Tests changes to the system before finalizing the implementation of the changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000328">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Validate changes to the system before finalizing the implementation of the changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000329">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document changes to the system before finalizing the implementation of the changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000330">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement changes to the current system baseline using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000331">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Deploy the updated system baseline across the installed base using organization-defined automated mechanism.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000332">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require an organization-defined security representative to be a member of the organization-defined configuration change control element.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000333">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze changes to the system to determine potential security impacts prior to change implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-4.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000334">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization analyzes new software in a separate test environment before installation in an operational environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-4 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000335">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>After system changes, verify that the impacted controls are implemented correctly, meeting the security requirements for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000336">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>After system changes, verify that the impacted controls are operating as intended, meeting the security requirements for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000337">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>After system changes, verify that the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000338">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines physical access restrictions associated with changes to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000339">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents physical access restrictions associated with changes to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000340">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve physical access restrictions associated with changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000341">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce physical access restrictions associated with changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000342">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines logical access restrictions associated with changes to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000343">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents logical access restrictions associated with changes to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000344">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve logical access restrictions associated with changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000345">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce logical access restrictions associated with changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000346">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to enforce access restrictions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000347">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to support auditing of the enforcement actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000348">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency with which to conduct reviews of information system changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000349">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews information system changes per organization-defined frequency to determine whether unauthorized changes have occurred.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000350">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews information system changes upon organization-defined circumstances to determine whether unauthorized changes have occurred.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000351">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000352">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000353">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system components requiring enforcement of a dual authorization for system changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000354">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce dual authorization for implementing changes to organization-defined system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000355">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization limits information system developer/integrator privileges to change hardware components directly within a production environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000356">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization limits information system developer/integrator privileges to change software components directly within a production environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000357">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization limits information system developer/integrator privileges to change firmware components directly within a production environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000358">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization limits information system developer/integrator privileges to change system information directly within a production environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000359">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency to review information system developer/integrator privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000360">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency to reevaluate information system developer/integrator privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000361">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews information system developer/integrator privileges per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (5).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000362">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reevaluates information system developer/integrator privileges per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (5).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000363">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000364">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes configuration settings for information technology products employed within the information system using organization-defined security configuration checklists.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000365">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000366">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security configuration settings.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000367">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify any deviations from the established configuration settings for organization-defined system components based on organization-defined operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000368">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document any deviations from the established configuration settings for organization-defined system components based on organization-defined operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000369">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve any deviations from the established configuration settings for organization-defined system components based on organization-defined operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000370">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000371">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply configuration settings for organization-defined system components using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000372">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify configuration settings for organization-defined system components using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000373">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines configuration settings for which unauthorized changes are responded to by automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000374">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000375">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization incorporates detection of unauthorized, security-relevant configuration changes into the organizations incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000376">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures unauthorized, security-relevant configuration changes detected are monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000377">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures unauthorized, security-relevant configuration changes detected are corrected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000378">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures unauthorized, security-relevant configuration changes detected are available for historical purposes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000379">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists) prior to being introduced into a production environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000380">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines prohibited or restricted functions, system ports, protocols, software and/or services for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000381">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Configure the system to provide only organization-defined mission essential capabilities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000382">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000383">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000384">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, software, and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000385">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000386">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000387">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines registration requirements for functions, ports, protocols, and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM- 7(3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000388">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure compliance with organization-defined registration requirements for functions, ports, protocols, and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000389">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an inventory of information system components that accurately reflects the current information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000390">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents an inventory of information system components that accurately reflects the current information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000391">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains an inventory of information system components that accurately reflects the current information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000392">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an inventory of information system components that includes all components within the authorization boundary of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000393">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents an inventory of information system components that includes all components within the authorization boundary of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000394">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains an inventory of information system components that is consistent with the authorization boundary of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000395">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000396">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000397">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000398">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines information deemed necessary to achieve effective system component accountability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 a 5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000399">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000400">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000401">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains an inventory of information system components that includes organization-defined information deemed necessary to achieve effective property accountability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000402">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an inventory of information system components that is available for review by designated organizational officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000403">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents an inventory of information system components that is available for review by designated organizational officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000404">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains an inventory of information system components that is available for review by designated organizational officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000405">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an inventory of information system components that is available for audit by designated organizational officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000406">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents an inventory of information system components that is available for audit by designated organizational officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000407">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains an inventory of information system components that is available for audit by designated organizational officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000408">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the inventory of system components as part of component installations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000409">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the inventory of system components as part of component removals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000410">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the inventory of system components as part of system updates.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000411">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the currency of the inventory of system components using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000412">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the completeness of the inventory of system components using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000413">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the accuracy of the inventory of system components using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000414">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the availability of the inventory of system components using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000415">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of employing automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000416">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Detect the presence of unauthorized hardware, software, and firmware components within the system using organization-defined automated mechanisms, on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000417">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disables network access by unauthorized components/devices or notifies designated organizational officials.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (3).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000418">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include in the system component inventory information, a means for identifying by name, position, and/or role, individuals responsible and accountable for administering those components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000419">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000420">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-8 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-8 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000421">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000422">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000423">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a configuration management plan for the system that addresses roles, responsibilities, and configuration management processes and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000424">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a configuration management plan for the information system that defines the configuration items for the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000425">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system that defines the configuration items for the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000426">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a configuration management plan for the system that defines the configuration items for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000427">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000428">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000429">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000430">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000431">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000432">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000433">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000434">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000435">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000436">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-9 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000437">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current contingency planning policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000438">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organizational-level; mission/business process-level; and/or system-level contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000439">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organizational-level; mission/business process-level; and/or system-level contingency planning policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000440">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current contingency planning policy in accordance with an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000441">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000443">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that identifies essential missions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000444">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that identifies essential business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000445">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that identifies associated contingency requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000446">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that provides recovery objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000447">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that provides restoration priorities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000448">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that provides metrics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000449">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that addresses contingency roles, responsibilities, assigned individuals with contact information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000450">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000451">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system disruption.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 I)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000452">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000453">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000454">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000455">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000456">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that addresses eventual, full information system restoration without deterioration of the controls originally planned and implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000457">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that is reviewed and approved by organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 6" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000458">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000459">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000460">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate contingency planning activities with incident handling activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000461">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review the contingency plan for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000462">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reviews the contingency plan for the system in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000463">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Updates the contingency plan to address changes to the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000464">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Updates the contingency plan to address changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000465">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Updates the contingency plan to address changes to the environment of operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000466">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000468">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Communicates contingency plan changes to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2.2 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000469">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate contingency plan development with organizational elements responsible for related plans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000470">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct capacity planning so that necessary capacity for information processing exists during contingency operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000471">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct capacity planning so that necessary capacity for telecommunications exists during contingency operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000472">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct capacity planning so that necessary capacity for environmental support exists during contingency operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000473">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for planning the resumption of essential missions as a result of contingency plan activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000474">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for planning the resumption of essential business functions as a result of contingency plan activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000475">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan for the resumption of all or essential mission functions within the organization-defined time period of contingency plan activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000476">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan for the resumption of all or essential business functions within the organization-defined time period of contingency plan activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000477">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the time period for planning the resumption of all missions as a result of contingency plan activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000478">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the time period for planning the resumption of all business functions as a result of contingency plan activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000479">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans for the resumption of all missions within an organization-defined time period of contingency plan activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000480">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans for the resumption of all business functions within an organization-defined time period of contingency plan activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000481">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan for the continuance of all or essential missions with little or no loss of operational continuity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (5).1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000482">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan for the continuance of all or essential business functions with little or no loss of operational continuity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (5).1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000483">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan for the transfer of all or essential mission functions to alternate processing and/or storage sites with minimal or no loss of operational continuity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000484">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan for the transfer of all or essential business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000485">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of contingency training to system users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-3 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000486">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide contingency training to system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000487">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide contingency training to system users consistent with assigned roles and responsibilities in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-3 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000488">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-3 (1).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000489">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000490">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to test the contingency plan for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000491">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency to exercise the contingency plan for the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000492">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines contingency plan tests to be conducted for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000493">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines contingency plan exercises to be conducted for the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000494">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test the contingency plan for the system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000495">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization exercises the contingency plan using organization-defined exercises in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000496">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the contingency plan test results.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000497">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Initiate corrective actions, if needed, after reviewing the contingency plan test results.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000498">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate contingency plan testing with organizational elements responsible for related plans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000499">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization coordinates contingency plan exercises with organizational elements responsible for related plans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000500">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000501">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000502">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test the contingency plan using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000503">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to more thoroughly and effectively exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic exercise scenarios and environments, and more effectively stressing the information and supported missions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000504">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 (4)4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-4 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000505">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish an alternate storage site, including necessary agreements to permit the storage of system backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000506">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000507">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-6 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000508">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-6 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000509">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-6 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000510">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period consistent with recovery time and recovery point objectives for essential missions/business functions to permit the transfer and resumption of organization-defined system operations at an alternate processing site when the primary processing capabilities are unavailable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000511">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the time period for achieving the recovery time objectives for business functions within which processing must be resumed at the alternate processing site.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000512">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes an alternate processing site.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000513">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined system operations for essential mission functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000514">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined system operations for essential business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000515">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000516">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000517">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000518">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000519">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prepare the alternate processing site so that the site can serve as the operational site supporting essential missions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000520">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prepare the alternate processing site so that the site can serve as the operational site supporting essential business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000521">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide controls at the alternate processing site that are equivalent to those at the primary site.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000522">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period within which to permit the resumption of organization-defined system operations for essential mission functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000523">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period within which to permit the resumption of organization-defined system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000524">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish alternate telecommunication services, including necessary agreements to permit the resumption of organization-defined system operations for essential mission functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000525">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish alternate telecommunication services, including necessary agreements to permit the resumption of organization-defined system operations for essential business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000526">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000527">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000528">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary telecommunications services are provided by a common carrier.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000529">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the alternate telecommunications services are provided by a common carrier.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000530">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000531">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000532">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require primary telecommunications service providers to have contingency plans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000533">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require alternate telecommunications service providers to have contingency plans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000534">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000535">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct backups of user-level information contained in organization-defined system components per organization-defined frequency that is consistent with recovery time and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000536">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000537">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct backups of system-level information contained in the system per organization-defined frequency that is consistent with recovery time and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000538">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of conducting system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (c) " />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000539">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct backups of system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (c) " />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000540">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects the confidentiality, integrity, and availability of backup information at storage locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (d)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9.2" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000541">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to test backup information to verify media reliability and information integrity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000542">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test backup information per an organization-defined frequency to verify media reliability and information integrity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000543">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000544">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization stores backup copies of the operating system in a separate facility or in a fire-rated container that is not colocated with the operational system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000545">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization stores backup copies of critical information system software in a separate facility or in a fire-rated container that is not colocated with the operational system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000546">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000547">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period and transfer rate of the system backup information to the alternate storage site consistent with the recovery time and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000548">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Transfer system backup information to the alternate storage site in accordance with the organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000549">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain a redundant secondary system that is not collocated with the primary system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000550">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides for the recovery and reconstitution of the information system to a known state after a disruption.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-000551">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides for the recovery and reconstitution of the information system to a known state after a compromise.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-000552">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides for the recovery and reconstitution of the information system to a known state after a failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-000553">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement transaction recovery for systems that are transaction-based.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-10 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000554">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000555">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000556">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines restoration time periods within which to restore system components from configuration-controlled and integrity-protected information representing a known, operational state for the components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000557">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to restore information system components within organization-defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (4).1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000558">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the real-time or near-real-time failover capability to be provided for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000559">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide real-time or near-real-time organization-defined failover capability for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000560">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects backup and restoration hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000561">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects backup and restoration firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000562">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects backup and restoration software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-10 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-10 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-10 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000563">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and or system-level planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000564">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process-level; and or system-level planning policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000565">
- <status>deprecated</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews/updates, per organization-defined frequency, a formal, documented security planning policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000566">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the planning policy and associated planning controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000567">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminates planning procedures to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000568">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current planning procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000570">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a security plan for the information system that is consistent with the organization's enterprise architecture; explicitly defines the authorization boundary for the system; describes the operational context of the information system in terms of mission and business processes; provides the security category and impact level of the information system, including supporting rationale; describes the operational environment for the information system; describes relationships with, or connections to, other information systems; provides an overview of the security requirements for the system; and describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplemental decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000571">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that are reviewed and approved by the authorizing official or designated representative prior to plan implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 15" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000572">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing the plans for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000573">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the plans in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000574">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000576">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: the purpose of the system; a description of the system architecture; the security authorization schedule; and the security categorization and associated factors considered in determining the categorization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (1).1 (i) (ii) (iii) (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000577">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the CONOPS.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-7 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000578">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the CONOPS in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-7 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (1).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000580">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains external interfaces.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000581">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains the information being exchanged across the interfaces.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000582">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains the protection mechanisms associated with each interface.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000583">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains user roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000584">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains the access privileges assigned to each role.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000585">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains unique security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000586">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains types of information processed by the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000587">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains types of information stored by the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000588">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains types of information transmitted by the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000589">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000590">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000591">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-2 (2) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000592">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish the rules that describe their responsibilities and expected behavior, for information and system usage, for individuals requiring access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000593">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Receive a documented acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-4 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000594">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include in the rules of behavior, restrictions on the use of social media, social networking sites, and external sites/applications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000595">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include in the rules of behavior, restrictions on posting organizational information on public websites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000596">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes in the rules of behavior, explicit restrictions on sharing information system account information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000597">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-5.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000598">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-6.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000599">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational assets.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-6.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000600">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-6.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000601">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current system and services acquisition policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000602">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000603">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate to organization-defined personnel or roles an organization-level; mission/business process-level; and/or system-level system and services acquisition policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000604">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and services acquisition policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000605">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000606">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate to organization-defined personnel or roles procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000607">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and services acquisition procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000608">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes a determination of information security requirements for the information system in mission process planning.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000609">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes a determination of information security requirements for the information system in business process planning.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000610">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine the resources required to protect the system or system service as part of the organizational capital planning and investment control process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000611">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document the resources required to protect the system or system service as part of the organizational capital planning and investment control process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000612">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000613">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a discrete line item for information security in organizational programming documentation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000614">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a discrete line item for information security in organizational budgeting documentation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000615">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage the system using an organization-defined system development life cycle that incorporates information security considerations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000616">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define and document information system security roles and responsibilities throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000617">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents information system security roles and responsibilities throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000618">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify individuals having information system security roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-3 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000619">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes security functional requirements/specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000620">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes security-related documentation requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000621">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes developmental and evaluation-related assurance requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000623">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000624">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires in acquisition documents that vendors/contractors provide information describing the design details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000625">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires in acquisition documents that vendors/contractors provide information describing the implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000626">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs state-of-the-practice software and security engineering methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000627">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs quality control processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000628">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development processes employ validation techniques.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000629">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (4).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000630">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires in acquisition documents, that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (5).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000631">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (6) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (6) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (6) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000632">
- <status>deprecated</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs only commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (6) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000633">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that government off-the-shelf or commercial-off-the-shelf information assurance and information assurance-enabled information technology products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (6) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (6) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (6) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000634">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (7).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000635">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (7) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (7).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (7) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000636">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000637">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects, as required, administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000638">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes available to authorized personnel administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000639">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000640">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects, as required, user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000641">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes available to authorized personnel user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000642">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000643">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (1).1 (i) SA-5(2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000644">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects, as required, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (1).1 (i) SA-5(2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000645">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (1).1 SA-5(2).1 SA-5(3).1 SA-5(4).1 (i)s" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000646">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (1).1 SA-5(2).1 SA-5(3).1 SA-5(4) (ii)s" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000647">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000648">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects, as required, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000650">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000651">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects, as required, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000653">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains the source code for the information system to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000654">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects, as required, the source code for the information system to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000655">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses software and associated documentation in accordance with contract agreements and copyright laws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000656">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000657">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000658">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000659">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the use of binary executable code from sources with limited or no warranty without accompanying source code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-6 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-6 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000660">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the use of machine executable code from sources with limited or no warranty without accompanying source code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-6 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-6 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000661">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides exceptions to the source code requirement only when no alternative solutions are available to support compelling mission/operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-6 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-6 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000662">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains express written consent of the authorizing official for exceptions to the source code requirement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-6 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-6 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000663">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization (or information system) enforces explicit rules governing the installation of software by users.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000664">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply organization-defined systems security and privacy engineering principles in the specification of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-8.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000665">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply organization-defined systems security and privacy engineering principles in the design of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000666">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply organization-defined systems security and privacy engineering principles in the development of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-8.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000667">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply organization-defined systems security and privacy engineering principles in the implementation of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-8.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000668">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply organization-defined systems security and privacy engineering principles in the modification of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-8.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000669">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that providers of external system services comply with organizational security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000670">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000671">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines government oversight with regard to external information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000672">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents government oversight with regard to external information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000673">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines user roles and responsibilities with regard to external information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000674">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents user roles and responsibilities with regard to external information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000675">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors security control compliance by external service providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000676">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts an organizational assessment of risk prior to the acquisition of dedicated information security services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000677">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts an organizational assessment of risk prior to the outsourcing of dedicated information security services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000678">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the senior organizational official designated to approve acquisition of dedicated information security services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000679">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the senior organizational official designated to approve outsourcing of dedicated information security services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000680">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures the acquisition of dedicated information security services is approved by an organization-designated senior organizational official.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000681">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures the outsourcing of dedicated information security services is approved by an organization-designated senior organizational official.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-9 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-9 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000682">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to perform configuration management during information system design.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000683">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to perform configuration management during information system development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000684">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to perform configuration management during information system implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000685">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to perform configuration management during information system operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000686">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to perform configuration management during information system design.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000687">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to perform configuration management during information system development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000688">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to perform configuration management during information system implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000689">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to perform configuration management during information system operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000690">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to manage and control changes to the information system during design.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000691">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to manage and control changes to the information system during design.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000692">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to implement only organization-approved changes to the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000693">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to implement only organization-approved changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000694">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to document approved changes to the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000695">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to document approved changes to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000696">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that information system developers track security flaws and flaw resolution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000697">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to track security flaws and flaw resolution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000698">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000699">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to provide an integrity check of software to facilitate organizational verification of software integrity after delivery.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000700">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000701">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides an alternative configuration management process with organizational personnel in the absence of a dedicated integrator configuration management team.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000702">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers, in consultation with associated security personnel (including security engineers), to create a security test and evaluation plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1 SA-11(3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000703">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000704">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to create a security test and evaluation plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1 SA-11(3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000705">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000706">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000707">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000708">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000709">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000710">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000711">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000712">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to employ code analysis tools to examine software for common flaws and document the results of the analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11 (1).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000713">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to employ code analysis tools to examine software for common flaws and document the results of the analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11 (1).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000714">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to perform a vulnerability analysis to document vulnerabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11 (*2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000715">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to perform a vulnerability analysis to document exploitation potential.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000716">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers to perform a vulnerability analysis to document risk mitigations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000717">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to perform a vulnerability analysis to document vulnerabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000718">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to perform a vulnerability analysis to document exploitation potential.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000719">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators perform a vulnerability analysis to document risk mitigations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-11 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000720">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system developers implement the security test and evaluation plan under the witness of an independent verification and validation agent.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1 1(3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000721">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires information system integrators to implement the security test and evaluation plan under the witness of an independent verification and validation agent.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1 1(3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-11 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000722">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security safeguards to employ to protect against supply chain threats to the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-000723">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-000724">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization purchases all anticipated information system components and spares in the initial acquisition.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000725">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000726">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000727">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000728">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000729">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses trusted shipping for information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000730">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses trusted shipping for information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000731">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses trusted shipping for information technology products.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000732">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses trusted warehousing for information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000733">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses trusted warehousing for information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000734">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses trusted warehousing for information technology products.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000735">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a diverse set of suppliers for information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000736">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a diverse set of suppliers for information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000737">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a diverse set of suppliers for information technology products.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000738">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a diverse set of suppliers for information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000739">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs standard configurations for information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000740">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs standard configurations for information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000741">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs standard configurations for information technology products.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000742">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization minimizes the time between purchase decisions and delivery of information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000743">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization minimizes the time between purchase decisions and delivery of information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000744">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization minimizes the time between purchase decisions and delivery of information technology products.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000745">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs independent analysis and penetration testing against delivered information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000746">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs independent analysis and penetration testing against delivered information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000747">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs independent analysis and penetration testing against delivered information technology products.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-12 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-12 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000748">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines level of trustworthiness for the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-13.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-000749">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that the information system meets the organization-defined level of trustworthiness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-13.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-000750">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the list of critical information system components that require re-implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-14.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-000751">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization determines the organization-defined list of critical information system components that require re-implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-14" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000752">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization re-implements organization-defined critical information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-14.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000753">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies information system components for which alternative sourcing is not viable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-14 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-14 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000754">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines measures to be employed to prevent critical security controls for information system components from being compromised.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-14 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-14 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000755">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined measures to ensure critical security controls for the information system components are not compromised.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-14 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-14 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000756">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000757">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process-level; and/or system-level identification and authentication policy to organization-defined personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000758">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current identification and authentication policy in accordance with the organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000759">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing and updating the identification and authentication policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000760">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-1.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000761">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000762">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current identification and authentication procedures in accordance with the organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000763">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing and updating the identification and authentication procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000764">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000765">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement multifactor authentication for network access to privileged accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000766">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement multifactor authentication for network access to non-privileged accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000767">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements multifactor authentication for local access to privileged accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000768">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements multifactor authentication for local access to non-privileged accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000769">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000770">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (5).2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000771">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000772">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000773">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines replay-resistant authentication mechanisms to be used for network access to privileged accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (8).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000774">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (8).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000775">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines replay-resistant authentication mechanisms to be used for network access to non-privileged accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (9).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000776">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-2 (9).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-2 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000777">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines devices and/or types of devices for which identification and authentication is required before establishing a connection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000778">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Uniquely identify organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000779">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system authenticates devices before establishing remote network connections using bidirectional authentication between devices that is cryptographically based.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-3 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000780">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-3 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000781">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000782">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization standardizes, with regard to dynamic address allocation, Dynamic Host Control Protocol (DHCP) lease information and the time assigned to DHCP-enabled devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-3 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000783">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Audit lease information when assigned to a device.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-3 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000784">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user identifier.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000785">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a device identifier.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000786">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies an individual.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000787">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies a device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000788">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers for users and devices by assigning the user identifier to the intended party.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000789">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers for users and devices by assigning the device identifier to the intended device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000790">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a time period for which the reuse of user identifiers is prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000791">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a time period for which the reuse of device identifiers is prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000792">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers for users and devices by preventing reuse of user identifiers for an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000793">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers for users and devices by preventing reuse of device identifiers for an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000794">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a time period of inactivity after which the identifier is disabled.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000795">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000796">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000797">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that registration to receive a user ID and password include authorization by a supervisor.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4 (2) (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000798">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that registration to receive a user ID and password be done in person before a designated registration authority.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4 (2) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000799">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000800">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines characteristics for identifying individual status.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000801">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage individual identifiers by uniquely identifying each individual as organization-defined characteristics identifying individual status.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000802">
- <status>draft</status>
- <publishdate>2009-09-17</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system dynamically manages identifiers, attributes, and associated access authorizations.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-4 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000803">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-7" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-7.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000804">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-8.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-000805">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000806">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process-level; and/or system-level incident response policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000807">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current incident response policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000808">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current incident response policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000809">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of incident response policy and associated incident response controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000810">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate the incident response procedures to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000811">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current incident response procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000812">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current incident response procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000813">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide incident response training to system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming an incident response role or responsibility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000814">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide incident response training in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-2.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000815">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for incident response training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-2.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000816">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000817">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an incident response training environment using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000818">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test the effectiveness of the incident response capability for the system on an organization-defined frequency using organization-defined tests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-3.1 (iii) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000819">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for incident response tests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000820">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines tests for incident response.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000821">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test the incident response capability using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-3 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000822">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000823">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate incident handling activities with contingency planning activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000824">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000825">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Support the incident handling process using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000826">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include organization-defined types of dynamic reconfiguration for organization-defined system components as part of the incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000827">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify organization-defined classes of incidents for which organization-defined actions are to be taken to ensure continuation of organizational mission and business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000828">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify actions to take in response to organization-defined classes of incidents to ensure continuation of organizational missions and business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000829">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000830">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security violations that, if detected, initiate a configurable capability to automatically disable the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000831">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a configurable capability to automatically disable the system if organization-defined security violations are detected.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000832">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track and document incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000833">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to assist in the tracking of security incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000834">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period for personnel to report suspected incidents to the organizational incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000835">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to report suspected incidents to the organizational incident response capability within the organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000836">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report incident information to organization-defined authorities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-6 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000837">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report incidents using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000838">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report system vulnerabilities associated with reported incidents to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-6 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000839">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-7" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-7.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000840">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-7 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000841">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-7 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-7 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-7 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000842">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify organizational incident response team members to the external providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-7 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-7 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-7 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-7 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000843">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an incident response plan that provides the organization with a roadmap for implementing its incident response capability; describes the structure and organization of the incident response capability; provides a high-level approach for how the incident response capability fits into the overall organization; meets the unique requirements of the organization, which relate to mission, size, structure, and functions; defines reportable incidents; provides metrics for measuring the incident response capability within the organization; and defines the resources and management support needed to effectively maintain and mature an incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-8.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000844">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that is reviewed and approved by organization-defined personnel or roles on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-8.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000845">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines incident response personnel (identified by name and/or by role) and organizational elements to whom copies of the incident response plan are distributed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-8.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000846">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-8.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000847">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency for reviewing the incident response plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-8.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000848">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews the incident response plan on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-8.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000849">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-8.2 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-8 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000850">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Communicate incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-8.2 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000851">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current system maintenance policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000852">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-1.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000853">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process-level; and/or system-level maintenance policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000854">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current maintenance policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-000855">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-1.1 (iv and v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000856">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-000857">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current maintenance procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000858">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000859">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000860">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that organization-defines personnel or roles explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000861">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Sanitize equipment to remove organization-defined information from associated media prior to removal from organizational facilities for off-site maintenance, repairs or replacement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-2.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-2 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000862">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair or replacement actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-2.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000863">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains maintenance records for the information system that include the date and time of maintenance, the name of the individual performing the maintenance, the name of escort, if necessary, a description of the maintenance performed, and a list of equipment removed or replaced (including identification numbers, if applicable).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-2 (1) (a)(b)(c)(d)(e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000864">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-2 (2).1(i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000865">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve the use of system maintenance tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000866">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control the use of system maintenance tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000867">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the use of system maintenance tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000868">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains, on an ongoing basis, information system maintenance tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-000869">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-3 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000870">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Check media containing diagnostic and test programs for malicious code before the media are used in the system.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000871">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent the unauthorized removal of maintenance equipment containing organizational information by: (a) verifying that there is no organizational information contained on the equipment; (b) sanitizing or destroying the equipment; (c) retaining the equipment within the facility; or (d) obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-3 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000872">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000873">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve nonlocal maintenance and diagnostic activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000874">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor nonlocal maintenance and diagnostic activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000875">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls non-local maintenance and diagnostic activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000876">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000877">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000878">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain records for nonlocal maintenance and diagnostic activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000879">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization terminates sessions and network connections when nonlocal maintenance is completed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000880">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization audits non-local maintenance and diagnostic sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000881">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents, in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000882">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000883">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000884">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000885">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that maintenance personnel notify organization-defined personnel when non-local maintenance is planned (i.e., date/time).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000886">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be notified of the date and time of planned nonlocal maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (5) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000887">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the approval of each nonlocal maintenance session by organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (5).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000888">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000889">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000890">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a process for maintenance personnel authorization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000891">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain a list of authorized maintenance organizations or personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000892">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000893">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000894">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (1) (a) (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (1) (a) (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000895">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that, prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system be sanitized and all nonvolatile storage media be removed or physically disconnected from the system and secured.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (1) (a) (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (1) (a) (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000896">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that in the event an information system component cannot be sanitized, the procedures contained in the security plan for the system be enforced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000897">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000898">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000899">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that cleared foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000900">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-5 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-5 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000901">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a list of security-critical information system components and/or key information technology components for which it will obtain maintenance support and/or spare parts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000902">
- <status>draft</status>
- <publishdate>2009-09-18</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a time period for obtaining maintenance support and/or spare parts for security-critical information system components and/or key information technology components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000903">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain maintenance support and/or spare parts for organization-defined system components within an organization-defined time period of failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-000904">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-1.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000905">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate a physical and environmental protection policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000906">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current physical and environmental protection policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000907">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the physical and environmental protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000908">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-1.1 (iv and v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000909">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate physical and environmental protection procedures to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000910">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current physical and environmental protection procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000911">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the physical and environmental protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000912">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a list of individuals with authorized access to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000913">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Issue authorization credentials for facility access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000914">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the access list detailing authorized facility access by individuals in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000915">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review the access list detailing authorized facility access by individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000916">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize physical access to the facility where the system resides based on position or role.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000917">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require two forms of identification from an organization-defined list of acceptable forms of identification for visitor access to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000918">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000919">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000920">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify individual access authorizations before granting access to the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000921">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls ingress/egress to the facility where the information system resides using one or more organization-defined physical access control systems/devices or guards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000922">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-000923">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Secure keys, combinations, and other physical access devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-000924">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Inventory organization-defined physical access devices on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000925">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for conducting inventories of organization-defined physical access devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-000926">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Change combinations and keys in accordance with organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000927">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for changing combinations and keys.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-000928">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce physical access authorizations to the system in addition to the physical access controls for the facility where the system resides at organization-defined physical spaces containing one or more components of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000929">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform security checks in accordance with organization-defined frequency at the physical boundary of the facility or system for unauthorized exfiltration of information or removal of information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000930">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ guards to control every physical access point to the facility where the system resides 24 hours per day, 7 days per week.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000931">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use lockable physical casings to protect organization-defined system components from unauthorized physical access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000932">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system components to be protected from unauthorized physical access using lockable physical casings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000933">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined anti-tamper technologies to deter and/or prevent physical tampering or alteration of organization-defined hardware components within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000934">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a penetration testing process that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000935">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-3 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000936">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Controls physical access to organization-defined system distribution and transmission lines within organizational facilities using organization-defined security controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-4.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-000937">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control physical access to output from organization-defined output devices to prevent unauthorized individuals from obtaining the output.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-5.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-000938">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors physical access to the information system to detect and respond to physical security incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000939">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review physical access logs in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000940">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing physical access logs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000941">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate results of reviews and investigations with the organization's incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-6.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000942">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000943">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-6 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000944">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-7.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-000945">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization escorts visitors and monitors visitor activity, when required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-7 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000946">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires two forms of identification for visitor access to the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-7 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000947">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain visitor access records to the facility where the system resides for an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-8 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-8.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000948">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review visitor access records in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-8 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000949">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review the visitor access records for the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-8 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000950">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain and review visitor access records using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-8 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000951">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains a record of all physical access, both visitor and authorized individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-8 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000952">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect power equipment and power cabling for the system from damage and destruction.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-000953">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs redundant and parallel power cabling paths.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-9 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000954">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automatic voltage controls for organization-defined critical system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-9 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000955">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines critical system components that require automatic voltage controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-9 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000956">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides the capability of shutting off power to the organization-defined system or individual system components in emergency situations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-10 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-10 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000957">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Place emergency shutoff switches or devices in an organization-defined location by system or system component to facilitate access for authorized personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-10 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-10.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000958">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a location for emergency shutoff switches or devices by system or system component.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-10 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000959">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect emergency power shutoff capability from unauthorized activation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-10 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-10 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-10.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-10 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000960">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-11.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-000961">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an alternate power supply for the system that is activated manually or automatically and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-11 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-11 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-11 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000962">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-11 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000963">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-12" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-12.1 (i) (ii)(iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-000964">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-12 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000965">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ and maintain fire detection and suppression systems that are supported by an independent energy source.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-13.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-000966">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-13 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000967">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-13 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000968">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ an automatic fire suppression capability for the system when the facility is not staffed on a continuous basis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-13 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-13 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000969">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that the facility undergoes, on an organization-defined frequency, fire marshal inspections and promptly resolves identified deficiencies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-13 (4).1 (ii and iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-13 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000970">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency for fire marshal inspections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-13 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-13 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000971">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain temperature; humidity; pressure; radiation; and/or organization-defined environmental control levels within the facility where the system resides at organization-defined acceptable levels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-14 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-14 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-14.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000972">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines acceptable temperature, humidity, pressure, radiation, and/or organization-defined environmental control levels to be maintained within the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-14 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-14 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-14.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000973">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor environmental control levels in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-14 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-14 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-14.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000974">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for monitoring environmental control levels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-14 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-14 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-14.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000975">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-14 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-14 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-14 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-14 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000976">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-14 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-14 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-14 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-14 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000977">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-15" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-15" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-15.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-000978">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are working properly.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-15" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-15" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-15.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-000979">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>Key personnel have knowledge of the master water shutoff or isolation valves.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-15" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-15" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-15.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-000980">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-15 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-15 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000981">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize organization-defined types of system components entering and exiting the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-16" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-16.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-000982">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors organization-defined types of information system components entering and exiting the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-16" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-16.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-000983">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control organization-defined types of system components entering and exiting the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-16" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-16.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-000984">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain records of system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-16 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-16" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-16.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-000985">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined controls at alternate work sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-17 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-17 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-17.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000986">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines management, operational, and technical information system security controls to be employed at alternate work sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-17.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000987">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assess as feasible, the effectiveness of controls at alternate work sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-17 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-17 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-17.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-000988">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a means for employees to communicate with information security personnel in case of incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-17 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-17 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-17.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-17 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-000989">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Position system components within the facility to minimize potential damage from organization-defined physical and environmental hazards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-18" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-18" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-18.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-18" />
- </references>
- </cci_item>
- <cci_item id="CCI-000990">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization positions information system components within the facility to minimize potential damage from environmental hazards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-18.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-18" />
- </references>
- </cci_item>
- <cci_item id="CCI-000991">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Position system components within the facility to minimize the opportunity for unauthorized access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-18" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-18" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-18.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-18" />
- </references>
- </cci_item>
- <cci_item id="CCI-000992">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards, and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-18 (1).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000993">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the system from information leakage due to electromagnetic signals emanations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-19" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-19" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-19.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-19" />
- </references>
- </cci_item>
- <cci_item id="CCI-000994">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-19 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-19 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-19 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-000995">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-1.1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000996">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminates a media protection policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000997">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current media protection policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000998">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing and updating the current media protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-000999">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the media protection policy and associated media protection controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-1.1 (iv and v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001000">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate to organization-defined personnel or roles procedures to facilitate the implementation of the media protection policy and associated media protection controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001001">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current media protection procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001002">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing and updating the current media protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001003">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001004">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines types of digital and/or non-digital media for which the organization restricts access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001005">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines personnel or roles from which to restrict access to organization-defined types of digital and/or non-digital media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001006">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security measures for restricting access to media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001007">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict access to media storage areas using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-2 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001008">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Log access attempts and access granted using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-2 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001009">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-2 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001010">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Marks system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001011">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Exempt organization-defined types of system media from marking as long as the media remain within organization-defined controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-3.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001012">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines types of system media to exempt from marking as long as the media remain within organization-defined controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001013">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines controlled areas where organization-defined types of system media are exempt from being marked.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001014">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization physically controls and securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001015">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines types of digital and/or non-digital media to physically control and securely store within organization-defined controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001016">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines controlled areas where organization-defined types of digital and/or non-digital media are physically controlled and securely stored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001017">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security measures for securing media storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001018">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-4 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001019">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs cryptographic mechanisms to protect information in storage.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001020">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects and controls organization-defined types of information system media during transport outside of controlled areas using organization-defined security safeguards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001021">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines types of system media protected and controlled during transport outside of controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-5" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001022">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines controls to be used to protect and control organization-defined types of system media during transport outside of controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001023">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain accountability for system media during transport outside of controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-5.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001024">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the activities associated with the transport of system media to authorized personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-5 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-5.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001025">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document activities associated with the transport of system media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-5 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-5 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001026">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ an identified custodian during transport of system media outside of controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-5 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001027">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-5 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001028">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Sanitize organization-defined system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-001029">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization tracks, documents, and verifies media sanitization and disposal actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001030">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization tests sanitization equipment and procedures in accordance with the organization-defined frequency to verify that the intended sanitization is being achieved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001031">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for testing sanitization equipment and procedures to ensure that the intended sanitization is being achieved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001032">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system in accordance with organization-defined circumstances requiring sanitization of portable storage devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001033">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines circumstances requiring sanitization of portable storage devices prior to connecting such devices to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001034">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization sanitizes information system media containing Controlled Unclassified Information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001035">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization sanitizes information system media containing classified information in accordance with NSA standards and policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001036">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization destroys information system media that cannot be sanitized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-6 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-6 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001037">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; system-level risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001038">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process-level; system-level risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001039">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current risk assessment policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001040">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current risk assessment policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001041">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001042">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001043">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current risk assessment procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001044">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current risk assessment procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001045">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001046">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document the security categorization results including supporting rationale in the security plan for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001047">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001048">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct a risk assessment, including determining the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001049">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document risk assessment results in the organization-defined document.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001050">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review risk assessment results on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-3.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001051">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing risk assessment results.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-3.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001052">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the risk assessment on an organization-defined frequency or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-3" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-001053">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for updating the risk assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-3" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-001054">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor and scan for vulnerabilities in the system and hosted applications on an organization-defined frequency and/or randomly in accordance with organization-defined process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001055">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for scanning for vulnerabilities in the system and hosted applications, and/or randomly in accordance with organization-defined process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001056">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor and scan for vulnerabilities in the system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001057">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: enumerating platforms, software flaws, and improper configurations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001058">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze vulnerability scan reports and results from vulnerability monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001059">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remediate legitimate vulnerabilities in organization-defined response times in accordance with an organizational assessment risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001060">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines response times for remediating legitimate vulnerabilities in accordance with an organization assessment of risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001061">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Share information obtained from the vulnerability monitoring process and control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-001062">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001063">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the system vulnerabilities scanned on an organization-defined frequency, prior to a new scan, and/or when new vulnerabilities are identified and reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001064">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for updating the system vulnerabilities scanned.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001065">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs vulnerability scanning procedures that can demonstrate the breadth of coverage (i.e., information system components scanned).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001066">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine information about the system that is discoverable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001067">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement privileged access authorization to organization-identified system components for organization-defined vulnerability scanning activities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001068">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Compare the results of multiple vulnerability scans using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001069">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (7).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001070">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency for employing automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (7).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001071">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review historic audit logs to determine if a vulnerability identified in the organization-defined system has been previously exploited within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (8)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (8).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001072">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs an independent penetration agent or penetration team to conduct a vulnerability analysis on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (9).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001073">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (9).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (9) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001074">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001075">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminates to organization-defined personnel or roles the organization-level; mission/business process-level; and/or system-level system and communications protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 a 1 " />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001076">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and communications protection policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001077">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing and updating the current system and communications protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001078">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001079">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001080">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and communications protection procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001081">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing and updating the current system and communications protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001082">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Separate user functionality, including user interface services, from system management functionality.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-2.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001083">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent the presentation of system management functionality at an interface for non-privileged users.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001084">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Isolate security functions from nonsecurity functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-001085">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ hardware separation mechanisms to implement security function isolation.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-3 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001086">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Isolate security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001087">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-3 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001088">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements security functions as largely independent modules that avoid unnecessary interactions between modules.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001089">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-3 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001090">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent unauthorized and unintended information transfer via shared system resources.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-4.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001091">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system does not share resources that are used to interface with systems operating at different security levels.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001092">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-001093">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the types of denial of service events for protecting against or limiting the effects of the denial-of-service events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-001094">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the ability of individuals to launch organization-defined denial of service attacks against other systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001095">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-5 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001096">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system limits the use of resources by priority.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-6.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-001097">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001098">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001099">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001100">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001101">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit the number of external network connections to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001102">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a managed interface for each external telecommunication service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001103">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a traffic flow policy for each managed interface for each external telecommunication service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001104">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs security controls as needed to protect the confidentiality and integrity of the information being transmitted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (4).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001105">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (4) (d)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (4).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (4) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001106">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review exceptions to the traffic flow policy on an organization-defined frequency for each external telecommunication service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (4) (e)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (4).1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (4) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001107">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for the review of exceptions to the traffic flow policy for each external telecommunication service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (4) (e)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (4) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001108">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove traffic flow policy exceptions that are no longer supported by an explicit mission or business need for each external telecommunication service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (4) (e)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (4).1 (vii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (4) (f)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001109">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Deny network communications traffic by default and allow network communications traffic by exception at managed interfaces; and/or for organization-defined systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (5).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001110">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (6).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001111">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001112">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (8).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001113">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the internal communications traffic to be routed to external networks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (8).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001114">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external networks to which organization-defined internal communications traffic should be routed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (8).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001115">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (9).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001116">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent the unauthorized exfiltration of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (10)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (10).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (10) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001117">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system checks incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (11).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001118">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (12).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001119">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Isolate organization-defined information security tools, mechanisms, and support components from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (13)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (13).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001120">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information security tools, mechanisms, and support components to be isolated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (13)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (13).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001121">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect against unauthorized physical connections at organization-defined managed interfaces.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (14)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (14).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (14)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001122">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the managed interfaces where boundary protections against unauthorized physical connections are to be implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (14)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (14).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001123">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (15)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (15).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (15)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001124">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent discovery of specific system components that represent a managed interface.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (16)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (16)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (16).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001125">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce adherence to protocol formats.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (17)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (17).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (17)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001126">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (18)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (18)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (18)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (18)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001127">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system protects the integrity of transmitted information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-8.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-001128">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-8 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001129">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system maintains the integrity of information during aggregation, packaging, and transformation in preparation for transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-8 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001130">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system protects the confidentiality of transmitted information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-001131">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-9 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001132">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-9 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001133">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-001134">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period of inactivity after which the system terminates a network connection associated with a communications session.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-10.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-001135">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a physically or logically isolated trusted communication path for communication between the user and the trusted components of the system.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-11" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-11.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-001136">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security functions include information system authentication and reauthentication.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-11.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-001137">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes cryptographic keys for required cryptography employed within the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-12.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-001138">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages cryptographic keys for required cryptography employed within the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-12.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-001139">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain availability of information in the event of the loss of cryptographic keys by users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-12 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001140">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization produces, controls, and distributes symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-12 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001141">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization produces, controls, and distributes symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-12 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001142">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-12 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001143">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-12 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-12 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001144">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-13.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-001145">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-13 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001146">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs NSA-approved cryptography to protect classified information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC013 (2(.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001147">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-13 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-13 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001148">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs FIPS-validated or NSA-approved cryptography to implement digital signatures.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-10 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-10 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-13 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-13 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001149">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system protects the integrity and availability of publicly available information and applications.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-14.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-001150">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit remote activation of collaborative computing devices and applications, excluding the organization-defined exceptions where remote activation is to be allowed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-15.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-15 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001151">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines exceptions to the prohibition of collaborative computing devices where remote activation is to be allowed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-15.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-15 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001152">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an explicit indication of use to users physically present at collaborative computing devices.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-15.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001153">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide physical or logical disconnect of collaborative computing devices in a manner that supports ease of use.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-15 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-15 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001154">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-15 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-15 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001155">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable or remove collaborative computing devices and applications from organization-defined systems or system components in organization-defined secure work areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-15 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-15 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001156">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines secure work areas where collaborative computing devices and applications are to be disabled or removed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-15 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-15 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001157">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Associate organization-defined security attributes with information exchanged between systems.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-16" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-16.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001158">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify the integrity of transmitted security attributes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-16 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001159">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Issue public key certificates under an organization-defined certificate policy or obtain public key certificates from an approved service provider.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-17 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-17" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-17.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-17" />
- </references>
- </cci_item>
- <cci_item id="CCI-001160">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines acceptable and unacceptable mobile code and mobile code technologies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001161">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes usage restrictions for acceptable mobile code and mobile code technologies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001162">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes implementation guidance for acceptable mobile code and mobile code technologies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001163">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize the use of mobile code within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001164">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the use of mobile code within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001165">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control the use of mobile code within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001166">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify organization-defined unacceptable mobile code.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001167">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that the development of mobile code to be deployed in information systems meets organization-defined mobile code requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001168">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines mobile code requirements for the acquisition, development, and use of mobile code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001169">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent the download of organization-defined unacceptable mobile code.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001170">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevents the automatic execution of mobile code in organization-defined software applications.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (4).1 (iii) (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001171">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines software applications in which automatic mobile code execution is to be prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001172">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines actions to be enforced before executing mobile code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001173">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-19 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-19.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001174">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-19 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-19.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001175">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization authorizes the use of VoIP within the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-19 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-19.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001176">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors the use of VoIP within the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-19 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-19.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001177">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls the use of VoIP within the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-19 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-19.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001178">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-20 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-20.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-20" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001179">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides the means to indicate the security status of child zones, when operating as part of a distributed, hierarchical namespace.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-20 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-20 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-20 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001180">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-21.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-001181">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system performs data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-21 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-21 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001182">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-22" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-22" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-22.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-22" />
- </references>
- </cci_item>
- <cci_item id="CCI-001183">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the systems that collectively provide name/address resolution service for an organization implement internal/external role separation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-22" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-22" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-22.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-22" />
- </references>
- </cci_item>
- <cci_item id="CCI-001184">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the authenticity of communications sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-23" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-23.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-23" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-001185">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Invalidate session identifiers upon user logout or other session termination.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-23 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-23 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-23 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-23 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001186">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-23 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-23 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001187">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system generates a unique session identifier for each session.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-23 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-23 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001188">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Generate a unique session identifier for each session with organization-defined randomness requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-23 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-23 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-23 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-23 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001189">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines randomness requirements for generating unique session identifiers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-23 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-23 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-23 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-23 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001190">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Fail to an organization-defined known-system state for the following failures on the indicated components while preserving organization-defined system state information in failure.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-24.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-24" />
- </references>
- </cci_item>
- <cci_item id="CCI-001191">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the known system state the system should fail to in the event of an organization-defined system failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-24.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-24" />
- </references>
- </cci_item>
- <cci_item id="CCI-001192">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines types of system failures for which should fail to an organization-defined known system state.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-24.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-24" />
- </references>
- </cci_item>
- <cci_item id="CCI-001193">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system state information that should be preserved in the event of a system failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-24.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-24" />
- </references>
- </cci_item>
- <cci_item id="CCI-001194">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ minimal functionality and information storage on organization-defined information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-25" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-25" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-25.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-25" />
- </references>
- </cci_item>
- <cci_item id="CCI-001195">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-26" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-26" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-26.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-26" />
- </references>
- </cci_item>
- <cci_item id="CCI-001196">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include system components that proactively seek to identify network-based malicious code or malicious websites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-35" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-35" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-26 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-26 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001197">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include within organizational systems organization-defined platform-independent applications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-27" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-27" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-27.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-27" />
- </references>
- </cci_item>
- <cci_item id="CCI-001198">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines applications that are platform independent.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-27" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-27" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-27.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-27" />
- </references>
- </cci_item>
- <cci_item id="CCI-001199">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protects the confidentiality and/or integrity of organization-defined information at rest.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-28.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-28" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28" />
- </references>
- </cci_item>
- <cci_item id="CCI-001200">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-28 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-28 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001201">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a diverse set of information technologies for organization-defined system components in the implementation of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-29" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-29" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-29.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-29" />
- </references>
- </cci_item>
- <cci_item id="CCI-001202">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-30.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-30" />
- </references>
- </cci_item>
- <cci_item id="CCI-001203">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ virtualization techniques to support the deployment of a diversity of operating systems that are changed on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-29 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-29 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-30 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-30 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001204">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of changes to operating systems and applications to support a diversity of deployments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-29 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-29 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-30 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-30 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001205">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs randomness in the implementation of the virtualization techniques.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-30 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-30 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001206">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-31.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-31" />
- </references>
- </cci_item>
- <cci_item id="CCI-001207">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test a subset of the identified covert channels to determine which channels are exploitable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-31 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-31 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-31 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-31 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001208">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-32.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-32" />
- </references>
- </cci_item>
- <cci_item id="CCI-001209">
- <status>draft</status>
- <publishdate>2009-09-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-33.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-33" />
- </references>
- </cci_item>
- <cci_item id="CCI-001210">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For organization-defined system components, load and execute the operating environment from hardware-enforced, read-only media.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-34 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-34.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-34 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001211">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For organization-defined system components, load and execute organization-defined applications from hardware-enforced, read-only media.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-34 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-34.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-34 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001212">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system components on which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-34" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-34.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-34" />
- </references>
- </cci_item>
- <cci_item id="CCI-001213">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines applications that will be loaded and executed from hardware-enforced, read-only media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-34 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-34.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-34 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001214">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined system components with no writeable storage that is persistent across component restart or power on/off.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-34 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-34 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-34 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001215">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components to be employed with no writeable storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-34 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-34 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-34 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001216">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the integrity of information prior to storage on read-only media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-34 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-34 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-34 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001217">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system level system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001218">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process-level; and/or system level system and information integrity policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001219">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and information integrity policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001220">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system level system and information integrity policy and associated system integrity controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001221">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate to organization-defined personnel or roles procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001222">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and information integrity procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001223">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing and updating the current system and information integrity policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001224">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing and updating the current system and information integrity procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001225">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify system flaws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001226">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report system flaws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001227">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correct system flaws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001228">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test software updates related to flaw remediation for effectiveness before installation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001229">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test software updates related to flaw remediation for potential side effects before installation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001230">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate flaw remediation into the organizational configuration management process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001231">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization centrally manages the flaw remediation process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001232">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization installs software updates automatically.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001233">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001234">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency for employing automated mechanisms to determine the state of information system components with regard to flaw remediation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001235">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Measure the time between flaw identification and flaw remediation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001236">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines benchmarks for the time taken to apply corrective actions after flaw identification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001237">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001238">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines information system components for which automated patch management tools are to be employed to facilitate flaw remediation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001239">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001240">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001241">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Configure malicious code protection mechanisms to perform periodic scans of the system on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 c 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001242">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 c 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001243">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Configure malicious code protection mechanisms to block malicious code; quarantine malicious code; and/or take organization-defined action(s) in response to malicious code detection.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 c 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001244">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines one or more actions to perform in response to malicious code detection, such as blocking malicious code, quarantining malicious code, or sending alerts to administrators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 c 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001245">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Address the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3.1 (vii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001246">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization centrally manages malicious code protection mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001247">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system automatically updates malicious code protection mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001248">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prevents non-privileged users from circumventing malicious code protection capabilities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001249">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update malicious code protection mechanisms only when directed by a privileged user.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001250">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization does not allow users to introduce removable media into the information system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001251">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test malicious code protection mechanisms on an organization-defined frequency by introducing a known benign code into the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (6) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (6) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001252">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors events on the information system in accordance with organization-defined monitoring objectives and detects information system attacks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001253">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the objectives of monitoring for attacks and indicators of potential attacks on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001254">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies unauthorized use of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001255">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Invoke internal monitoring capabilities or deploy monitoring devices strategically within the system to collect organization-determined essential information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001256">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Invoke internal monitoring capabilities or deploy monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001257">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Adjust the level of system monitoring activity when there is a change in increased risk to organizational operations and assets, individuals, other organizations, or the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-001258">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain legal opinion with regard to system monitoring activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 f" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-001259">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001260">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated tools to support near real-time analysis of events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001261">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001262">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001263">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001264">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the indicators of compromise or potential compromise which will result in system alerts being provided to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001265">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001266">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify an organization-defined incident response personnel (identified by name and/or by role) of detected suspicious events.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (7).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001267">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines incident response personnel (identified by name and/or by role) to be notified of detected suspicious events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (7).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001268">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the least-disruptive actions to be taken by system to terminate suspicious events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (7).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001269">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (8).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001270">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test intrusion monitoring tools at an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (9).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001271">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for testing intrusion monitoring tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (9).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001272">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes provisions so encrypted traffic is visible to information system monitoring tools.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (10).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001273">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze outbound communications traffic at the external interfaces to the system to discover anomalies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (11).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001274">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Alert organization-defined personnel or roles using organization-defined automated mechanisms when inappropriate or unusual activities with security or privacy implications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (12)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (12).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001275">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the activities which will trigger alerts to security personnel of inappropriate or unusual activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (12)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (12).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001276">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze communications traffic and event patterns for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (13) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (13).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (13) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (13) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001277">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop profiles representing common traffic and event patterns.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (13) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (13).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (13) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (13) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001278">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses the traffic/event profiles in tuning system monitoring devices to reduce the number of false positives to an organization-defined measure of false positives and the number of false negatives to an organization-defined measure of false negatives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (13).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (13) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001279">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false positives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (13).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (13) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001280">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false negatives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (13).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (13) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001281">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a wireless intrusion detection system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (14).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001282">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (15)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (15).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (15)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001283">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correlate information from monitoring tools employed throughout the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (16)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (16).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (16)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001284">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (17)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (17).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (17)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001285">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Receive system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001286">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Generate internal security alerts, advisories, and directives as deemed necessary.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001287">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate security alerts, advisories, and directives to organization-defined personnel or roles, organization-defined elements within the organization, and/or organization-defined external organizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-5.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001288">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organization will disseminate security alerts, advisories, and directives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-5.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001289">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-5.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001290">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Broadcast security alert and advisory information throughout the organization using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-5 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001291">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system verifies the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-001292">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the appropriate conditions, including the system transitional states if applicable, for verifying the correct operation of security functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-001293">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information system responses and alternative action(s) to anomalies discovered during security function verification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-001294">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Alert organization-defined personnel or roles of failed security verification tests.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001295">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement automated mechanisms to support the management of distributed security function testing.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001296">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report the results of security function verification to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001297">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system detects unauthorized changes to software and information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-7.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-001298">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reassesses the integrity of software and information by performing, on an organization-defined frequency, integrity scans of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-7 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001299">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency of integrity scans to be performed on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-7 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001300">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-7 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001301">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ centrally managed integrity verification tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-7 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-7 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001302">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires use of tamper-evident packaging for organization-defined information system components during organization-defined conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-7 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-7 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001303">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines information system components that require tamper-evident packaging.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-7 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-7 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001304">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines conditions (i.e., transportation from vendor to operational site, during operation, both) under which tamper-evident packaging must be used for organization-defined information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-7 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-7 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001305">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-8.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001306">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-8 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-8.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001307">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization centrally manages spam protection mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-8 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001308">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically update spam protection mechanisms on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-8 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001309">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization restricts the capability to input information to the information system to authorized personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-001310">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Checks the validity of organization-defined information inputs to the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-10.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-001311">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system identifies potentially security-relevant error conditions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-11.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001312">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-11 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-11.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001313">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines sensitive or potentially harmful information that should not be contained in error logs and administrative messages.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-11.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001314">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reveal error messages only to organization-defined personnel or roles.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-11 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-11.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-11 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001315">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage information within the system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-12" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-12.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-001316">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects the information system from harm by considering mean time to failure rates for an organization-defined list of information system components in specific environments of operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001317">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a list of information system components for which mean time to failure rates should be considered to protect the information system from harm.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001318">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide substitute system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001319">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Takes system components out of service by transferring component responsibilities to a substitute component no later than an organization-defined fraction or percentage of mean time to failure (MTTF).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001320">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the maximum fraction or percentage of mean time to failure (MTTF) used to determine when system components are taken out of service by transferring component responsibilities to substitute components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001321">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit processes from executing without supervision for more than an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (16)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (16)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001322">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period that is the longest a process is allowed to execute without supervision.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (16)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (16)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001323">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manually initiate transfers between active and standby system components when the use of the active component reaches an organization-defined percentage of the mean time to failure..</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (3).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001324">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure (MTTF) exceeds the organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001325">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a time period that the mean time to failure (MTTF) must exceed before the organization manually initiates a transfer between active and standby information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001326">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>If system component failures are detected, ensure standby components are successfully and transparently installed within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001327">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period for a standby system component to be successfully and transparently installed for the system component that has failed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001328">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>If system component failures are detected, activate an organization-defined alarm, automatically shut down the system, and/or organization-defined action.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001329">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the alarm to be activated when a system component failure is detected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001330">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001331">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the connection of unclassified mobile devices to classified systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (b) (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (b) (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001332">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (b) (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (b) (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001333">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (b) (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (b) (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001334">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require unclassified mobile devices used in facilities containing systems processing, storing, or transmitting classified information and the information stored on those devices be subject to random reviews and inspections by organization-defined security officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (b) (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (b) (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001335">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security officials to perform reviews and inspections of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (b) (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (b) (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001336">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain individual training records for an organization-defined time-period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-4 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001337">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for retaining individual training records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-4 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001338">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system associates the identity of the information producer with the information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-10 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-10 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001339">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system validates the binding of the information producer's identity to the information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-10 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-10 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001340">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain reviewer or releaser identity and credentials within the established chain of custody for all information reviewed or released.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-10 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-10 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001341">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between organization-defined security domains.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-10 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-10 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001342">
- <status>deprecated</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs either FIPS-validated or NSA-approved cryptography to implement digital signatures.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-10 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-10 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001343">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001344">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization specifies the permitted actions for each authorized information system process, role, and/or user in the audit and accountability policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (7).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001345">
- <status>deprecated</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (8).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001346">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a list of inappropriate or unusual activities with security implications that are to result in alerts to security personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (8).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001347">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization performs, in a physically dedicated information system, full-text analysis of privileged functions executed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (9).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001348">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Store audit records on an organization-defined frequency in a repository that is part of a physically different system or system component that the system or component being audited.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9 (2).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001349">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for storing audit records in a repository that is part of a physically different system or system component than the system or component being audited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001350">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to protect the integrity of audit information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001351">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize access to management of audit logging functionality to only an organization-defined subset of privileged users or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001352">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001353">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001354">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system accounts by deactivating temporary accounts that are no longer required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-001355">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system accounts by deactivating accounts of terminated or transferred users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-001356">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors for atypical usage of information system accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (5).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (5) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001357">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reports atypical usage to designated organizational officials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (5).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (5) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001358">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish privileged user accounts in accordance with a role-based access scheme; or an attribute-based access scheme.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (7).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001359">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization tracks privileged role assignments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (7).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001360">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor privileged role assignments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (7) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (7).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (7) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001361">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period after which temporary accounts are automatically terminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001362">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001363">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001365">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period after which emergency accounts are automatically terminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001366">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines user information to be encrypted or stored off-line in a secure location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001367">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines system information to be encrypted or stored off-line in a secure location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001368">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001371">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security or privacy policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (14)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (14)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (14).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001372">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, implement organization-defined security or privacy policy filters requiring fully enumerated formats that restrict data structure and content.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (14)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (14).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (14)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001373">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, examine the information for the presence of organization-defined unsanctioned information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (15)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (15)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (15).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001374">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, prohibit the transfer of such information in accordance with the organization-defined security pr privacy policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (15)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (15).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (15)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001376">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uniquely identifies source domains for information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (17).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (17) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001377">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uniquely authenticates source domains for information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (17).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (17) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001380">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents separation of duties of individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001382">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the number of consecutive, unsuccessful login attempts to the mobile device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001383">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides additional protection for mobile devices accessed via login by purging information from the device after an organization-defined number of consecutive, unsuccessful login attempts to the mobile device.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001384">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For publicly accessible systems, display system use information with organization-defined conditions before granting further access to the publicly accessible system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 c 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001385">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 c 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001386">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 c 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001387">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 c 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001388">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For publicly accessible systems, includes a description of the authorized uses of the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 c 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 c 3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-8.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001389">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period that the system notifies the user of the number of successful logon/access attempts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001390">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period that the system notifies the user of the number of unsuccessful logon/access attempts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001391">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify the user, upon successful logon, of the number of successful logons/accesses during the organization-defined time period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001392">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify the user, upon successful logon, of the number of unsuccessful logon/access attempts during the organization-defined time period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001393">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security-related characteristics/parameters of the user's account which, when changed, will result in a notification being provided to the user during the organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001394">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period during which organization-defined security-related changes to the user's account are to be tracked.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001395">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify the user, upon successful logon, of changes to organization-defined security-related characteristics/parameters of the user's account during the organization-defined time-period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-9 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001396">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security attributes for which the information system supports and maintains the bindings for information in storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001397">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security attributes for which the information system supports and maintains the bindings for information in process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001398">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security attributes for which the information system supports and maintains the bindings for information in transmission.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001399">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system supports and maintains the binding of organization-defined security attributes to information in storage.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001400">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system supports and maintains the binding of organization-defined security attributes to information in process.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001401">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system supports and maintains the binding of organization-defined security attributes to information in transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001402">
- <status>draft</status>
- <publishdate>2009-09-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors for unauthorized remote access to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001403">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically audit account modification actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (4).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001404">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically audit account disabling actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (4).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001405">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically audit account removal actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (4).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001406">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period of expected inactivity when users are required to log out.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001407">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Administer privileged user accounts in accordance with a role-based access scheme; or an attribute-based access scheme.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (7).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001408">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines privileged commands for which dual authorization is to be enforced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001409">
- <status>draft</status>
- <publishdate>2009-09-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines nondiscretionary access control policies to be enforced over the organization-defined set of users and resources, where the rule set for each policy specifies access control information employed by the policy rule set (e.g., position, nationality, age, project, time of day) and required relationships among the access control information to permit access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001410">
- <status>draft</status>
- <publishdate>2009-09-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the set of users and resources over which the information system is to enforce nondiscretionary access control policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001411">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security-relevant information to which the information system prevents access except during secure, non-operable system states.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001412">
- <status>draft</status>
- <publishdate>2009-09-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization encrypts or stores off-line, in a secure location, organization-defined user information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001413">
- <status>draft</status>
- <publishdate>2009-09-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization encrypts or stores off-line, in a secure location, organization-defined system information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001414">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001415">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines limitations for the embedding of data types within other data types.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001416">
- <status>draft</status>
- <publishdate>2009-09-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines one-way information flows to be enforced by the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (7).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001417">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security policy filters to be enforced and used as a basis for flow control decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (8)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (8).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (8) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001418">
- <status>draft</status>
- <publishdate>2009-09-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security policy filters for which the information system enforces the use of human review.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (9).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001419">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security functions or security-relevant information to which users of system accounts, or roles, have access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001420">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001421">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization limits authorization to super user accounts on the information system to designated system administration personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001422">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit privileged access to the system by non-organizational users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001423">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-001424">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Dynamically associate security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001425">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001426">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001427">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system allows authorized users to associate security attributes with information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001428">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (5).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001429">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identifies special dissemination, handling, or distribution instructions for identifying security attributes on output.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001430">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identifies human-readable, standard naming conventions for identifying security attributes on output.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (5).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001431">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency for monitoring for unauthorized remote connections to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001432">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization takes appropriate action if an unauthorized remote connection to the information system is discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (5).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001433">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a list of security functions and security-relevant information that for remote access sessions have organization-defined security measures employed and are audited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (7).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001434">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines additional security measures to be employed when an organization-defined list of security functions and security-relevant information is accessed remotely.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (7).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001435">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines networking protocols within the information system deemed to be nonsecure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (8).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001436">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (8).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001437">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the rationale for the execution of privileged commands and access to security-relevant information in the security plan for the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001438">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes usage restrictions for wireless access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001439">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish implementation guidance for wireless access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-18 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001440">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors for unauthorized wireless access to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001441">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize each type of wireless access to the system prior to allowing such connections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-18 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001442">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization enforces requirements for wireless connections to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001443">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect wireless access to the system using authentication of users and/or devices.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001444">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect wireless access to the system using encryption.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001445">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors for unauthorized wireless connections to the information system on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001446">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization scans for unauthorized wireless access points on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001447">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency of monitoring for unauthorized wireless connections to information system, including scans for unauthorized wireless access points.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001448">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization takes appropriate action if an unauthorized wireless connection is discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (2).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001449">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable, when not intended for use, wireless networking capabilities internally embedded within system components prior to issuance and deployment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-18 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001450">
- <status>draft</status>
- <publishdate>2009-09-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization does not allow users to independently configure wireless networking capabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001451">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-18 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001452">
- <status>draft</status>
- <publishdate>2009-05-25</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001453">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to protect the integrity of remote access sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001454">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (7).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001455">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization explicitly identifies components needed in support of specific operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (8).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001456">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-001457">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines inspection and preventative measures to be applied on mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19.1 (vii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-001458">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Requires that if classified information is found on mobile devices, the incident handling policy be followed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (b) (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (b) (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-19 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-19 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001459">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system components that provide audit record generation capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001460">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor organization-defined open source information and/or information sites per organization-defined frequency for evidence of unauthorized disclosure of organizational information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-13" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-13.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-001461">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-13" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-13.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-001462">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides the capability for authorized users to capture/record and log content related to a user session.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-14 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-14.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001463">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides the capability to remotely view/hear all content related to an established user session in real time.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-14.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001464">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Initiates session audits automatically at system start-up.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-14 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-14 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-14 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-14 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001465">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to store organization-controlled information using the external information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001466">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to transmit organization-controlled information using the external information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001467">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits authorized individuals from using an external information system to process organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001468">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits authorized individuals from using an external information system to store organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001469">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits authorized individuals from using an external information system to transmit organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-20 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001470">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines information sharing circumstances where user discretion is required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-21 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-21 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-21.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-21 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001471">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-21 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-21 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-21.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-21 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001472">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-21 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-21 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-21.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-21 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001473">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate individuals authorized to post information onto a publicly accessible system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-22 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-22 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-22.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-22 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001474">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-22 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-22 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-22.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-22 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001475">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-22 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-22 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-22.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-22 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001476">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the content on the publicly accessible system for nonpublic information on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-22 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-22 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-22.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-22 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001477">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing the content on the publicly accessible system for nonpublic information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-22 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-22 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-22.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-22 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001478">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove nonpublic information from the publicly accessible system, if discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-22 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-22 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-22.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-22 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-001479">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides refresher security awareness training to all information system users (including managers, senior executives, and contractors) in accordance with the organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001480">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and contractors).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001481">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide organization-defined personnel or roles with initial training in the employment and operation of environmental controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001482">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide organization-defined personnel or roles with refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001483">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for providing employees with refresher training in the employment and operation of environmental controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001484">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of (or situation requiring) logging for each identified event.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001485">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the event types for logging within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001486">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency for reviewing and updating the list of organization-defined auditable events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001487">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-001488">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the additional information to be included in the audit records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001489">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines information system components for which generated audit records are centrally managed by the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-3 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001490">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the actions to be taken by the system upon audit failure, including shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001491">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-6 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-6 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001492">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines an authoritative time source for the synchronization of internal information system clocks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-8 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001493">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect audit tools from unauthorized access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001494">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect audit tools from unauthorized modification.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-001495">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect audit tools from unauthorized deletion.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-001496">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to protect the integrity of audit tools.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001497">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for the review and update to the baseline configuration of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001498">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period after which proposed changes to the system that have not been approved or disapproved are highlighted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001499">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit privileges to change software resident within software libraries.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (6).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001500">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system automatically implements organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (7).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001501">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines safeguards and countermeasures to be employed by the information system if security functions (or mechanisms) are changed inappropriately.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-5 (7).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-5 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001502">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors changes to the configuration settings in accordance with organizational policies and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001503">
- <status>draft</status>
- <publishdate>2009-09-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls changes to the configuration settings in accordance with organizational policies and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001504">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-1.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001505">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process-level; and/or system-level personnel security policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-1.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001506">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current personnel security policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001507">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current personnel security policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001508">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current personnel security procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001509">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-1.1 (iv) (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001510">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate personnel security procedures to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001511">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current personnel security procedures in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001512">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assign a risk designation to all organizational positions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001513">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish screening criteria for individuals filling organizational positions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-2 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-2.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001514">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update position risk designations in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-2.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001515">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update position risk designations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-2 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001516">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Screen individuals prior to authorizing access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001517">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Rescreen individuals with authorized access to the system in accordance with organization-defined conditions requiring rescreening, and where rescreening is so indicated, on the organization-defined frequency of rescreening.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-3.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001518">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions requiring rescreening of individuals with authorized access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001519">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001520">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-3 (1).1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001521">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals accessing a system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-3 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001522">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Upon termination of individual employment, disable system access within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001523">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Upon termination of individual employment, conduct exit interviews that include a discussion of organization-defined information security topics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001524">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Upon termination of individual employment, retrieve all security-related organizational system-related property.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-4.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001525">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Upon termination of individual employment, retain access to organizational information formerly controlled by the terminated individual.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-4.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001526">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Upon termination of individual employment, retain access to organizational systems formerly controlled by the terminated individual.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-4.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001527">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and confirm the ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-001528">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Initiate organization-defined transfer or reassignment actions within an organization-defined time period following the formal personnel transfer action.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-5.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-001529">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines transfer or reassignment actions to initiate within an organization-defined time period following the formal personnel transfer action.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-001530">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period within which the organization initiates organization-defined transfer or reassignment actions following the formal personnel transfer action.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-5 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-001531">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 c 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-6.1 (i) (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001532">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the access agreements for organizational systems in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-6.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001533">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update access agreements for organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-6.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001534">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that access to information with special protection measures is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-6 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001535">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that access to information with special protection measures is granted only to individuals who satisfy associated personnel security criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-6 (1).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-6 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001536">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-6 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-6 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001537">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-6 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-6 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001538">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a nondisclosure agreement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 (2) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 (2) (c)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-6 (2).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-6 (2) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001539">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish personnel security requirements including security roles and responsibilities for external providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-7 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-7.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001540">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document personnel security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-7 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-7 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001541">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor provider compliance with personnel security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-7 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-7 e" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-7.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-7 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001542">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-8 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PS-8.1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PS-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-001543">
- <status>draft</status>
- <publishdate>2009-11-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates the most recent information security program plan to appropriate entities in the organization that includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-1.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001544">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001545">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing and updating the access control policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001546">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for reviewing and updating the access control procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001547">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which it will review information system accounts for compliance with account management requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 j" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 j" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 j" />
- </references>
- </cci_item>
- <cci_item id="CCI-001548">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information flow control policies for controlling the flow of information within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001549">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information flow control policies for controlling the flow of information between interconnected systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001550">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines approved authorizations for controlling the flow of information within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001551">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines approved authorizations for controlling the flow of information between interconnected systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001552">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines policy that allows or disallows information flows based on changing conditions or operational considerations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001553">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security or privacy policy filters that privileged administrators have the capability to enable and disable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (10).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001554">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security or privacy policy filters that privileged administrators have the capability to configure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (11).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001555">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uniquely identifies destination domains for information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (17).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (17) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001556">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uniquely authenticates destination domains for information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (17).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (17) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001557">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system tracks problems associated with the information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-4 (17).1 (vii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-4 (17) c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001558">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security functions (deployed in hardware, software, and firmware) for which access must be authorized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-6 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001559">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies the individuals authorized to change the value of associated security attributes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001560">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-16 (4).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001561">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines managed access control points for remote access to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001562">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the appropriate action(s) to be taken if an unauthorized remote connection is discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-17 (5).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-17 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001563">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the appropriate action(s) to be taken if an unauthorized wireless connection is discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-18 (2).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001564">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of security awareness and training policy reviews and updates.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001565">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of security awareness and training procedure reviews and updates.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001566">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide organization-defined personnel or roles with initial training in the employment and operation of physical security controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001567">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide organization-defined personnel or roles with refresher training, thereafter, in the employment and operation of physical security controls in accordance with the organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3 (2).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001568">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for providing employees with refresher training in the employment and operation of physical security controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AT-3 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AT-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001569">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which the current audit and accountability policy will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001570">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which the current audit and accountability procedures will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001571">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the event types that the system is capable of logging in support of the audit function.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001572">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be alerted in the event of an audit logging process failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001573">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines whether to reject or delay network traffic that exceeds organization-defined thresholds.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001574">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system rejects or delays, as defined by the organization, network traffic which exceed the organization-defined thresholds.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-5 (3).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001575">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the system or system component for storing audit records that is a different system or system component than the system or component being audited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-9 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001576">
- <status>deprecated</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system produces a system-wide (logical or physical) audit trail of information system audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001577">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information system components from which audit records are to be compiled into the system-wide audit trail.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AU-12 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AU-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001578">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency to review and update the current assessment, authorization, and monitoring procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001579">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-2 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001580">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001581">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines personnel or roles to whom the security status of the organization and the information system should be reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001582">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines other forms of control assessments other than in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment that should be included as part of the control assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001583">
- <status>draft</status>
- <publishdate>2010-05-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization selects announced or unannounced assessments for each form of security control assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001584">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update configuration management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001585">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances that require reviews and updates to the baseline configuration of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 b 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-2 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-2 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001586">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the configuration change control element responsible for coordinating and providing oversight for configuration change control activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-3.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-3 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-001587">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-4 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001588">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001589">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure they are tracked.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-6 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001590">
- <status>deprecated</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a list of software programs authorized to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001591">
- <status>deprecated</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a list of software programs not authorized to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001592">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the rules authorizing the terms and conditions of software program usage on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001593">
- <status>deprecated</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains a list of software programs authorized to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001594">
- <status>deprecated</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains a list of software programs not authorized to execute on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001595">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains rules authorizing the terms and conditions of software program usage on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CM-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001596">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current contingency planning procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001597">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate contingency planning procedures to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-1.1 (vi)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001598">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current contingency planning procedures in accordance with the organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-1.2 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001599">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Sustain operational continuity of essential missions until full information system restoration at primary processing and/or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (5).1 (b)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001600">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Sustains operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (5).1 (b)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001601">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Sustain operational continuity of essential mission functions at alternate processing and/or storage sites until system restoration to primary processing and/or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001602">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Sustain operational continuity of essential business functions at alternate processing and/or storage sites until system restoration at primary processing and/or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-2 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001603">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The contingency plan identifies the primary storage site hazards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-6 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001604">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Outline explicit mitigation actions for potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-6 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001605">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The contingency plan identifies the primary processing site hazards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001606">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify potential accessibility problems to outline explicit mitigation actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-7 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001607">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes alternate telecommunications services to support the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001608">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies the primary provider's telecommunications service hazards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-8 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001609">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Activate the redundant secondary system that is not collocated with the primary system without loss of information or disruption to operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (6)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CP-9 (6).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CP-9 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001610">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period (by authenticator type) for changing/refreshing authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 g" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-001611">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the minimum number of special characters for password complexity enforcement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001612">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the minimum number of upper case characters for password complexity enforcement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001613">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the minimum number of lower case characters for password complexity enforcement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001614">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the minimum number of numeric characters for password complexity enforcement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001615">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the minimum number of characters that are changed when new passwords are created.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001616">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines minimum password lifetime restrictions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (d)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001617">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines maximum password lifetime restrictions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (d)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001618">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the number of generations for which password reuse is prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (e)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001619">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces password complexity by the minimum number of special characters used.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (1).1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001620">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the types of and/or specific authenticators for which the registration process must be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001621">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined security controls to manage the risk of compromise due to individuals having accounts on multiple systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (8)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IA-5 (8).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IA-5 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001622">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies personnel with incident response roles and responsibilities with respect to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-2.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001623">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-2.1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001624">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the results of incident response tests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-3" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-3.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-001625">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the resulting incident handling activity changes to incident response procedures, training, and testing accordingly.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 c" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-4.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001626">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to assist in the collection of security incident information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-5 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001627">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to assist in the analysis of security incident information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="IR-5 (1).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="IR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001628">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency with which to review and update the current maintenance procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001629">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to produce up-to-date, accurate, complete, and available records of all maintenance and repair actions needed, in process, and complete.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-2 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001630">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>Designated organizational personnel review the maintenance records of the non-local maintenance and diagnostic sessions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001631">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>After the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (3).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001632">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by either physically separated communications paths or logically separated communications paths based upon encryption.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MA-4 (4).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MA-4 (4) (a) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (4) (b) (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001633">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines removable media types and information output requiring marking.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="MP-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="MP-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001634">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies authorized personnel with appropriate clearances and access authorizations for gaining physical access to the facility containing an information system that processes classified information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001635">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove individuals from the facility access list when access is no longer required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 d" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PE-2.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PE-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001636">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current planning policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.2 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001637">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current planning policy in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 b 1" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.2 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001638">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current planning procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-1 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001639">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-4 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PL-4.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PL-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001640">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Address information security issues in the updating of a critical infrastructure and key resources protection plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-8" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-001641">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the process for conducting random vulnerability scans on the system and hosted applications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001642">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organizational document in which risk assessment results are documented (e.g., security plan, privacy plan; risk assessment report).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001643">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor and scan for vulnerabilities in the system and hosted applications in accordance with the organization-defined process for random scans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001644">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs vulnerability scanning procedures that can demonstrate the depth of coverage (i.e., vulnerabilities checked).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001645">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components to which privileged access is authorized for organization-defined vulnerability scanning activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (5)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="RA-5 (5).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="RA-5 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001646">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the current system and services acquisition procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 c 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 b 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-1.2 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001647">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the use of a FIPS-validated, cryptographic module for a technology product that relies on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for such a specific technology type.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-4 (7).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-4 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001648">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes available to authorized personnel the source code for the information system to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (5).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001649">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-7.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-001650">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the information system developers to manage and control changes to the information system during development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001651">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the information system integrators to manage and control changes to the information system during development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001652">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the information system developers to manage and control changes to the information system during implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001653">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the information system integrators to manage and control changes to the information system during implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001654">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the information system developers to manage and control changes to the information system during modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001655">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the information system integrators to manage and control changes to the information system during modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-10.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-10 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001656">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security functions of the information system to be isolated from nonsecurity functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-3.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-001657">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the external boundary of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001658">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines key internal boundaries of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001659">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the mediation necessary for public access to the organization's internal networks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001660">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the measures to protect against unauthorized physical connections across boundary protections implemented at organization-defined managed interfaces.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-7 (14).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-7 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001661">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security functions, to at a minimum, include system authentication and re-authentication, for permitting users to invoke the trusted communications path.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-11" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-11.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-001662">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take organization-defined corrective action when organization-defined unacceptable mobile code is identified.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001663">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services), when operating as part of a distributed, hierarchical namespace.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-20 b" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-20 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-20 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001664">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Recognize only session identifiers that are system-generated.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-23 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-23 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-23 (3).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-23 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001665">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Preserve organization-defined system state information in the event of a system failure.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-24.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-24" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-24" />
- </references>
- </cci_item>
- <cci_item id="CCI-001666">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs cryptographic mechanisms to prevent unauthorized modification of information at rest unless otherwise protected by alternative physical measures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-28 (1).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-28 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001667">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-2 (3).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001668">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001669">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of testing malicious code protection mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (6) (a)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-3 (6).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-3 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (6) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001670">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take organization-defined least-disruptive actions to terminate suspicious events.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (7).1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001671">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze outbound communications traffic at selected organization-defined interior points within the system to discover anomalies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 ( 11).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001672">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs a wireless intrusion detection system to identify rogue wireless devices.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (14).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001673">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (14)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-4 (14).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-4 (14)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001674">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6.1 (v)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-001675">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles that are to receive reports on the results of security function verification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6 (3).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001676">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines, for periodic security function verification, the frequency of the verifications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-6.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-001677">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-8.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001678">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain information within the system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-12" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-12.1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-001679">
- <status>draft</status>
- <publishdate>2010-05-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides a mechanism to exchange active and standby roles of the components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13.1 (iv)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001680">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="PM-1.1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="PM-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001681">
- <status>deprecated</status>
- <publishdate>2011-04-26</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency at which each form of security control assessment should be conducted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="CA-7(2).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="CA-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001682">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically removes or disables emergency accounts after an organization-defined time period for each type of account.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001683">
- <status>draft</status>
- <publishdate>2011-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system notifies organization-defined personnel or roles for account creation actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (4).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001684">
- <status>draft</status>
- <publishdate>2011-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system notifies organization-defined personnel or roles for account modification actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (4).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001685">
- <status>draft</status>
- <publishdate>2011-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system notifies organization-defined personnel or roles for account disabling actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (4).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001686">
- <status>draft</status>
- <publishdate>2011-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system notifies organization-defined personnel or roles for account removal actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-2 (4).1 (i and ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001687">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that the use of mobile code deployed in system meets organization-defined mobile code requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001688">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify the acquisition of mobile code deployed in the system meets organization-defined mobile code requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (2)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (2).1 (ii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001689">
- <status>draft</status>
- <publishdate>2011-05-27</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, if an information system component failure is detected, automatically shuts down the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SI-13 (4).1 (iii)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SI-13 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001690">
- <status>draft</status>
- <publishdate>2011-10-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects, as required, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001691">
- <status>draft</status>
- <publishdate>2011-10-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes available to authorized personnel vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (1).1 (i)" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001692">
- <status>draft</status>
- <publishdate>2011-10-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes available to authorized personnel vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SA-5 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001693">
- <status>draft</status>
- <publishdate>2011-10-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces a Discretionary Access Control (DAC) policy that limits propagation of access rights.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001694">
- <status>draft</status>
- <publishdate>2011-10-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="AC-3 (4).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="AC-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001695">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent the execution of organization-defined unacceptable mobile code.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (3)" />
- <reference creator="NIST" title="NIST SP 800-53A" version="1" location="NIST" index="SC-18 (3).1" />
- <reference creator="NIST" title="NIST SP 800-53" version="3" location="NIST" index="SC-18 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001726">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use software in accordance with contract agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001727">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use software documentation in accordance with contract agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001728">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use software in accordance with copyright laws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001729">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use software documentation in accordance with copyright laws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001730">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track the use of software protected by quantity licenses to control copying of the software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001731">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track the use of software documentation protected by quantity licenses to control distribution of the software documentation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001732">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001733">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001734">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the restrictions to be followed on the use of open source software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001735">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined restrictions on the use of open source software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001736">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the number of previous versions of the baseline configuration of the system required to support rollback.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001737">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components that are to have organization-defined configurations applied when located in areas of significant risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001738">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the configurations to be implemented on systems and system components when they are located in areas of significant risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001739">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Issue organization-defined systems or system components with organization-defined configurations to individuals traveling to locations the organization deems to be of significant risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001740">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review proposed configuration-controlled changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001741">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document configuration change decisions associated with the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001742">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the approval authorities to be notified when proposed changes to the system are received.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001743">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security responses to be automatically implemented if baseline configurations are changed in an unauthorized manner.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001744">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001745">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls that are to be provided by the cryptographic mechanisms are under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001746">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that cryptographic mechanisms used to provide organization-defined control are under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001747">
- <status>draft</status>
- <publishdate>2013-02-28</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines critical software components the information system will prevent from being installed without verification the component has been digitally signed using a certificate that is recognized and approved by the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001748">
- <status>draft</status>
- <publishdate>2013-02-28</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines critical firmware components the information system will prevent from being installed without verification the component has been digitally signed using a certificate that is recognized and approved by the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001749">
- <status>draft</status>
- <publishdate>2013-02-28</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001750">
- <status>draft</status>
- <publishdate>2013-02-28</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prevents the installation of organization-defined firmware components without verification the firmware component has been digitally signed using a certificate that is recognized and approved by the organization.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001751">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system-level information requiring enforcement of a dual authorization for system changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001752">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce dual authorization for implementing changes to organization-defined system-level information.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001753">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit privileges to change system components within a production or operational environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001754">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit privileges to change system-related information within a production or operational environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001755">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components for which any deviation from the established configuration settings are to be identified, documented, and approved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001756">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the operational requirements on which the configuration settings for the organization-defined system components are to be based.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001757">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the actions to employ when responding to unauthorized changes to the organization-defined configuration settings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001758">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the configuration settings for which to employ organization-defined actions in response to unauthorized changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001759">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take organization-defined actions in response to unauthorized changes to organization-defined configuration settings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001760">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of system reviews to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001761">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the functions, ports, protocols, software, and services within the information system that are to be disabled or removed when deemed unnecessary and/or nonsecure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001762">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable or remove organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001763">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the policies regarding software program usage and restrictions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001764">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001765">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software programs not authorized to execute on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001766">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify the organization-defined software programs not authorized to execute on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001767">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001768">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which the list of unauthorized software programs will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001769">
- <status>deprecated</status>
- <publishdate>2013-02-28</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will update the list of unauthorized software programs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001770">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the list of unauthorized software programs per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001771">
- <status>deprecated</status>
- <publishdate>2013-02-28</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the list of unauthorized software programs per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001772">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software programs authorized to execute on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001773">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify the organization-defined software programs authorized to execute on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001774">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (5) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001775">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which the list of authorized software programs will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (5) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (5) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001776">
- <status>deprecated</status>
- <publishdate>2013-02-28</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will update the list of authorized software programs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (5) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001777">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the list of authorized software programs per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (5) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (5) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001778">
- <status>deprecated</status>
- <publishdate>2013-02-28</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the list of authorized software programs per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-7 (5) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001779">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which the system component inventory is to be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001780">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the system component inventory per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001781">
- <status>deprecated</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which the information system component inventory is to be updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001782">
- <status>deprecated</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the information system component inventory per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001783">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001784">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When unauthorized hardware, software, and firmware components are detected within the system, take action to disable network access by such components; isolate the components, and/or notify organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001785">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a centralized repository for the inventory of system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001786">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Support the tracking of system components by geographic location using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001787">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the acquired information system components that are to be assigned to an information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001788">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assign system components to a system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (9) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001789">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Receive an acknowledgement from organization-defined personnel or roles of the acquired system components to a system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (9) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-8 (9) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001790">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001791">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001792">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a configuration management plan for the system that establishes a process for identifying configuration items throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001793">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001794">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001795">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a configuration management plan for the system that establishes a process for managing the configuration of the configuration items.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001796">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a configuration management plan for the information system that places the configuration items under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001797">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system that places the configuration items under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001798">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a configuration management plan for the system that places the configuration items under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001799">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a configuration management plan for the system that protects the configuration management plan from unauthorized disclosure and modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001800">
- <status>deprecated</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001801">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a configuration management plan for the system that protects the configuration management plan from unauthorized disclosure and modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-9 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001802">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track the use of software documentation protected by quantity licenses to control copying of the software documentation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001803">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track the use of software protected by quantity licenses to control distribution of the software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001804">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the policies for governing the installation of software by users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001805">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined policies governing the installation of software by users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001806">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines methods to be employed to enforce the software installation policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001807">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce software installation policies through organization-defined methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001808">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which it will monitor software installation policy compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-11 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001809">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor software installation policy compliance per an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-11 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001810">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the personnel or roles to be notified when unauthorized software is detected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001811">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001812">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system prohibits user installation of software without explicit privileged status.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001813">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce access restrictions using organization-defined mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001814">
- <status>draft</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The Information system supports auditing of the enforcement actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001815">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be applied to devices when individuals return from areas of significant risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (7) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001816">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply organization-defined controls to the systems or components when the individuals return from travel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (7) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-2 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001817">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When analyzing changes to the system, looks for privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001818">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze changes to the system in a separate test environment before installation in an operational environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001819">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement approved configuration-controlled changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001820">
- <status>deprecated</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001821">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organizational personnel or roles to whom the organization-level; mission/business process-level; and/or system-level configuration management policy is to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001822">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate the organization-level; mission/business process-level; and/or system-level configuration management policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001823">
- <status>deprecated</status>
- <publishdate>2013-03-01</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001824">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organizational personnel or roles to whom the organization-level; mission/business process-level; and/or system-level configuration management procedures are to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001825">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate to organization-defined personnel or roles the procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level configuration management policy and associated configuration management controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001826">
- <status>draft</status>
- <publishdate>2013-03-05</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the circumstances upon which the organization reviews the information system changes to determine whether unauthorized changes have occurred.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001827">
- <status>draft</status>
- <publishdate>2013-03-05</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency with which to review information system privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001828">
- <status>draft</status>
- <publishdate>2013-03-05</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency with which to reevaluate information system privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001829">
- <status>draft</status>
- <publishdate>2013-03-05</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews information system privileges per an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001830">
- <status>draft</status>
- <publishdate>2013-03-05</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reevaluates information system privileges per an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001831">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001832">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate the organization-level; mission/business process-level; and/or system-level audit and accountability policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001833">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001834">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate to organization-defined personnel or roles procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001835">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will review the audit and accountability policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001836">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will update the audit and accountability policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001837">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews the audit and accountability policy on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001838">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the audit and accountability policy on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001839">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will review the audit and accountability procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001840">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will update the audit and accountability procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001841">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reviews the audit and accountability procedures on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001842">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the audit and accountability procedures on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001843">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines a frequency for updating the list of organization-defined auditable events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001844">
- <status>draft</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001845">
- <status>deprecated</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides centralized configuration of the content to be captured in audit records generated by organization-defined information system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001846">
- <status>draft</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines information system components that will generate the audit records which are to be captured for centralized management of the content.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001847">
- <status>draft</status>
- <publishdate>2013-03-14</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines information system components that will generate the audit records which are to be captured for centralized configuration of the content.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001848">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the audit log retention requirements for allocating audit log storage capacity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001849">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allocate audit log storage capacity to accommodate organization-defined audit record retention requirements.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-001850">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency to off-load audit records onto a different system or media than the system being audited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001851">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001852">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel, roles and/or locations to receive a warning when allocated audit log storage volume reaches a defined percentage of maximum audit log storage capacity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001853">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period within which organization-defined personnel, roles, and/or locations are to receive warnings when allocated audit log storage volume reaches an organization-defined percentage of maximum audit log storage capacity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001854">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the percentage of maximum audit log storage capacity that is to be reached, at which time the system will provide a warning to organization-defined personnel, roles, and/or locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001855">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit log storage volume reaches an organization-defined percentage of repository maximum audit log storage capacity.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001856">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the real-time period in which to provide an alert when organization-defined audit failure events occur.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001857">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel, roles, and/or locations to receive alerts when organization-defined audit failure events occur.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001858">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001859">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the network communication traffic volume thresholds reflecting limits on auditing capacity, specifying when the information system will reject or delay network traffic that exceed those thresholds.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001860">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the audit logging failures which, should they occur, will invoke an organization-defined system mode.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001861">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Invoke a full system shutdown, partial system shutdown, or degraded operational mode with limited mission or business functionality available in the event of organization-defined audit logging failures, unless an alternate audit logging capability exists.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001862">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the types of inappropriate or unusual activity to be reviewed and analyzed in the audit records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001863">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to receive the reports of organization-defined inappropriate or unusual activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001864">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate audit review and analysis using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001865">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate reporting processes using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001866">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the data/information to be collected from other sources to enhance its ability to identify inappropriate or unusual activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001867">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate analysis of audit records with analysis of vulnerability scanning information, performance data, system monitoring information, and/or organization-defined data/information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001868">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specify the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001869">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specify the permitted actions for each information system process, role, and/or user associated with the reporting of audit information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001870">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform a full-text analysis of logged privileged commands in a physically-distinct component or subsystem of the system, or other system that is dedicated to that analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001871">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correlate information from non-technical sources with audit record information to enhance organization-wide situational awareness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001872">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization adjusts the level of audit review and analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001873">
- <status>deprecated</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization adjusts the level of audit analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001874">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization adjusts the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-6 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001875">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an audit reduction capability that supports on-demand audit review and analysis.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001876">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an audit reduction capability that supports on-demand reporting requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001877">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an audit reduction capability that supports after-the-fact investigations of incidents.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001878">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a report generation capability that supports on-demand audit review and analysis.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001879">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a report generation capability that supports on-demand reporting requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001880">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a report generation capability that supports after-the-fact investigations of security incidents.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001881">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an audit reduction capability that does not alter original content or time ordering of audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001882">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a report generation capability that does not alter original content or time ordering of audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001883">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the audit fields within audit records to be processed, sorted, and searched for events of interest by the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001884">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the audit fields within audit records to be sorted for events of interest by the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001885">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the audit fields within audit records to be searched for events of interest by the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001886">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides the capability to sort audit records for events of interest based on the content of organization-defined audit fields within audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001887">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system provides the capability to search audit records for events of interest based on the content of organization-defined audit fields within audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001888">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the granularity of time measurement for time stamps generated for audit records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001889">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Record time stamps for audit records that meet organization-defined granularity of time measurement.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001890">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Record time stamps for audit records that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001891">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001892">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the time difference which, when exceeded, will require the information system to synchronize the internal information system clocks to the organization-defined authoritative time source.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001893">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001894">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subset of privileged users who will be authorized access to the management of audit functionality.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001895">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the audit information requiring dual authorization for movement or deletion actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001896">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce dual authorization for movement and/or deletion of organization-defined audit information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001897">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subset of privileged users or roles who will be authorized read-only access to audit information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001898">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize read-only access to audit information to an organization-defined subset of privileged users or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-9 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001899">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the actions to be covered by non-repudiation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-001900">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the strength of binding to be applied to the binding of the identity of the information producer with the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001901">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Bind the identity of the information producer with the information to an organization-defined strength of binding.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001902">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the means for authorized individuals to determine the identity of the producer of the information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001903">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which the information system is to validate the binding of the information producer identity to the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001904">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Validates the binding of the information producer identity to the information at an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001905">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the actions to be performed in the event of an error when validating the binding of the information producer identity to the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001906">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform organization-defined actions in the event of an error when validating the binding of the information producer identity to the information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001907">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security domains which will require the information system validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001908">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the action the system is to perform in the event of an information reviewer identity binding validation error.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001909">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform organization-defined actions in the event of an information reviewer identity binding validation error.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-10 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-10 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001910">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles allowed to select which event types are to be logged by specific components of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001911">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the selectable event criteria to be used as the basis for changes to the auditing to be performed on organization-defined system components, by organization-defined individuals or roles, within organization-defined time thresholds.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001912">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time thresholds for organization-defined individuals or roles to change the auditing to be performed based on organization-defined selectable event criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001913">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the individuals or roles that are to be provided the capability to change the auditing to be performed based on organization-defined selectable event criteria, within organization-defined time thresholds.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001914">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001915">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-001916">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001917">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing the open source information sites being monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001918">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the open source information sites being monitored per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001919">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability for organization-defined users or roles to select a user session to record; view; hear; or log the content of a user session under organization-defined circumstances.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-14 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-001920">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability for authorized users to remotely view and hear content related to an established user session in real time.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-14 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-14 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001921">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the alternative audit functionality to be provided in the event of a failure in the primary audit capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-001922">
- <status>draft</status>
- <publishdate>2013-03-15</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-001923">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001924">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001925">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-001926">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Preserve the identity of individuals in cross-organizational audit trails.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001927">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organizations that will be provided cross-organizational audit information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-16 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001928">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the cross-organizational sharing agreements to be established with organization-defined organizations authorized to be provided cross-organizational sharing of audit information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-16 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001929">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide cross-organizational audit information to organization-defined organizations based on organization-defined cross organizational sharing agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-16 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001930">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organization-level; mission/business process-level; and/or system-level audit and accountability policy is to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001931">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the audit and accountability procedures are to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001932">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001933">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the personnel or roles to be recipients of the identification and authentication policy and the procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-001934">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-001935">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to privileged accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001936">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001937">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The device used in the information system implementation of multifactor authentication for network access to privileged accounts meets organization-defined strength of mechanism requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001938">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to non-privileged accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001939">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001940">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The device used in the information system implementation of multifactor authentication for network access to non-privileged accounts meets organization-defined strength of mechanism requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001941">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001942">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001943">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system accounts for which single sign-on capability will be provided.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001944">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system services for which single sign-on capability will be provided.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001945">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a single sign-on capability for organization-defined system accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001946">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a single sign-on capability for organization-defined system services.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001947">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to privileged accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001948">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001949">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The device used in the information system implementation of multifactor authentication for remote access to privileged accounts meets organization-defined strength of mechanism requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001950">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to non-privileged accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001951">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001952">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The device used in the information system implementation of multifactor authentication for remote access to non-privileged accounts meets organization-defined strength of mechanism requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001953">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Accepts Personal Identity Verification-compliant credentials.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001954">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Electronically verifies Personal Identity Verification-compliant credentials.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001955">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the out-of-band authentication to be implemented under organization-defined conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001956">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions for implementing organization-defined out-of-band authentication.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001957">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined out-of-band authentication mechanisms under organization-defined conditions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-2 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001958">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3" />
- </references>
- </cci_item>
- <cci_item id="CCI-001959">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the devices and/or types of devices the system is to authenticate before establishing a connection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001960">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the lease information to be assigned to devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001961">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the lease duration to be assigned to devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001962">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Where addresses are allocated dynamically, standardize dynamic address allocation lease information assigned to devices in accordance with organization-defined lease information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001963">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Where addresses are allocated dynamically, standardize dynamic address allocation lease duration assigned to devices in accordance with organization-defined lease duration.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001964">
- <status>deprecated</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the configuration management process that is to handle the device identification procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001965">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the configuration management process that is to handle the device authentication procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001966">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Handle device identification based on attestation is handled by the organization-defined configuration management process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001967">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001968">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the configuration management process that is to handle the device identification procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001969">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Handle device authentication based on attestation is handled by the organization-defined configuration management process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001970">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles that authorize the assignment of individual, group, role, and device identifiers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001971">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system identifiers by receiving authorization from organization-defined personnel or roles to assign an individual, group, role, or device identifier.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001972">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system identifiers by selecting an identifier that identifies an individual, group, role, or device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-001973">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system identifiers by assigning the identifier to the intended individual, group, role, or device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-001974">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for which the reuse of identifiers is prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001975">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system identifiers by preventing reuse of identifiers for an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001976">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage individual identifiers dynamically in accordance with organization-defined identifier policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001977">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external organizations with which it will coordinate for cross-management of identifiers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001978">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate with organization-defined external organizations for cross-organization management of identifiers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001979">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the registration process to receive an individual identifier be conducted in person before a designated registration authority.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001980">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-001981">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by establishing administrative procedures for initial authenticator distribution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001982">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by establishing administrative procedures for lost/compromised authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001983">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by establishing administrative procedures for damaged authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001984">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by establishing administrative procedures for revoking authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001985">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by implementing administrative procedures for initial authenticator distribution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001986">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by implementing administrative procedures for lost/compromised authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001987">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by implementing administrative procedures for damaged authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001988">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by implementing administrative procedures for revoking authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-001989">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by changing default content of authenticators prior to information system installation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-001990">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by changing authenticators for group or role accounts when membership to those accounts changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 i" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 j" />
- </references>
- </cci_item>
- <cci_item id="CCI-001991">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (2) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001992">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the personnel or roles responsible for authorizing the organization's registration authority accountable for the authenticator registration process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001993">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the registration authority accountable for the authenticator registration process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001994">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the types of and/or specific authenticators that are subject to the authenticator registration process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001995">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that the registration process, to receive organization-defined types of and/or specific authenticators, be conducted in person, or by a trusted third-party, before an organization-defined registration authority with authorization by organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001996">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the requirements required by the automated tools to determine if password authenticators are sufficiently strong.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001997">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001998">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-001999">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the external organizations to be coordinated with for cross-organization management of credentials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002000">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization coordinates with organization-defined external organizations for cross-organization management of credentials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002001">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Bind identities and authenticators dynamically using organization-defined binding rules.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002002">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the token quality requirements to be employed by the information system mechanisms for token-based authentication.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002003">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system, for token-based authentication, employs mechanisms that satisfy organization-defined token quality requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002004">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the biometric quality requirements to be employed by the mechanisms for biometric-based authentication.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002005">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For biometric-based authentication, employ mechanisms that satisfy organization-defined biometric quality requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002006">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period after which the use of cached authenticators is prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002007">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of cached authenticators after an organization-defined time period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002008">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For PKI-based authentication, employs an organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (14)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002009">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Accept Personal Identity Verification-compliant credentials from other federal agencies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002010">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Electronically verify Personal Identity Verification-compliant credentials from other federal agencies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002011">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system accepts FICAM-approved third-party credentials.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002012">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information systems which will employ only FICAM-approved information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002013">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002014">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system conforms to FICAM-issued profiles.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002015">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Accept federated or PKI credentials that meet organization-defined policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002016">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify federated PKI credentials that meet organization-defined policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002017">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information system services requiring identification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-002018">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system services and applications requiring authentication.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-002019">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security safeguards to be used when identifying information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-002020">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security safeguards to be used when authenticating information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-002021">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Uniquely identify organization-defined system services and applications before establishing communications with devices, users, or other services or applications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-002022">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Uniquely authenticate organization-defined system services and applications before establishing communications with devices, users, or other services or applications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-002023">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that service providers receive identification information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002024">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that service providers validate identification information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002025">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that service providers transmit identification information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002026">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that service providers receive authentication information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002027">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that service providers validate authentication information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002028">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that service providers transmit authentication information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002029">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the services between which identification decisions are to be transmitted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002030">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the services between which authentication decisions are to be transmitted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002031">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that identification decisions are transmitted between organization-defined services consistent with organizational policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002032">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that authentication decisions are transmitted between organization-defined services consistent with organizational policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002033">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the specific circumstances or situations when individuals accessing the system employ organization-defined supplemental authentication techniques or mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-002034">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the supplemental authentication techniques or mechanisms to be employed in specific organization-defined circumstances or situations by individuals accessing the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-002035">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require individuals accessing the system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-002036">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances or situations under which users will be required to reauthenticate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-11" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-002037">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the circumstances or situations under which devices will be required to reauthenticate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-002038">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-002039">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires devices to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-002040">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that the registration process to receive an individual identifier includes supervisor authorization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002041">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system allows the use of a temporary password for system logons with an immediate change to a permanent password.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (1) (f)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002042">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by protecting authenticator content from unauthorized modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-002043">
- <status>draft</status>
- <publishdate>2013-05-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses only FICAM-approved path discovery and validation products and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002044">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines measures to be employed to ensure that long-term audit records generated by the system can be retrieved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-11 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002045">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined measures to ensure that long-term audit records generated by the information system can be retrieved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-11 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002046">
- <status>draft</status>
- <publishdate>2013-05-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-8 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002047">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components on which the auditing that is to be performed can be changed by organization-defined individuals or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002048">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the awareness and training policy is disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002049">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organization-level; mission/business process-level; system-level awareness and training procedures are disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002050">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002051">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002052">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide practical exercises in security training that reinforce training objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002053">
- <status>draft</status>
- <publishdate>2013-06-05</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002054">
- <status>draft</status>
- <publishdate>2013-06-05</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002055">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide literacy training on recognizing and reporting potential indicators of insider threat.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AT-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002056">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period the records of configuration-controlled changes are to be retained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-002057">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel to be notified when approved changes to the system are completed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (f)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (f)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002058">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated mechanisms to notify organization-defined personnel when approved changes to the system are completed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (f)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-3 (1) (f)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002059">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CM-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002060">
- <status>deprecated</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002061">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organization-level; mission/business process; system-level assessment, authorization, and monitoring policy is to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002062">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the assessment, authorization, monitoring procedures are to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002063">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002064">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization selects one or more security assessment techniques to be conducted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002065">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which to conduct control assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002066">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Leverage the results of control assessments of the organization-defined system performed by an organization-defined external organization when the assessment meets organization-defined requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002067">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system for which the results of control assessments will be leveraged.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002068">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external organizations from which control assessment results for organization-defined systems will be accepted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002069">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the requirements the control assessments for organization-defined systems from organization-defined external organizations must meet.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002070">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a control assessment plan that describes the scope of the assessment including assessment team, and assessment roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 b 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-002071">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the individuals or roles to whom the results of the control assessment are to be provided.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002072">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSP</contributor>
- <definition>The organization defines the unclassified, national security systems that are prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002073">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002074">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the boundary protection device to be used for the direct connection of classified, national security system to an external network.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002075">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the direct connection of an organization-defined unclassified, non-national security system to an external network without the use of organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002076">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002077">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002078">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the direct connection of an organization-defined information system to a public network.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002079">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information system that is prohibited from directly connecting to a public network.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002080">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002081">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information systems that employ either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing connections to external information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002082">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization selects either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002083">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the agreements on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002084">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which reviews and updates to the agreements must be conducted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002085">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the level of independence the assessors or assessment teams must have to monitor the security controls in the information system on an ongoing basis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002086">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002087">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined system-level metrics to be monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002088">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined frequencies for monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002089">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes and defines the frequencies for assessments supporting continuous monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002090">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002091">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a continuous monitoring program that includes correlation and analysis of information generated by assessments and monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-002092">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a continuous monitoring program that includes response actions to address results of the analysis of control assessment and monitoring information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-7 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002093">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct penetration testing in accordance with organization-defined frequency on organization-defined systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-002094">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for conducting penetration testing on organization-defined systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-002095">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components on which penetration testing will be conducted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-002096">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ an independent penetration agent or penetration team to perform penetration testing on the system or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002097">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines red team exercises to simulate attempts by adversaries to compromise organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002098">
- <status>draft</status>
- <publishdate>2013-06-21</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines rules of engagement for red team exercises to simulate attempts by adversaries to compromise organizational information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002099">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined red team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002100">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform security compliance checks on constituent components prior to the establishment of the internal connection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002101">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorizes internal connections of organization-defined system components or classes of components to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-9 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002102">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components or classes of components that are authorized internal connections to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-9 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002103">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document, for each internal connection, the interface characteristics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-9 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002104">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document, for each internal connection, the security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-9 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002105">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document, for each internal connection, the nature of the information communicated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CA-9 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002106">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the access control policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002107">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be recipients of the organization-level; mission/business process-level; and/or system-level access control policy necessary to facilitate the implementation of the access control policy and associated access controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002108">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be recipients of the procedures necessary to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level access control policy and associated access controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002109">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents procedures to facilitate the implementation of the access control policy and associated access controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002110">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information system account types that support the organizational missions/business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002111">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies and selects the organization-defined information system account types of information system accounts which support organizational missions/business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002112">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assign account managers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002113">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes conditions for role membership.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002114">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization specifies authorized users of the information system for each account.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002115">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specify authorized users of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 d 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002116">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specify authorized users of the group.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 d 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002117">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specify authorized users of the role membership.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 d 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002118">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specify authorized access authorizations (i.e., privileges) for each account.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 d 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002119">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specify organization-attributes (as required) for each account on the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 d 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002120">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles authorized to approve the creation of accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-002121">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the procedures to be employed when creating, enabling, modifying, disabling, and removing information system accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002122">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the use of accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-002123">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify account managers and organization-defined personnel or roles within an organization-defined time-period when accounts are no longer required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 h 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 h 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002124">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify account managers and organization-defined personnel or roles within an organization-defined time-period when users are terminated or transferred.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 h 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 h 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002125">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify account managers and organization-defined personnel or roles within an organization-defined time-period when system usage or need-to-know changes for an individual.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 h 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 h 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-002126">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize access to the system based on a valid access authorization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 i 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 i 1 " />
- </references>
- </cci_item>
- <cci_item id="CCI-002127">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize access to the system based on intended system usage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 i 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 i 2 " />
- </references>
- </cci_item>
- <cci_item id="CCI-002128">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize access to the system based on organization-defined attributes (as required).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 i 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 i 3 " />
- </references>
- </cci_item>
- <cci_item id="CCI-002129">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 k" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 k" />
- </references>
- </cci_item>
- <cci_item id="CCI-002130">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically audit account enabling actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002131">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the personnel or roles to be notified on account creation, modification, enabling, disabling, and removal actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002132">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system notifies organization-defined personnel or roles for account enabling actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002133">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines other conditions when users are required to log out.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002134">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a list of dynamic privilege management capabilities to be implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002135">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the organization-defined list of dynamic privilege management capabilities.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002136">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the actions to be taken when privileged role assignments are no longer appropriate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (7) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002137">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Revoke access when privileged role or attribute assignments are no longer appropriate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (7) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (7) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002138">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system accounts that can be dynamically created.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002139">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Create organization-defined system accounts dynamically.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002140">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions for establishing shared/group accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002141">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Only permit the use of shared and group accounts that meet organization-defined conditions for establishing shared and group accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002142">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system terminates shared/group account credentials when members leave the group.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002143">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002144">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system accounts that are to be subject to the enforcement of organization-defined circumstances and/or usage conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002145">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined circumstances and/or usage conditions for organization-defined system accounts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002146">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines atypical usage for which the system accounts are to be monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (12) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (12) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002147">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor system accounts for organization-defined atypical usage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (12) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (12) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002148">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom atypical usage of system accounts are to be reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (12) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (12) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002149">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report atypical usage of system accounts to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (12) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (12) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002150">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period within which the accounts of users posing a significant risk are to be disabled after discovery of the risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002151">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable accounts of individuals within an organization-defined time-period of discovery of organization-defined significant risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-2 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002152">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines other actions necessary for which dual authorization is to be enforced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002153">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mandatory access control policies that are to be enforced over all subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002154">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The mandatory access control policy specifies that the policy is uniformly enforced across all subjects and objects within the boundary of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002155">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined mandatory access control policy over all subjects and objects where the policy specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (b) (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (b) (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002156">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined mandatory access control policy over all subjects and objects where the policy specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (b) (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (b) (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002157">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined mandatory access control policy over all subjects and objects where the policy specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the system, or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (b) (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (b) (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002158">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined mandatory access control policy over all subjects and objects where the policy specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (b) (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (b) (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002159">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined mandatory access control policy over all subjects and objects where the policy specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (b) (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (b) (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002160">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined mandatory access control policy over all subjects and objects where the policy specifies that a subject that has been granted access to information is constrained from changing the rules governing access control.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (b) (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (b) (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002161">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines subjects which may explicitly be granted organization-defined privileges such that they are not limited by any of the mandatory access control constraints.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002162">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by any of the mandatory access control constraints.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002163">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the discretionary access control policies the information system is to enforce over subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002164">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined discretionary access control policy that over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (4) " />
- </references>
- </cci_item>
- <cci_item id="CCI-002165">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined discretionary access control policies over defined subjects and objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002166">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the role-based access control policies to enforce over all subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002167">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the subjects over which the information system will enforce a role-based access control policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002168">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the objects over which the information system will enforce a role-based access control policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002169">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce a role-based access control policy over defined subjects and objects based upon organization-defined roles and users authorized to assume such roles.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002170">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control access based upon organization-defined roles and users authorized to assume such roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002171">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces a role-based access control policy over organization-defined subjects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002172">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system enforces a role-based access control policy over organization-defined objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002173">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the roles authorized to control access based upon the role-based access control policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002174">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the users authorized to control access based upon the role-based access control policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002175">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system controls access based upon organization-defined roles authorized to assume such roles, employing the organization-defined role-based access control policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002176">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system controls access based upon organization-defined users authorized to assume such roles, employing the organization-defined role-based access control policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002177">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the rules governing the timing of revocation of access authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002178">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002179">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002180">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls the organization-defined system or system component is to provide to protect information released outside the established system boundary.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (9) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002181">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system or system components that are to provide organization-defined controls to protect information received outside the established system boundary.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (9) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002182">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Release information outside of the established system boundary only if organization-defined system or system components provides organization-defined controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (9) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002183">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be used to validate the appropriateness of the information designated for release.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (9) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (9) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002184">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Release information outside of the established system boundary only if organization-defined controls are used to validate the appropriateness of the information designated for release.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (9) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (9) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002185">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions on which it will employ an audited override of automated access control mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002186">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ an audited override of automated access control mechanisms under organization-defined conditions by organization-defined roles.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002187">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security attributes to be used to enforce organization-defined information flow control policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002188">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information, source, and destination objects with which the organization-defined security attributes are to be associated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002189">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information flow control policies to be enforced for flow control decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002190">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002191">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information flow control policies to be enforced by the information system using protected processing domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002192">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the policies to enforce dynamic information flow control.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002193">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines procedures or methods to be employed to prevent encrypted information from bypassing flow control mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002194">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the metadata the information system uses to enforce information flow control.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002195">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information flows against which the organization-defined security or privacy policy filters are to be enforced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (8) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002196">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information flows for which will enforce the use of human reviews under organization-defined conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002197">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions which will require the use of human reviews of organization-defined information flows.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002198">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce the use of human reviews for organization-defined information flows under organization-defined conditions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002199">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions that provides the capability for privileged administrators to enable and disable organization-defined security policy filters.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002200">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the data type identifiers to be used to validate data being transferred between different security domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002201">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, use organization-defined data type identifiers to validate data essential for information flow decisions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002202">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the policy-relevant subcomponents into which information being transferred between different security domains is to be decomposed for submission to policy enforcement mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002203">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the unsanctioned information when transferring information between different security domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (15)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002204">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security or privacy policy which prohibits the transfer of unsanctioned information between different security domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (15)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002205">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Uniquely identify and authenticate source by organization, system, application, service, and/or individual for information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (17)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002206">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uniquely authenticates source by organization, system, application, and/or individual for information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002207">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Uniquely identify and authenticate destination points by organization, system, application, service, and/or individual for information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (17)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002208">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uniquely authenticates destination by organization, system, application, and/or individual for information transfer.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002209">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the techniques to be used to bind security attributes to information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (18)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002210">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system binds security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (18)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002211">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, implement organization-defined security or privacy filters on metadata.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (19)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002212">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the solutions in approved configurations to be employed to control the flow of organization-defined information across security domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (20)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002213">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information to be subjected to flow control across security domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (20)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002214">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined solutions in approved configurations to control the flow of organization-defined information across security domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (20)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002215">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mechanisms and/or techniques to be used to logically or physically separate information flows.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002216">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the types of information required to accomplish logical or physical separation of information flows.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002217">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Separate information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations by types of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002218">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (22)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-4 (22)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002219">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the duties of individuals requiring separation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002220">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define system access authorizations to support separation of duties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002221">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security-relevant information for which access must be explicitly authorized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002222">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize access for organization-defined individuals or roles to organization-defined security functions (deployed in hardware, software, and firmware).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002223">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize access for organization-defined individuals or roles to organization-defined security-relevant information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002224">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002225">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide separate processing domains to enable finer-grained allocation of user privileges.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002226">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom privileged accounts are to be restricted on the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002227">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict privileged accounts on the system to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002228">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which it conducts reviews of the privileges assigned to organization-defined roles or classes of users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002229">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the roles or classes of users that are to have their privileges reviewed on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002230">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review, on an organization-defined frequency, the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002231">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (7) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002232">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software that is prevented from executing at a higher privilege than users executing the software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002233">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent the organization-defined software from executing at higher privilege levels than users executing the software.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002234">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Log the execution of privileged functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002235">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent non-privileged users from executing privileged functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-6 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002236">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful logon attempts is exceeded.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002237">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the delay algorithm to delay the next logon prompt when the maximum number of unsuccessful logon attempts is exceeded.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002238">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002239">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mobile devices that are to be purged or wiped after an organization-defined number of consecutive, unsuccessful device logon attempts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002240">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the purging or wiping requirements and techniques to be used on organization-defined mobile devices after an organization-defined number of consecutive, unsuccessful device logon attempts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002241">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the number of consecutive, unsuccessful device logon attempts after which the organization-defined mobile devices will be purged or wiped.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002242">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Purge or wipe information from organization-defined mobile devices based on organization-defined purging or wiping requirements and techniques after an organization-defined number of consecutive, unsuccessful device logon attempts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002243">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Organization-defined system use notification message or banner is to state that users are accessing a U.S. Government system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002244">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Organization-defined system use notification message or banner is to state that system usage may be monitored, recorded, and subject to audit.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002245">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Organization-defined system use notification message or banner is to state that unauthorized use of the system is prohibited and subject to criminal and civil penalties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-002246">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Organization-defined system use notification message or banner is to state that use of the system indicates consent to monitoring and recording.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 a 4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-002247">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the use notification message or banner the system displays to users before granting access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002248">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions of use which are to be displayed to users of the system before granting further access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-8 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-8 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002249">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the additional information to be included in the notification to the user upon successful logon.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002250">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify the user, upon successful logon, of the following additional information: organization-defined additional information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002251">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002252">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the accounts and/or account types for which will limit the number of concurrent sessions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-002253">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the account types for which the information system will limit the number of concurrent sessions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-002254">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002255">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the user actions that can be performed on the information system without identification and authentication.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002256">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security attributes having organization-defined types of security attribute values which are associated with information in storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002257">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security attributes having organization-defined types of security attribute values which are associated with information in process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002258">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security attributes, having organization-defined types of security attribute values, which are associated with information in transmission.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002259">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security attribute values associated with organization-defined types of security attributes for information in storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002260">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security attribute values associated with organization-defined types of security attributes for information in process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002261">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security attribute values associated with organization-defined types of security attributes for information in transmission.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002262">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002263">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002264">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002265">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the security attribute associations are made with the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002266">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the security attribute associations are retained with the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 b " />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002267">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security attributes that are permitted for organization-defined systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002268">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems for which permitted organization-defined attributes are to be established.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002269">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish the following permitted organization-defined security attributes in AC-16a for organization-defined systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002270">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the attribute values or ranges permitted for each of the established security attributes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002271">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine the following permitted attribute value or ranges for each of the established attributes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002272">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Dynamically associate security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002273">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security policies to adhere to when dynamically associating security attributes with organization-defined subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002274">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subjects with which the information system is to dynamically associate security attributes as information is created and combined.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002275">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the objects with which the information system is to dynamically associate security attributes as information is created and combined.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002276">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies the individuals authorized to define the value of associated security attributes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002277">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002278">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security attributes for which the association and integrity to organization-defined subjects and objects is maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002279">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subjects for which the association and integrity of organization-defined security attributes is maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002280">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the objects for which the association and integrity of organization-defined security attributes is maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002281">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the association of organization-defined security attributes to organization-defined subjects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002282">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the association of organization-defined security attributes to organization-defined objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002283">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the integrity of organization-defined security attributes associated with organization-defined subjects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002284">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the integrity of organization-defined security attributes associated with organization-defined objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002285">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined subjects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002286">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002287">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002288">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002289">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to associate organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002290">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to associate organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002291">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002292">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security attributes which are to be associated with organization-defined subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002293">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002294">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002295">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to associate organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002296">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to associate organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002297">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to maintain the association of organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002298">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to maintain the association of organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002299">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a consistent interpretation of security attributes transmitted between distributed system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002300">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques and technologies to be implemented when associating security attributes with information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002301">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the level of assurance to be provided when implementing organization-defined techniques and technologies in associating security attributes to information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002302">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined techniques and technologies with an organization-defined level of assurance in associating security attributes to information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002303">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques or procedures to be employed to validate re-grading mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002304">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Change security attributes associated with information are reassigned only via re-grading mechanisms validated using organization-defined techniques or procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002305">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies individuals authorized to define or change the type and value of security attributes available for association with subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002306">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide authorized individuals the capability to define or change the type of security attributes available for association with subjects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002307">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide authorized individuals the capability to define or change the value of security attributes available for association with subjects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002308">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide authorized individuals the capability to define or change the type of security attributes available for association with objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002309">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide authorized individuals the capability to define or change the type of security attributes available for association with objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002310">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and document usage restrictions for each type of remote access allowed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002311">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and document configuration/connection requirements for each type of remote access allowed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002312">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and document implementation guidance for each type of remote access allowed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002313">
- <status>deprecated</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system controls remote access methods.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002314">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated mechanisms to control remote access methods.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002315">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the number of managed network access control points through which the information system routes all remote access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002316">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize access to security-relevant information via remote access only in a format that provides assessable evidence for organization-defined needs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002317">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the needs for when the execution of privileged commands via remote access is to be authorized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002318">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the needs for when access to security-relevant information via remote access is to be authorized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002319">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document the rationale for authorization of the execution of privilege commands via remote access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002320">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document the rationale for authorization of access to security-relevant information via remote access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002321">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period within which it disconnects or disables remote access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002322">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to disconnect or disable remote access to the system within the organization-defined time period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-17 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002323">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish configuration requirements and connection requirements for wireless access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-18 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002324">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and explicitly authorizes users allowed to independently configure wireless networking capabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-18 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-18 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002325">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish configuration requirements for organization-controlled mobile devices, to include when such devices are outside of controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002326">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish connection requirements for organization-controlled mobile devices, to include when such devices are outside of controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002327">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security policies which restrict the connection of classified mobile devices to classified systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002328">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the connection of classified mobile devices to classified systems in accordance with organization-defined security policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002329">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on the device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002330">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employs full-device encryption or container encryption to protect the confidentiality of information on organization-defined mobile devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002331">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employs full-device encryption or container encryption to protect the integrity of information on organization-defined mobile devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-19 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-19 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002332">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined terms and conditions, and/or identify organization-defined controls asserted to be implemented on external systems, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using the external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002333">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization permits authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002334">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization permits authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002335">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization permits authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002336">
- <status>draft</status>
- <publishdate>2013-06-24</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization permits authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002337">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after the system retains approved system connection or processing agreements with the organizational entity hosting the external system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002338">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using organization-defined restrictions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002339">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the network accessible storage devices that are to be prohibited from being used in external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002340">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of organization-defined network accessible storage devices in external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-20 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002341">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information sharing restrictions to be enforced when implementing information search and retrieval services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-21 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-21 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002342">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement information search and retrieval services that enforce organization-defined information sharing restrictions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-21 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-21 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002343">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the data mining prevention techniques to be employed to protect organization-defined data storage objects against data mining.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-23" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-002344">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the data mining detection techniques to be employed to detect data mining attempts against organization-defined data storage objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-23" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-002345">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the data storage objects that are to be protected against data mining attempts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-23" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-002346">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employs organization-defined data mining prevention techniques for organization-defined data storage objects to protect against unauthorized data mining.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-23" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-002347">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined data mining detection techniques for organization-defined data storage objects to detect data mining attempts.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-23" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-002348">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the access control decisions that are to be applied to each access request prior to access enforcement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-24" />
- </references>
- </cci_item>
- <cci_item id="CCI-002349">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish procedures or implement mechanisms to ensure organization-defined access control decisions are applied to each access request prior to access enforcement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-24" />
- </references>
- </cci_item>
- <cci_item id="CCI-002350">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined systems that enforce access control decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-24 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002351">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be employed when transmitting organization-defined access authorization information to organization-defined systems that enforce access control decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-24 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002352">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-24 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002353">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Transmit organization-defined access authorization information using organization-defined controls to organization-defined systems that enforce access control decisions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-24 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002354">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-24 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002355">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce access control decisions based on organization-defined security or privacy attributes that do not include the identity of the user or process acting on behalf of the user.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-24 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002356">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the access control policies to be implemented by the reference monitor.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-25" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-25" />
- </references>
- </cci_item>
- <cci_item id="CCI-002357">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a reference monitor for organization-defined access control policies that is tamperproof.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-25" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-25" />
- </references>
- </cci_item>
- <cci_item id="CCI-002358">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a reference monitor for organization-defined access control policies that is always invoked.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-25" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-25" />
- </references>
- </cci_item>
- <cci_item id="CCI-002359">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-25" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-25" />
- </references>
- </cci_item>
- <cci_item id="CCI-002360">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions or trigger events requiring session disconnect when automatically terminating a user session.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002361">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002362">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information resources requiring authentication in order to gain access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002363">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002364">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-12 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002365">
- <status>draft</status>
- <publishdate>2013-06-26</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by requiring individuals to take specific security safeguards to protect authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 i" />
- </references>
- </cci_item>
- <cci_item id="CCI-002366">
- <status>draft</status>
- <publishdate>2013-06-26</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization manages information system authenticators by having devices implement specific security safeguards to protect authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 i" />
- </references>
- </cci_item>
- <cci_item id="CCI-002367">
- <status>draft</status>
- <publishdate>2013-06-26</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures unencrypted static authenticators are not embedded in applications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IA-5 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002368">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organization-level; mission/business process-level; system-level risk assessment policy is disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002369">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the risk assessment procedures are disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002370">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate risk assessment results to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002371">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the risk assessment results will be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002372">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002373">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define the breadth and depth of vulnerability scanning coverage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002374">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the corrective actions if unintended information about the system is discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002375">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take organization-defined corrective actions if information about the system is discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002376">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles with whom the information obtained from the vulnerability monitoring process and control assessments will be shared.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-002377">
- <status>draft</status>
- <publishdate>2013-07-02</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the system and communications protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002378">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be recipients of the organization-level; mission/business process-level; and/or system-level system and communications protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002379">
- <status>draft</status>
- <publishdate>2013-07-02</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002380">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be recipients of the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002381">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002382">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002383">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the procedures to be employed to prevent unauthorized information transfer via shared resources when system processing explicitly switches between different information classification levels or security categories.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002384">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002385">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect against or limit the effects of organization-defined types of denial of service events.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-002386">
- <status>draft</status>
- <publishdate>2013-07-02</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security safeguards to be employed to protect the information system against, or limit the effects of, denial of service attacks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-002387">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the denial of service attacks against other systems that the system is to restrict the ability of individuals to launch.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002388">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the monitoring tools to be employed to detect indicators of denial of service attacks against the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002389">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined monitoring tools to detect indicators of denial of service attacks against, or launched from, the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002390">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system resources to be monitored to determine if sufficient resources exist to prevent effective denial of service attacks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002391">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor organization-defined system resources to determine if sufficient resources exist to prevent effective denial of service attacks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-5 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002392">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the resources to be allocated to protect the availability of system resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-002393">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be employed to protect the availability of system resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-002394">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined controls.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-002395">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement subnetworks for publicly accessible system components that are physically and/or logically separated from internal organizational networks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002396">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the confidentiality and integrity of the information being transmitted across each interface for each external telecommunication service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002397">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using organization-defined safeguards.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002398">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Detect outgoing communications traffic posing a threat to external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (9) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002399">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Deny outgoing communications traffic posing a threat to external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (9) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002400">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Audit the identity of internal users associated with denied outgoing communications traffic posing a threat to external systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (9) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (9) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002401">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the authorized sources from which the system will allow incoming communications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002402">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the authorized destinations for routing inbound communications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002403">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002404">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the host-based boundary protection mechanisms that are to be implemented at organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002405">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components at which organization-defined host-based boundary protection mechanisms will be implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002406">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined host-based boundary protection mechanisms at organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002407">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the managed interfaces at which protect against unauthorized physical connections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (14)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002408">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the communication clients that are independently configured by end users and external service providers which will block both inbound and outbound communications traffic.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (19)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002409">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Block inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (19)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002410">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system components that are to be dynamically isolated from other system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (20)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002411">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to dynamically isolate organization-defined system components from other system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (20)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002412">
- <status>deprecated</status>
- <publishdate>2013-07-02</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002413">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components supporting organization-defined missions and/or business functions that are to be isolated using boundary protection mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002414">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the missions and/or business functions for which boundary protection mechanisms will be employed to isolate the supporting organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002415">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ boundary protection mechanisms to isolate organization-defined system components supporting organization-defined missions and/or business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002416">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement separate network addresses to connect to systems in different security domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (22)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (22)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002417">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable feedback to senders on protocol format validation failure.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (23)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-7 (23)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002418">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the confidentiality and/or integrity of transmitted information.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-002419">
- <status>draft</status>
- <publishdate>2013-07-02</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the alternative physical safeguards to be employed when cryptographic mechanisms are not implemented to protect information during transmission.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002420">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the confidentiality and/or integrity of information during preparation for transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002421">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002422">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the confidentiality and/or integrity of information during reception.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002423">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to protect message externals unless otherwise protected by organization-defined alternative physical controls.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002424">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the alternative physical controls to be employed when cryptographic mechanisms to conceal or randomize communication patterns are not implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002425">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by organization-defined alternative physical controls.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002426">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a trusted communications path that is irrefutably distinguishable from other communications paths.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-11 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002427">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the alternative physical controls to be employed to protect message externals when cryptographic mechanisms are not implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002428">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the requirements for cryptographic key generation to be employed within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002429">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the requirements for cryptographic key distribution to be employed within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002430">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the requirements for cryptographic key storage to be employed within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002431">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the requirements for cryptographic key access to be employed within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002432">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the requirements for cryptographic key destruction to be employed within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002433">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key generation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002434">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key distribution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002435">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002436">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002437">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key destruction.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002438">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key generation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002439">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key distribution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002440">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002441">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002442">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage cryptographic keys when cryptography employed within the system in accordance with organization-defined requirements for key destruction.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002443">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Produce symmetric cryptographic keys using NIST FIPS-validated or NSA-approved key management technology and processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002444">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control symmetric cryptographic keys using NIST FIPS-validated or NSA-approved key management technology and processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002445">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distribute symmetric cryptographic keys using NIST FIPS-validated or NSA-approved key management technology and processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002446">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Produces asymmetric cryptographic keys using: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user's private key; or certificates issued in accordance with organization-defined requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002447">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control asymmetric cryptographic keys using: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user's private key; or certificates issued in accordance with organization-defined requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002448">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distribute asymmetric cryptographic keys using: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user's private key; or certificates issued in accordance with organization-defined requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002449">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the cryptographic uses, and type of cryptography required for each use, to be implemented by the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-13" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-002450">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined types of cryptography for each specified cryptography use.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-13 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-002451">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components from which collaborative computing devices and applications in organization-defined secure work areas are to be disabled or removed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002452">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the online meetings and teleconferences for which the system provides an explicit indication of current participants.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002453">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an explicit indication of current participants in organization-defined online meetings and teleconferences.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-15 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-15 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002454">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security attributes to associate with the information being exchanged between systems and between system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-002455">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Associate organization-defined security attributes with information exchanged between system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-002456">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the certificate policy employed to issue public key certificates.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-17 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-17" />
- </references>
- </cci_item>
- <cci_item id="CCI-002457">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the corrective actions to be taken when organization-defined unacceptable mobile code is identified.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002458">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines what constitutes unacceptable mobile code by using corrective actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002459">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the unacceptable mobile code to prevent download and execution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002460">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined actions prior to executing mobile code.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002461">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allow execution of permitted mobile code only in confined virtual machine environments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-18 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-18 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002462">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide additional data integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-20 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002463">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide data origin artifacts for internal name/address resolution queries.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-20 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-20 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002464">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide data integrity protection artifacts for internal name/address resolution queries.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-20 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-20 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002465">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-21" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-002466">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Request data integrity verification on the name/address resolution responses the system receives from authoritative sources.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-21" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-002467">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-21" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-002468">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-21" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-002469">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the certificate authorities allowed to be used for verification of the establishment of protected sessions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-23 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-23 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002470">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-23 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-23 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002471">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components, with minimal functionality and information storage, to be employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-25" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-25" />
- </references>
- </cci_item>
- <cci_item id="CCI-002472">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information at rest that is to be protected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28" />
- </references>
- </cci_item>
- <cci_item id="CCI-002473">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information at rest for which cryptographic mechanisms will be implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002474">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components which require the implementation of cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information at rest.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002475">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information when at rest on organization-defined system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002476">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002477">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information to be removed from online storage and stored in an offline secure location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002478">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove organization-defined information from online storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002479">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Store organization-defined information in an offline secure location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-28 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002480">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components for which a diverse set of information technologies are to be employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-29" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-29" />
- </references>
- </cci_item>
- <cci_item id="CCI-002481">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ virtualization techniques to support the deployment of a diversity of applications that are changed per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-29 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-29 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002482">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the concealment and misdirection techniques employed for organization-defined systems to confuse and mislead adversaries.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30" />
- </references>
- </cci_item>
- <cci_item id="CCI-002483">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems for which organization-defined concealment and misdirection techniques are to be employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30" />
- </references>
- </cci_item>
- <cci_item id="CCI-002484">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time periods at which to employ organization-defined concealment and misdirection techniques on organization-defined systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30" />
- </references>
- </cci_item>
- <cci_item id="CCI-002485">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined concealment and misdirection techniques for organization-defined information systems at organization-defined time periods to confuse and mislead adversaries.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30" />
- </references>
- </cci_item>
- <cci_item id="CCI-002486">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques to be employed to introduce randomness into organizational operations and assets.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002487">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined techniques to introduce randomness into organizational operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002488">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined techniques to introduce randomness into organizational assets.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002489">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the processing and/or storage locations to be changed at random intervals or at an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002490">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which the location of organization-defined processing and/or storage changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002491">
- <status>deprecated</status>
- <publishdate>2013-07-02</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization changes the location of organization-defined processing and/or storage at an organization-defined time frequency or at random time intervals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002492">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Change the location of organization-defined processing and/or storage at an organization-defined time frequency or at random time intervals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002493">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components in which it will employ realistic but misleading information regarding its security state or posture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002494">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ realistic, but misleading, information in organization-defined system components about its security state or posture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002495">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques to be employed to hide or conceal organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002496">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components to be hidden or concealed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002497">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined techniques to hide or conceal organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-30 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-30 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002498">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert storage and/or timing channels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-31 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-31 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002499">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Estimate the maximum bandwidth of the covert storage and timing channels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-31 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-31 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002500">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the maximum bandwidth values to which covert storage and/or timing channels are to be reduced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-31 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-31 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002501">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reduce the maximum bandwidth for identified covert storage and/or timing channels to organization-defined values.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-31 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-31 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002502">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subset of identified covert channels in the operational environment of the system that are to have the bandwidth measured.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-31 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-31 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002503">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Measure the bandwidth of an organization-defined subset of identified covert channels in the operational environment of the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-31 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-31 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002504">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components into which the system is partitioned.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-32" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-32" />
- </references>
- </cci_item>
- <cci_item id="CCI-002505">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances under which the system components are to be physically or logically separated to support partitioning.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-32" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-32" />
- </references>
- </cci_item>
- <cci_item id="CCI-002506">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Partitions the system into organization-defined system components residing in separate physical or logical domains or environments based on organization-defined circumstances for physical or logical separation of components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-32" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-32" />
- </references>
- </cci_item>
- <cci_item id="CCI-002507">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control read-only media after information has been recorded onto the media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-34 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002508">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system firmware components for which hardware-based, write-protect is employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-51 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002509">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ hardware-based, write-protect for organization-defined information system firmware components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-51 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002510">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the individuals authorized to manually disable hardware-based, write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-51 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002511">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement specific procedures for organization-defined authorized individuals to manually disable hardware-based, write-protect for firmware modifications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-51 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002512">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement specific procedures for organization-defined authorized individuals to manually re-enable hardware write-protect prior to returning to operational mode.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-51 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-34 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002513">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the processing that is to be distributed across multiple physical locations or logical domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-36" />
- </references>
- </cci_item>
- <cci_item id="CCI-002514">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the storage components that is to be distributed across multiple physical locations or logical domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-36" />
- </references>
- </cci_item>
- <cci_item id="CCI-002515">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distributes organization-defined processing across multiple physical locations or logical domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-36" />
- </references>
- </cci_item>
- <cci_item id="CCI-002516">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distributes organization-defined storage components across multiple physical locations or logical domains.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-36" />
- </references>
- </cci_item>
- <cci_item id="CCI-002517">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the distributed processing components that are to be polled to identify potential faults, errors, or compromises.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-36 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002518">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the distributed storage components that are to be polled to identify potential faults, errors, or compromises.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-36 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002519">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ polling techniques to identify potential faults, errors, or compromises to organization-defined distributed processing components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-36 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002520">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ polling techniques to identify potential faults, errors, or compromises to organization-defined distributed storage components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-36 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002521">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the out-of-band channels to be employed for the physical delivery or electronic transmission of organization-defined information, system components, or devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-37" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-37" />
- </references>
- </cci_item>
- <cci_item id="CCI-002522">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information, system components, or devices that are to be electronically transmitted or physically delivered via organization-defined out-of-band channels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-37" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-37" />
- </references>
- </cci_item>
- <cci_item id="CCI-002523">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the individuals or systems authorized to be recipients of organization-defined information, system components, or devices to be delivered by employing organization-defined out-of-band channels for electronic transmission or physical delivery.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-37, SC-37 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-37" />
- </references>
- </cci_item>
- <cci_item id="CCI-002524">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined out-of-band channels for the physical delivery or electronic transmission of organization-defined information, system components, or devices to organization-defined individuals or systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-37" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-37" />
- </references>
- </cci_item>
- <cci_item id="CCI-002525">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be employed to ensure only organization-defined individuals or information systems receive organization-defined information, information system components, or devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-37 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-37 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002526">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information, system components, or devices which are to be received only by organization-defined individuals or systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-37 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-37 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002527">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined controls to ensure only organization-defined individuals or systems receive the organization-defined information, system components, or devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-37 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-37 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002528">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the operations security controls to be employed to protect key organizational information throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-38" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-38" />
- </references>
- </cci_item>
- <cci_item id="CCI-002529">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined operations security controls to protect key organizational information throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-38" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-38" />
- </references>
- </cci_item>
- <cci_item id="CCI-002530">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain a separate execution domain for each executing system process.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-39" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-39" />
- </references>
- </cci_item>
- <cci_item id="CCI-002531">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement hardware separation mechanisms to facilitate process isolation.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-39 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-39 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002532">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the multi-threaded processing in which a separate execution domain is maintained by the system for each thread.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-39 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-39 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002533">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain a separate execution domain for each thread in organization-defined multi-threaded processing.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-39 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-39 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002534">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines types of signal parameter attacks or references to sources for such attacks from which the system protects organization-defined wireless links.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40" />
- </references>
- </cci_item>
- <cci_item id="CCI-002535">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external and internal wireless links the system is to protect from organization-defined types of signal parameter attacks or references to sources for such attacks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40" />
- </references>
- </cci_item>
- <cci_item id="CCI-002536">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect organization-defined external and internal wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40" />
- </references>
- </cci_item>
- <cci_item id="CCI-002537">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the level of protection against the effects of intentional electromagnetic interference to be achieved by implemented cryptographic mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002538">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms that achieve an organization-defined level of protection against the effects of intentional electromagnetic interference.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002539">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the level of reduction the system is to implement to reduce the detection potential of wireless links.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002540">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to reduce the detection potential of wireless links to an organization-defined level of reduction.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002541">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002542">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the wireless transmitters that are to have cryptographic mechanisms implemented to prevent the identification of the wireless transmitters.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002543">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to prevent the identification of organization-defined wireless transmitters by using the transmitter signal parameters.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-40 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-40 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002544">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components on which organization-defined connection ports or input/output devices are to be physically or logically disabled or removed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-41" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-41" />
- </references>
- </cci_item>
- <cci_item id="CCI-002545">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the connection ports or input/output devices that are to be physically or logically disabled or removed from organization-defined systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-41" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-41" />
- </references>
- </cci_item>
- <cci_item id="CCI-002546">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Physically or logically disable or remove organization-defined connection ports or input/output devices on organization-defined systems or system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-41" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-41" />
- </references>
- </cci_item>
- <cci_item id="CCI-002547">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the exceptions where remote activation of sensors is allowed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002548">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems; and/or the remote activation of environmental sensing capabilities on organizational systems or system components except for the organization-defined exceptions where remote activation of sensors is allowed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002549">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the class of users to receive explicit indication of sensor use.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002550">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an explicit indication of sensor use to the organization-defined class of users.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002551">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the sensors to be configured so that collected data or information is reported only to authorized individuals or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002552">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that the system is configured so that data or information collected by the organization-defined sensors is only reported to authorized individuals or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002553">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the measures to be employed to ensure data or information collected by organization-defined sensors is used only for authorized purposes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002554">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the sensors that are to collect data or information for authorized purposes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002555">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined measures, so that data or information collected by organization-defined sensors is only used for authorized purposes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002556">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the environmental sensing capabilities prohibited on devices used in organization-defined facilities, areas, or systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002557">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the facilities, areas, or systems where devices processing organization-defined environmental sensing capabilities are prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002558">
- <status>draft</status>
- <publishdate>2013-07-02</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-42 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002559">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components for which usage restrictions and implementation guidance are to be established.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-43 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-43 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002560">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish usage restrictions and implementation guidance for organization-defined system components based on the potential to cause damage to the system if used maliciously.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-43 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-43 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002561">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize the use of organization-defined system components which have the potential to cause damage to the system if used maliciously.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-43 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-43 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002562">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the use of organization-defined system components which have the potential to cause damage to the system if used maliciously.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-43 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-43 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002563">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control the use of organization-defined system components which have the potential to cause damage to the system if used maliciously.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-43 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-43 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002564">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system, system component, or location where a detonation chamber capability is employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-44" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-44" />
- </references>
- </cci_item>
- <cci_item id="CCI-002565">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a detonation chamber capability within an organization-defined system, system component, or location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-44" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-44" />
- </references>
- </cci_item>
- <cci_item id="CCI-002566">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines personnel or roles to whom a media protection policy and procedures will be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002567">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and approve media sanitization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002568">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track and document media sanitization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002569">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify media sanitization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002570">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and approve media disposal actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002571">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track and document media disposal actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002572">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify media disposal actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002573">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce dual authorization for the sanitization of organization-defined system media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002574">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system media that dual authorization is enforced for sanitization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002575">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines systems or system components from which information is purged or wiped, either remotely or under the organization-defined conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002576">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines conditions under which information from organization-defined systems or system components are to be purged or wiped.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002577">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to purge or wipe information from organization-defined systems, system components either remotely or under organization-defined conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002578">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system media to sanitize prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002579">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the sanitization techniques and procedures to be used to sanitize organization-defined system media prior to disposal, release out of organizational control, or release for reuse.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002580">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002581">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the types of system media to restrict or prohibit on organization-defined systems or system components using organization-defined controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-7 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-002582">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components on which to restrict or prohibit the use of organization-defined types of system media using organization-defined controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-7 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-002583">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to use for restricting or prohibiting the use of organization-defined types of system media on organization-defined systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-7 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-002584">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict or prohibit the use of organization-defined types of system media on organization-defined systems or system components using organization-defined controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-7 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-002585">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-7 (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002586">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of sanitization-resistant media in organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002587">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document system media downgrading actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002588">
- <status>draft</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined tests of downgrading equipment in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002589">
- <status>draft</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs procedures to verify correct performance of organization-defined tests of downgrading equipment in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002590">
- <status>draft</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines tests to employ for downgrading equipment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002591">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to test downgrading equipment and procedures to ensure correct performance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002592">
- <status>draft</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines Controlled Unclassified Information (CUI).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002593">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Downgrade system media containing Controlled Unclassified Information (CUI) prior to public release.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002594">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Downgrade system media containing classified information prior to release to individuals without required access authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002595">
- <status>deprecated</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes an organization-defined information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002596">
- <status>draft</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes and defines an information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002597">
- <status>draft</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines strength and integrity for downgrading mechanisms to establish an organization-defined information system media downgrading process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002598">
- <status>draft</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002599">
- <status>draft</status>
- <publishdate>2013-07-09</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines and identifies the information system media requiring downgrading.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002600">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Downgrade the identified system media using the established process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MP-8 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002601">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the system and information integrity policy and procedures are to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002602">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test firmware updates related to flaw remediation for effectiveness before installation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002603">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test firmware updates related to flaw remediation for potential side effects before installation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002604">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period following the release of updates within which security-related software updates are to be installed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002605">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Install security-relevant software updates within an organization-defined time period of the release of the updates.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002606">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period following the release of updates within which security-related firmware updates are to be installed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002607">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Install security-relevant firmware updates within an organization-defined time period of the release of the updates.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002608">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined benchmarks for the time taken to apply corrective actions after flaw identification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002609">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components on which organization-defined security-relevant software updates will be automatically installed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002610">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components on which organization-defined security-relevant firmware updates will be automatically installed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002611">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security-relevant software updates to be automatically installed on organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002612">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security-relevant firmware updates to be automatically installed on organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002613">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Install organization-defined security-relevant software updates automatically to organization-defined system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002614">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Install organization-defined security-relevant firmware updates automatically to organization-defined system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002615">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software components to remove previous versions after updated versions have been installed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002616">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the firmware components to remove previous versions after updated versions have been installed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002617">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove previous versions of organization-defined software components after updated versions have been installed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002618">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove previous versions of organization-defined firmware components after updated versions have been installed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-2 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002619">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs malicious code protection mechanisms at information system entry points to detect malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002620">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs malicious code protection mechanisms at information system exit points to detect malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002621">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs malicious code protection mechanisms at information system entry points to eradicate malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002622">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs malicious code protection mechanisms at information system exit points to eradicate malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002623">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for performing periodic scans of the system for malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002624">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Configure malicious code protection mechanisms to perform real-time scans of files from external sources at endpoint; and/or network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 c 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002625">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When testing malicious code protection mechanisms, verify the detection of the code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (6) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (6) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002626">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When testing malicious code protection mechanisms, verify the associated incident reporting of the code occurs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (6) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (6) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002627">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements nonsignature-based malicious code detection mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002628">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the unauthorized operating system commands that are to be detected through the kernel application programming interface on organization-defined system hardware components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (8) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002629">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system hardware components that are to detect organization-defined unauthorized operating system commands through the kernel programming application interface.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (8) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002630">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Detect organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined system hardware components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (8) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002631">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Issue a warning; audit the command execution; and/or prevent the execution of the command when organization-defined unauthorized operating system commands are detected.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (8) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002632">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the remote commands that are to be authenticated using organization-defined safeguards for malicious code protection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002633">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security safeguards to be implemented to authenticate organization-defined remote commands for malicious code protection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002634">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the tools to be employed to analyze the characteristics and behavior of malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (10) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (10) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002635">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques to be employed to analyze the characteristics and behavior of malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (10) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (10) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002636">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined tools to analyze the characteristics and behavior of malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (10) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (10) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002637">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system implements organization-defined security safeguards to authenticate organization-defined remote commands for malicious code protection.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002638">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined techniques to analyze the characteristics and behavior of malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (10) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (10) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002639">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate the results from malicious code analysis into organizational incident response processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (10) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (10) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002640">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate the results from malicious code analysis into organizational flaw remediation processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 (10) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-3 (10) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002641">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002642">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the system to detect unauthorized local connections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002643">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the system to detect unauthorized network connections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002644">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the system to detect unauthorized remote connections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002645">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques and methods to be used to identify unauthorized use of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002646">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify unauthorized use of the system through organization-defined techniques and methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002647">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects information obtained from intrusion-monitoring tools from unauthorized access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002648">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects information obtained from intrusion-monitoring tools from unauthorized modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002649">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects information obtained from intrusion-monitoring tools from unauthorized deletion.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002650">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system monitoring information that is to be provided the organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-002651">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles that are to be provided organization-defined system monitoring information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-002652">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which the organization will provide the organization-defined system monitoring information to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-002653">
- <status>deprecated</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-002654">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide organization-defined system monitoring information to organization-defined personnel or roles as needed, and/or per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-002655">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Connects individual intrusion detection tools into an system-wide intrusion detection system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002656">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Configures individual intrusion detection tools into an system-wide intrusion detection system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002657">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated tools to integrate intrusion detection tools into access control mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002658">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated tools to integrate intrusion detection tools into flow control mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002659">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which it will monitor inbound communications for unusual or unauthorized activities or conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002660">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which it will monitor outbound communications for unusual or unauthorized activities or conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002661">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor inbound communications traffic per organization-defined frequency for organization-defined unusual or unauthorized activities or conditions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002662">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor outbound communications traffic per organization-defined frequency for organization-defined unusual or unauthorized activities or conditions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002663">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to receive alerts when organization-defined indicators of compromise or potential compromise occur.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002664">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Alert organization-defined personnel or roles when organization-defined compromise indicators generate the occurrence of a compromise or a potential compromise.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002665">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the encrypted communications traffic that is to be visible to organization-defined system monitoring tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002666">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system monitoring tools that will have visibility into organization-defined encrypted communications traffic.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002667">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Make provisions so that organization-defined encrypted communications traffic is visible to organization-defined system monitoring tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002668">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the interior points within the system where outbound communications will be analyzed to discover anomalies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002669">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use the traffic and event profiles in tuning system-monitoring devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (13) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (13) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002670">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the interior points within the system where outbound communications will be analyzed to detect covert exfiltration of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (18)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (18)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002671">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze outbound communications traffic at the external interfaces of the system to detect covert exfiltration of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (18)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (18)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002672">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze outbound communications traffic at organization-defined interior points within the system to detect covert exfiltration of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (18)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (18)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002673">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the additional monitoring to be implemented for individuals identified as posing an increased level of risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (19)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002674">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the sources that may be used to identify individuals who pose an increased level of risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (19)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002675">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined additional monitoring of individuals who have been identified by organization-defined sources as posing an increased level of risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (19)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002676">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines additional monitoring to be implemented for privileged users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (20)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002677">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined additional monitoring of privileged users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (20)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002678">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines additional monitoring to be implemented for individuals during an organization-defined probationary period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002679">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the probationary period during which additional monitoring will be implemented for individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002680">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined additional monitoring of individuals during an organization-defined probationary period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (21)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002681">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the authorization or approval process for network services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (22) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (22)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002682">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be alerted when unauthorized or unapproved network services are detected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (22) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (22)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002683">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Detect network services that have not been authorized or approved by the organization-defined authorization or approval processes.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (22) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (22)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002684">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Audit and/or alert organization-defined personnel when unauthorized network services are detected.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (22) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (22)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002685">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the host-based monitoring mechanisms to be implemented at organization-defined information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (23)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (23)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002686">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components at which organization-defined host-based monitoring mechanisms are to be implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (23)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (23)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002687">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined host-based monitoring mechanisms at organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (23)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (23)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002688">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Discover indicators of compromise.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (24)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (24)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002689">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Collects indicators of compromise.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (24)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (24)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002690">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distribute indicators of compromise provided by organization-defined sources, to organization-defined personnel or roles.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (24)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (24)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002691">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system uses indicators of compromise.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-4 (24)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002692">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external organizations from which it receives information system security alerts, advisories, and directives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002693">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements within the organization to whom the organization will disseminate security alerts, advisories, and directives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002694">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external organizations to which the organization will disseminate security alerts, advisories, and directives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002695">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security functions that require verification of correct operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002696">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify correct operation of organization-defined security functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002697">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which it will verify correct operation of organization-defined security functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002698">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system transitional states when the system will verify correct operation of organization-defined security functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002699">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002700">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be notified when security verification tests fail.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002701">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines alternative action(s) to be taken when anomalies in the operation of organization-defined security functions are discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002702">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002703">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software, firmware, and information which will be subjected to integrity verification tools to detect unauthorized changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-002704">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-002705">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software on which integrity checks will be performed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002706">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the firmware on which integrity checks will be performed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002707">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information on which integrity checks will be performed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002708">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the transitional state or security-relevant events when performing integrity checks on software, firmware, and information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002709">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which integrity checks of software, firmware, and information will be performed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002710">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform an integrity check of organization-defined software at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002711">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform an integrity check of organization-defined firmware at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002712">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform an integrity check of organization-defined information at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002713">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be notified when discrepancies are discovered during integrity verification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002714">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls that are to be employed when integrity violations are discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002715">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically shut the system down, restart the system, and/or implement organization-defined controls when integrity violations are discovered.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002716">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to detect unauthorized changes to software.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002717">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to detect unauthorized changes to firmware.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002718">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to detect unauthorized changes to information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002719">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the unauthorized security-relevant changes to the system that are to be incorporated into the organizational incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002720">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate the detection of organization-defined security-relevant unauthorized changes into the organizational incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002721">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles that are to be alerted when a potential integrity violation is detected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002722">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines other actions that can be taken when a potential integrity violation is detected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002723">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Upon detection of a potential integrity violation, provides the capability to audit the event.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002724">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Upon detection of a potential integrity violation, initiate one or more of the following actions: generate an audit record; alert the current user; alert organization-defined personnel or roles; and/or organization-defined other actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002725">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system component which will have the integrity of the boot process verified.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002726">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify the integrity of the boot process of organization-defined system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002727">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mechanisms to be implemented to protect the integrity of the boot firmware in organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002728">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components on which organization-defined mechanisms will be implemented to protect the integrity of the boot firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002729">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined mechanisms to protect the integrity of boot firmware in organization-defined system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002730">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the user-installed software that is to be executed in a confined physical or virtual machine environment with limited privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002731">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that organization-defined user-installed software execute in a confined physical or virtual machine environment with limited privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002732">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the user-installed software that is to have its integrity verified prior to execution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002733">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the integrity of organization-defined user-installed software be verified prior to execution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (12)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002734">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles which have the authority to explicitly approve binary or machine-executable code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (13)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002735">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002736">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only with the explicit approval of organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002737">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (14) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002738">
- <status>draft</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (14) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002739">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software or firmware components on which cryptographic mechanisms are to be implemented to support authentication prior to installation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (15)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002740">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (15)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-7 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002741">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ spam protection mechanisms at system entry points to detect and take action on unsolicited messages.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002742">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ spam protection mechanisms at system exit points to detect and take action on unsolicited messages.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002743">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-8 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002744">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the inputs on which the system is to conduct validity checks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-002745">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the inputs defined in base control (SI-10), which provide a manual override capability for input validation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002746">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a manual override capability for input validation of organization-defined inputs defined in base control (SI-10).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002747">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the individuals who have the authorization to use the manual override capability for input validation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002748">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the use of the manual override capability to only organization-defined authorized individuals.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002749">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Audit the use of the manual override capability.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (1) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002750">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period within which input validation errors are to be reviewed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002751">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period within which input validation errors are to be resolved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002752">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review input validation errors within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002753">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Resolve input validation errors within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002754">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that the system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002755">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Account for timing interactions among system components in determining appropriate responses for invalid inputs.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002756">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the trusted sources to which the usage of information inputs will be restricted (e.g., whitelisting).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002757">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the acceptable formats to which information inputs are restricted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002758">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the use of information inputs to organization-defined trusted sources and/or organization-defined formats.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-10 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002759">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom error messages are to be revealed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002760">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determines mean time to failure (MTTF) for organization-defined system components in specific environments of operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002761">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components in specific environments of operation for which the mean time to failure (MTTF) is to be determined.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002762">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mean time to failure (MTTF) substitution criteria to be employed as a means to determine the need to exchange active and standby components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002763">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides a means to exchange active and standby components in accordance with the organization-defined mean time to failure (MTTF) substitution criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-13 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002764">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines non-persistent system components and services to be implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-002765">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which the organization-defined non-persistent system components and services will be terminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-002766">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined non-persistence system components and services that are initiated in a known state.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-002767">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined non-persistence system components and services that are terminated upon end of session of use and/or periodically at an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-002768">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the trusted sources from which it obtains software and data employed during the refreshing of non-persistent system components and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-14 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002769">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain software and data employed during non-persistent system component and service refreshes are obtained from organization-defined trusted sources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-14 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002770">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software programs and/or applications from which the system is to validate the information output to ensure the information is consistent with expected content.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-15" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-002771">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Validate information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-15" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-002772">
- <status>deprecated</status>
- <publishdate>2013-07-11</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security safeguards to be implemented to protect the information system's memory from unauthorized code execution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-002773">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the fail-safe procedures to be implemented when organization-defined failure conditions occur.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-17" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-17" />
- </references>
- </cci_item>
- <cci_item id="CCI-002774">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the failure conditions which, when they occur, will result in the information system implementing organization-defined fail-safe procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-17" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-17" />
- </references>
- </cci_item>
- <cci_item id="CCI-002775">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined fail-safe procedures when organization-defined failure conditions occur.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-17" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-17" />
- </references>
- </cci_item>
- <cci_item id="CCI-002776">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organization-level; mission/business process-level; and/or system-level incident response policy is disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002777">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the incident response procedures are disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002778">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period in which system users who assume an incident response role or responsibility receive incident response training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002779">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide incident response training to system users consistent with assigned roles and responsibilities when required by system changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002780">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate incident response testing with organizational elements responsible for related plans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002781">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components for dynamic reconfiguration as part of the incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002782">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement an incident handling capability for incidents involving insider threats.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002783">
- <status>draft</status>
- <publishdate>2013-07-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization coordinates an incident handling capability for insider threats across organization-defined components or elements of the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002784">
- <status>draft</status>
- <publishdate>2013-07-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines components or elements of the organization across which an incident handling capability for insider threats will be coordinated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002785">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate with organization-defined external organizations to correlate and share organization-defined incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002786">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines external organizations with which to correlate and share organization-defined incident information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002787">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines incident information to correlate and share with organization-defined external organizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002788">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined dynamic response capabilities to effectively respond to incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002789">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines dynamic response capabilities to effectively respond to incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002790">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002791">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines authorities to whom incident information is reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002792">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines personnel or roles to whom system vulnerabilities associated with reported incident information are reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002793">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide incident information to other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002794">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002795">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that provides the organization with a roadmap for implementing its incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002796">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that describes the structure and organization of the incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002797">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that provides a high-level approach for how the incident response capability fits into the overall organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-002798">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that meets the unique requirements of the organization, which relate to mission, size, structure, and functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-002799">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that defines reportable incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 5" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 5" />
- </references>
- </cci_item>
- <cci_item id="CCI-002800">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that provides metrics for measuring the incident response capability within the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 6" />
- </references>
- </cci_item>
- <cci_item id="CCI-002801">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that defines the resources and management support needed to effectively maintain and mature an incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 7" />
- </references>
- </cci_item>
- <cci_item id="CCI-002802">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines personnel or roles to review and approve the incident response plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 a 8" />
- </references>
- </cci_item>
- <cci_item id="CCI-002803">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines incident response personnel (identified by name and/or by role) and organizational elements to whom incident response plan changes will be communicated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-002804">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the incident response plan from unauthorized disclosure and modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-8 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002805">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to information spills by identifying the specific information involved in the system contamination.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002806">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to information spills by alerting organization-defined personnel or roles of the information spill using a method of communication not associated with the spill.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002807">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be alerted of information spills using a method of communication not associated with the spill.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002808">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to information spills by isolating the contaminated system or system component.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002809">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to information spills by eradicating the information from the contaminated system or component.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002810">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to information spills by identifying other systems or system components that may have been subsequently contaminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-002811">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to information spills by performing additional organization-defined actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002812">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines additional actions required to respond to information spills.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002813">
- <status>draft</status>
- <publishdate>2013-07-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization assigns organization-defined personnel or roles with responsibility for responding to information spills.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002814">
- <status>deprecated</status>
- <publishdate>2013-07-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization assigns organization-defined personnel or roles with responsibility for responding to information spills.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002815">
- <status>draft</status>
- <publishdate>2013-07-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines personnel or roles to whom responsibility for responding to information spills will be assigned.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002816">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide information spillage response training according to an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002817">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to provide information spillage response training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002818">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002819">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002820">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined controls for personnel exposed to information not within assigned access authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002821">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be employed for personnel exposed to information not within assigned access authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002822">
- <status>draft</status>
- <publishdate>2013-07-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IR-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-002823">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be implemented to protect the system's memory from unauthorized code execution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-002824">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined controls to protect its memory from unauthorized code execution.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SI-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-002825">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organizational-level; mission/business process-level; and/or system-level contingency planning policy is to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002826">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines personnel or roles to whom the contingency planning procedures are disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002827">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002828">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify critical system assets supporting all or essential mission functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002829">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify critical system assets supporting all or essential business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002830">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who review and approve the contingency plan for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 7" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 a 6" />
- </references>
- </cci_item>
- <cci_item id="CCI-002831">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a list of key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002832">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protects the contingency plan from unauthorized disclosure and modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 h" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-2 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-002833">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period that contingency training is to be provided to system users consistent with assigned roles and responsibilities within assuming a contingency role or responsibility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002834">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide contingency training to system users consistent with assigned roles and responsibilities when required by system changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002835">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-4 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002836">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the alternate storage site provides security controls equivalent to that of the primary site.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002837">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan for circumstances that preclude returning to the primary processing site.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002838">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prepare for circumstances that preclude returning to the primary processing site.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002839">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system operations that are permitted to transfer and resume at an alternate processing site for essential missions/business functions when the primary processing capabilities are unavailable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002840">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system operations to be resumed for essential mission functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-002841">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-002842">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review provider contingency plans to ensure that the plans meet organizational contingency requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002843">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to obtain evidence of contingency testing by providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (4) (c) " />
- </references>
- </cci_item>
- <cci_item id="CCI-002844">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to obtain evidence of contingency training by providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (4) (c) " />
- </references>
- </cci_item>
- <cci_item id="CCI-002845">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain evidence of contingency testing by providers in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (4) (c) " />
- </references>
- </cci_item>
- <cci_item id="CCI-002846">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain evidence of contingency training by providers in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (4) (c) " />
- </references>
- </cci_item>
- <cci_item id="CCI-002847">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to test alternate telecommunication services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002848">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test alternate telecommunication services per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002849">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines critical system software and other security-related information, of which backup copies must be stored in a separate facility or in a fire-rated container.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002850">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Store backup copies of organization-defined critical system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002851">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the backup information that requires dual authorization for deletion or destruction.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002852">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce dual authorization for the deletion or destruction of organization-defined backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-9 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002853">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-11" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-002854">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the alternative communications protocols the system must be capable of providing in support of maintaining continuity of operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-11" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-002855">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002856">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions that, when detected, the information system enters a safe mode of operation with organization-defined restrictions of safe mode of operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002857">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the restrictions of the safe mode of operation that the system will enter when organization-defined conditions are detected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002858">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined alternative or supplemental security mechanisms for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-13" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-002859">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-13" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-002860">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-13" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="CP-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-002861">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom an organization-level; mission/business process-level; and/or system-level maintenance policy is disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002862">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom system maintenance procedures are to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002863">
- <status>draft</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to schedule, conduct, and document repairs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002864">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Produce up-to date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002865">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Produce up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002866">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Schedule maintenance on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002867">
- <status>draft</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization performs maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 a " />
- </references>
- </cci_item>
- <cci_item id="CCI-002868">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document records of maintenance on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002869">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review records of maintenance on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002870">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Schedule repair on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002871">
- <status>draft</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization performs repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002872">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document repair on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002873">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review records of repairs on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002874">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who can explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repairs or replacement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002875">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include organization-defined information in organizational maintenance records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002876">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information to include in organizational maintenance records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002877">
- <status>deprecated</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prevents the unauthorized removal of maintenance equipment containing organizational information by verifying that there is no organizational information contained on the equipment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002878">
- <status>deprecated</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prevents the unauthorized removal of maintenance equipment containing organizational information by sanitizing or destroying the equipment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002879">
- <status>deprecated</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002880">
- <status>deprecated</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002881">
- <status>deprecated</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization prevents the unauthorized removal of maintenance equipment containing organizational information by obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (3) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002882">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who can provide an exemption that explicitly authorizes removal of equipment from the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 (3) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (3) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002883">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the use of maintenance tools to authorized personnel only.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002884">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002885">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the audit events for logged for nonlocal maintenance and diagnostic sessions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002886">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002887">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the authenticators that are replay resistant which will be employed to protect nonlocal maintenance sessions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002888">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles authorized to approve each nonlocal maintenance session.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002889">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify organization-defined personnel or roles of the date and time of planned nonlocal maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (5) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002890">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002891">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002892">
- <status>draft</status>
- <publishdate>2013-07-22</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002893">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002894">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002895">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002896">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components for which it obtains maintenance support and/or spare parts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-002897">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a time period for obtaining maintenance support and/or spare parts for organization-defined system components after a failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-002898">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform preventive maintenance on organization-defined information system components at organization-defined time intervals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002899">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system components on which to perform preventive maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002900">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines time intervals at which to perform preventive maintenance on organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002901">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform predictive maintenance on organization-defined system components at organization-defined intervals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002902">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system components on which to perform predictive maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002903">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines time intervals at which to perform predictive maintenance on organization-defined system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002904">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Transfer predictive maintenance data to a maintenance management system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002905">
- <status>draft</status>
- <publishdate>2013-08-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to schedule, conduct, and document maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-2 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002906">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the vulnerability scanning activities in which the system implements privileged access authorization to organization-identified information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002907">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system mode to be invoked, such as a full system shutdown, a partial system shutdown, or a degraded operational mode with limited mission or business functionality available, in the event of organization-defined audit logging failures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AU-5 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002908">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom an organization-level; mission/business process-level; and/or system-level physical and environmental protection policy is disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002909">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the physical and environmental protection procedures are disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002910">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve a list of individuals with authorized access to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002911">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain a list of individuals with authorized access to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002912">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a list of acceptable forms of identification for visitor access to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002913">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict unescorted access to the facility where the system resides to personnel with one or more of the following: security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; organization-defined physical access authorizations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002914">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the credentials required for personnel to have unescorted access to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-2 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002915">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the entry and exit points to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002916">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the physical access control systems or devices or guards that control ingress and egress to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002917">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain physical access audit logs for organization-defined entry/exit points to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002918">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines entry and exit points to the facility where the system resides that require physical access audit logs be maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002919">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control access to areas within the facility designated as publicly accessible by implementing organization-defined access controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002920">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines physical access controls to control access to areas within the facility designated as publicly accessible.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002921">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Escort visitors in the facility where the information system resides during organization-defined circumstances requiring visitor escorts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002922">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines circumstances requiring visitor escorts in the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002923">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor visitor activity in the facility where the system resides during organization-defined circumstances requiring visitor monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002924">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines circumstances requiring visitor monitoring in the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002925">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the physical access devices to inventory.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-002926">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the physical spaces containing one or more components of the system that require physical access authorizations and controls at the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002927">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to perform security checks at the physical boundary of the facility or system for exfiltration of information or removal of system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002928">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines anti-tamper technologies to detect and prevent physical tampering or alteration of organization-defined hardware components within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002929">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines hardware components within the system for which to employ organization-defined security safeguards to detect and prevent physical tampering or alteration.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002930">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines system distribution and transmission lines within organizational facilities to control physical access to using organization-defined security controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-002931">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security controls to control physical access to organization-defined system distribution and transmission lines within organizational facilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-002932">
- <status>draft</status>
- <publishdate>2013-08-27</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls physical access to output from organization-defined output devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002933">
- <status>draft</status>
- <publishdate>2013-08-27</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines output devices for which physical access to output is controlled.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002934">
- <status>draft</status>
- <publishdate>2013-08-27</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that only authorized individuals receive output from organization-defined output devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002935">
- <status>draft</status>
- <publishdate>2013-08-27</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system controls physical access to output from organization-defined output devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-5 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002936">
- <status>draft</status>
- <publishdate>2013-08-27</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The information system links individual identity to receipt of output from organization-defined output devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-5 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002937">
- <status>draft</status>
- <publishdate>2013-08-27</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization marks organization-defined information system output devices indicating the appropriate security marking of the information permitted to be output from the device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002938">
- <status>draft</status>
- <publishdate>2013-08-27</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information system output devices marked indicating the appropriate security marking of the information permitted to be output from the device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-5 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002939">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002940">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review physical access logs upon occurrence of organization-defined events or potential indications of events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002941">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines events or potential indications of events requiring review of physical access logs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002942">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Recognize organization-defined classes or types of intrusions, using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002943">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the classes or types of intrusions to recognize using automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002944">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Initiate organization-defined response actions to organization-defined classes or types of intrusions, using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002945">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the response actions to initiate when organization-defined classes or types of intrusions are recognized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002946">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ video surveillance of organization-defined operational areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002947">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the operational areas in which to employ video surveillance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002948">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain video surveillance recordings for an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (3) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002949">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period to retain video surveillance recordings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (3) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002950">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor physical access to the system in addition to the physical access monitoring of the facility as organization-defined physical spaces containing one or more components of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002951">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines physical spaces containing one or more components of the information system in which physical access is monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-6 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002952">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period to maintain visitor access records to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002953">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ redundant power cabling paths that are physically separated by an organization-defined distance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002954">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the distance by which to physically separate redundant power cabling paths.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-9 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002955">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an uninterruptible power supply to facilitate an orderly shutdown of the system, and/or transition of the system to long-term alternate power in the event of a primary power source loss.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-11" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-002956">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an alternate power supply for the system that is activated manually or automatically and that is self-contained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-11 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-11 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002957">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an alternate power supply for the system that is activated manually or automatically and that is not reliant on external power generation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-11 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-11 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002958">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an alternate power supply for the system that is activated manually or automatically and that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-11 (2) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-11 (2) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002959">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides emergency lighting for all areas within the facility supporting essential mission functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002960">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide emergency lighting for all areas within the facility supporting essential business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-12 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002961">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ fire detection systems for the system that activate automatically.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002962">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ fire detection systems for the system that automatically activate to notify organization-defined personnel or roles and organization-defined emergency responders in the event of a fire.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002963">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be notified in the event of a fire.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002964">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the emergency responders to be notified in the event of a fire.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002965">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ fire suppression systems for the system that activate automatically and notify organization-defined personnel or roles and organization-defined emergency responders.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002966">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be automatically notified of any activation of fire suppression systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002967">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the emergency responders to be automatically notified of any activation of fire suppression systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002968">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the facility undergoes, on an organization-defined frequency, fire protection inspections by authorized and qualified inspectors.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002969">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency with which the facility undergoes fire protection inspections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002970">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the identified deficiencies are resolved within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002971">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period within which to resolve deficiencies identified during facility fire protection inspections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-13 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-13 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002972">
- <status>draft</status>
- <publishdate>2013-08-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-15 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002973">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be alerted when automated mechanisms detect the presence of water near the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-15 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-15 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002974">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines types of system components to authorize and control entering and exiting the facility and to maintain records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-16 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-002975">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines controls to employ at alternate work sites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-17 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002976">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines physical and environmental hazards that could cause potential damage to system components within the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-18" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-18" />
- </references>
- </cci_item>
- <cci_item id="CCI-002977">
- <status>draft</status>
- <publishdate>2013-08-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002978">
- <status>draft</status>
- <publishdate>2013-08-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization considers the physical and environmental hazards in its risk mitigation strategy for existing facilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-002979">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-20" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002980">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-20" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002981">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the assets within the organization-defined controlled areas which are to be tracked and monitored for their location and movement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-20" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002982">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines controlled areas where the location and movement of organization-defined assets are tracked and monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-20" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-002983">
- <status>draft</status>
- <publishdate>2013-08-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PE-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002984">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide information security program plan that reflects the coordination among organizational entities responsible for information security.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-002985">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002986">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-002987">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide information security plan that reflects the coordination among organizational entities responsible for information security.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-002988">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 a 4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-002989">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the information security program plan from unauthorized disclosure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002990">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the information security program plan from unauthorized modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-002991">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-4 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002992">
- <status>draft</status>
- <publishdate>2013-08-29</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are reported in accordance with OMB FISMA reporting requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-4 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-002993">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review plans of action and milestones for the security program and associated organization systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-002994">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the risk management strategy in accordance with organization-defined frequency or as required, to address organizational changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-9 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002995">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the risk management strategy to address organizational changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-9 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-002996">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement an insider threat program that includes a cross-discipline insider threat incident handling team.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-002997">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a security workforce development and improvement program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-13" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-002998">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security testing activities associated with organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-002999">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security testing activities associated with organizational systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003000">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security training activities associated with organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003001">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security training activities associated with organizational systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003002">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003003">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003004">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security testing associated with organizational systems continue to be executed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003005">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security training associated with organizational systems continue to be executed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003006">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational systems continue to be executed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003007">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review testing plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003008">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review training plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003009">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003010">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and institutionalize contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-15 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-15 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003011">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and institutionalize contact with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-15 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003012">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and institutionalize contact with selected groups and associations within the security community to share current security information including threats, vulnerabilities, and incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-15 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-15 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003013">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PM-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-003014">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined mandatory access control policies over all subjects and objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003015">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Specifies that organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by any defined subset (or all) of the above constraints.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (3) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AC-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003016">
- <status>draft</status>
- <publishdate>2013-09-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, upon termination of individual employment, notifies organization-defined personnel or roles within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003017">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom an organization-level; mission/business process-level; and/or system-level personnel security policy is disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003018">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the personnel security procedures are disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003019">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003020">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy organization-defined additional personnel screening criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003021">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines additional personnel screening criteria that individuals accessing a system processing, storing, or transmitting information requiring protection must satisfy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-3 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003022">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period within which to disable system access upon termination of individual employment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003023">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Upon termination of individual employment, terminate or revoke any authenticators and credentials associated with the individual.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003024">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines information security topics to be discussed while conducting exit interviews.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003025">
- <status>draft</status>
- <publishdate>2013-09-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines personnel or roles to notify upon termination of individual employment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003026">
- <status>draft</status>
- <publishdate>2013-09-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the time period within which to notify organization-defined personnel or roles upon termination of individual employment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003027">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003028">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003029">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined automated mechanisms to notify organization-defined personnel or roles of individual termination actions; and/or disable access to system resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003030">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be notified by automated mechanism of individual termination actions, and/or disable access to system resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003031">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003032">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify organization-defined personnel or roles within an organization-defined time period when individuals are transferred or reassigned to other positions within the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003033">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines personnel or roles to be notified when individuals are transferred or reassigned to other positions within the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003034">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period within which organization-defined personnel or roles are to be notified when individuals are transferred or reassigned to other positions within the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003035">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document access agreements for organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003036">
- <status>draft</status>
- <publishdate>2013-09-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003037">
- <status>draft</status>
- <publishdate>2013-09-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency for individuals requiring access to organization information and information systems to re-sign access agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003038">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003039">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require individuals to sign an acknowledgement of legally binding post-employment requirements for protection of organizational information, if applicable, as part of granting initial access to covered information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-6 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003040">
- <status>draft</status>
- <publishdate>2013-09-12</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003041">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require external providers to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-7 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-7 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003042">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines personnel or roles whom external providers are to notify when external personnel who possess organizational credentials and /or badges or who have system privileges are transferred or terminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-7 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-7 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003043">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for external providers to notify organization-defined personnel or roles when external personnel who possess organizational credentials and/or badges, or who have system privileges are transferred or terminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-7 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-7 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003044">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003045">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines personnel or roles who are to be notified when a formal employee sanctions process is initiated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003046">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period within which to notify organization-defined personnel or roles when a formal employee sanctions process is initiated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PS-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003047">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the planning policy is disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003048">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the planning procedures are disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003049">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003050">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that are consistent with the organization's enterprise architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003051">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that explicitly defines the authorization boundary for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003052">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that describes the operational context of the system in terms of missions and business processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003053">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that provide the security categorization of the system, including supporting rationale.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003054">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that describe the operational environment for the system and any dependencies on or connections to, other systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 5" />
- </references>
- </cci_item>
- <cci_item id="CCI-003055">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that provide an overview of the security and privacy requirements for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 10" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003056">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that identify any relevant control baselines or overlays, if applicable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 11" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 7" />
- </references>
- </cci_item>
- <cci_item id="CCI-003057">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 12" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 a 8" />
- </references>
- </cci_item>
- <cci_item id="CCI-003058">
- <status>deprecated</status>
- <publishdate>2013-09-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization distributes copies of the security plan to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003059">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distribute copies of the plans to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003060">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom copies of the plans are distributed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003061">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Communicate subsequent changes to the plans to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003062">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom changes to the plans are communicated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003063">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the plans from unauthorized disclosure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003064">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the plans from unauthorized modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003065">
- <status>draft</status>
- <publishdate>2013-09-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003066">
- <status>deprecated</status>
- <publishdate>2013-09-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the individuals or groups with whom security-related activities are planned and coordinated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003067">
- <status>draft</status>
- <publishdate>2013-09-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the individuals or groups with whom security-related activities are planned and coordinated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003068">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the rules of behavior in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003069">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the rules of behavior.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003070">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge, on an organization-defined frequency, and/or when the rules of behavior are revised or updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003071">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a security Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-7 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003072">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security architectures for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003073">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security architectures for the system that describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003074">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security architectures for the system that describe how the architectures are integrated into and support the enterprise architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003075">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security architectures for the system that describe any assumptions about, and dependencies on, external systems and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a 4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003076">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the architectures in accordance with organization-defined frequency to reflect updates in the enterprise architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003077">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and update the system architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003078">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reflect planned security architecture changes in the security plans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003079">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reflect planned security architecture changes in the security Concept of Operations (CONOPS).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003080">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reflect planned security architecture changes in the security organizational procurements and acquisitions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003081">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Design the security architecture for the system using a defense-in-depth approach that allocates organization-defined controls to organization-defined locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003082">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Design the security architecture for the system using a defense-in-depth approach that allocates organization-defined controls to organization-defined architectural layers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003083">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be allocated to organization-defined locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003084">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be allocated to organization-defined architectural layers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003085">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the locations to which the system allocates organization-defined controls in the security architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003086">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the architectural layers to which the system allocates organization-defined controls in the security architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003087">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Design the security architecture for the system using a defense-in-depth approach that ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003088">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that organization-defined controls allocated to organization-defined locations and architectural layers be obtained from different suppliers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003089">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organization-level; mission/business process-level; and/or system-level system and services acquisition policy is disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 a 1 (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003090">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003091">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine the high-level information security requirements for the system or system service in mission and business process planning.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-2 a " />
- </references>
- </cci_item>
- <cci_item id="CCI-003092">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a system development life cycle that is used to manage the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003093">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate the organizational information security risk management process into system development life cycle activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003094">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the security functional requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003095">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the strength of mechanism requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003096">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the security assurance requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003097">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the security documentation requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003098">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the requirements for protecting security documentation, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 f" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003099">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the description of the system development environment and environment in which the system is intended to operate, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 g" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003100">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the acceptance criteria, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 i" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-003101">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide design information for the controls that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined design information at an organization-defined level of detail.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003102">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide implementation information for the controls that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined implementation information at an organization-defined level of detail.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003103">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the design information that the developer of the system, system component, or system service is required to provide for the controls to be designed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003104">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the implementation information that the developer of the system, system component, or system service is required to provide for the security controls to be implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003105">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the level of detail for the design information of the controls that is required to be provided by the developer of the information system, system component, or information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003106">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the level of detail for the implementation information of the security controls that is required to be provided by the developer of the information system, system component, or information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003107">
- <status>draft</status>
- <publishdate>2013-09-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003108">
- <status>draft</status>
- <publishdate>2013-09-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes that the developer of the information system, system component, or information system service is required to include when demonstrating the use of a system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003109">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to deliver the system, component, or service with organization-defined security configurations implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003110">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security configurations required to be implemented when the developer delivers the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003111">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Requires the developer of the system, system component, or system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (5) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003112">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003113">
- <status>draft</status>
- <publishdate>2013-09-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the level of detail to be contained in the plan for the continuous monitoring of security control effectiveness that the developer of the information system, system component, or information system services is required to produce.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003114">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (9)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003115">
- <status>deprecated</status>
- <publishdate>2013-09-23</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003116">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003117">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Centrally manage organization-defined controls and related processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-003118">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls and related processes to be centrally managed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-9" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="PL-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-003119">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a technical surveillance countermeasures survey at organization-defined locations on an organization-defined frequency or when organization-defined events or indicators occur.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003120">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the locations where technical surveillance countermeasures surveys are to be employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003121">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which to employ technical surveillance countermeasures surveys.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003122">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events or indicators upon which technical surveillance countermeasures surveys are to be employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-6" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="RA-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003123">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="MA-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003124">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop administrator documentation for the system, system component, or system service that describes secure configuration of the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003125">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop administrator documentation for the system, system component, or system service that describes secure installation of the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003126">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop administrator documentation for the system, system component, or system service that describes secure operation of the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003127">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop administrator documentation for the system, system component, or system services that describes effective use and maintenance of security functions and mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003128">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding configuration and use of administrative or privileged functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003129">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms and how to effectively use those functions and mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 b 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003130">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop user documentation for the system, system component, or system service that describes methods for user interaction which enables individuals to use the system, component, or service in a more secure manner.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 b 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003131">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop user documentation for the system, system component, or system service that describes user responsibilities in maintaining the security of the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 b 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 b 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003132">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take organization-defined actions in response to attempts to obtain either unavailable or nonexistent documentation for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003133">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines actions to be taken in response to attempts to obtain either unavailable or nonexistent documentation for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003134">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization protects information system, system component, or information system service documentation as required, in accordance with the risk management strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003135">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distribute system, system component, or system service documentation to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003136">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom system, system component, or system service documentation is to be distributed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003137">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security controls that providers of external information system services employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003138">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003139">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines processes, methods, and techniques to employ to monitor control compliance by external service providers on an ongoing basis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003140">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003141">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003142">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles authorized to approve the acquisition or outsourcing of dedicated information security services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003143">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require providers of organization-defined external system services to identify the functions, ports, protocols, and other services required for the use of such services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003144">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external system services for which the providers are required to identify the functions, ports, protocols, and other services required for the use of such services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003145">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003146">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003147">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003148">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines security requirements, properties, factors, or conditions defining acceptable trust relationships with external service providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003149">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take organization-defined actions to verify that the interests of organization-defined external service providers are consistent with and reflect organizational interests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003150">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the actions taken to verify that the interests of organization-defined external service providers are consistent with and reflect organizational interests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003151">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines external service providers whose interests are consistent with and reflect organizational interests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003152">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the location of information processing, information or data, and/or system services to organization-defined locations based on organization-defined requirements or conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003153">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the locations for which to restrict information processing, information or data, and/or system services based on organization-defined requirements or conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003154">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the requirements or conditions on which to base restricting the location of information processing, information or data, and/or system services to organization-defined locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-9 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003155">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform configuration management during system, component, or service design, development, implementation, operation and/or disposal.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003156">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to document the integrity of changes to organization-defined configuration items under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003157">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to manage the integrity of changes to organization-defined configuration items under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003158">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to control the integrity of changes to organization-defined configuration items under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003159">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the configuration items under configuration management that require the integrity of changes to be documented, managed and controlled.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003160">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to document the potential security impacts of approved changes to the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003161">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to track security flaws within the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003162">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to track flaw resolution within the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003163">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to report findings of security flaws and flaw resolution within the system, component, or service to organization-defined personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003164">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel to whom security flaw findings and flaw resolution within the system, component, or service are reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003165">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to enable integrity verification of hardware components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (3)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003166">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003167">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of source code with previous versions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003168">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of object code with previous versions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003169">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003170">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-10 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003171">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to develop a plan for ongoing security control assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003172">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to implement a plan for ongoing security control assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003173">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to perform unit, integration, system, and/or regression testing/evaluation on an organization-defined frequency, at an organization-defined depth and coverage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003174">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the depth and coverage at which to perform unit, integration, system, and/or regression testing/evaluation on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003175">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to produce evidence of the execution of the assessment plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003176">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to produce the results of the testing and evaluation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003177">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to implement a verifiable flaw remediation process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 d" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003178">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to correct flaws identified during testing/evaluation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 e" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003179">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003180">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to document the results of static code analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (1)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003181">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003182">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analysis during subsequent testing and evaluation of the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003183">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer security assessment plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003184">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require an independent agent satisfying organization-defined independence criteria to verify the evidence produced during security testing and evaluation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003185">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing and evaluation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003186">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003187">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003188">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the specific code for which the developer of the system, system component, or system service is required to perform a manual code review using organization-defined process, procedures, and/or techniques.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003189">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the processes, procedures, and/or techniques to be used by the developer of the system, system component, or system service to perform a manual code review of organization-defined specific code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (4)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003190">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the developer of the information system, system component, or information system service to perform penetration testing at an organization-defined breadth/depth and with organization-defined constraints.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003191">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the breadth and depth at which the developer of the system, system component, or system service is required to perform penetration testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003192">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the constraints on penetration testing performed by the developer of the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (5) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003193">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform attack surface reviews.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003194">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of required controls at an organization-defined depth of testing and evaluation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003195">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the depth of testing and evaluation to which the developer of the system, system component, or system service is required to verify that the scope of security testing and evaluation provides complete coverage of the required controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003196">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003197">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to document the results of the dynamic code analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-11 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003198">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003199">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines tailored acquisition strategies, contract tools, and procurement methods to employ for the purchase of the information system, system component, or information system service from suppliers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003200">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003201">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined security safeguards to limit harm from potential adversaries identifying and targeting the organizational supply chain.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003202">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines security safeguards to employ to limit harm from potential adversaries identifying and targeting the organizational supply chain.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003203">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003204">
- <status>deprecated</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003205">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003206">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined Operations Security (OPSEC) safeguards in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003207">
- <status>deprecated</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003208">
- <status>deprecated</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003209">
- <status>deprecated</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003210">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003211">
- <status>deprecated</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003212">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined security safeguards to validate that the information system or system component received is genuine and has not been altered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003213">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003214">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003215">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003216">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes inter-organizational agreements with entities involved in the supply chain for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003217">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes inter-organizational procedures with entities involved in the supply chain for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003218">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs organization-defined security safeguards to ensure an adequate supply of organization-defined critical information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003219">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the security safeguards to be employed to ensure an adequate supply of organization-defined critical information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003220">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the critical information system components for which organization-defined security safeguards are employed to ensure adequate supply.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003221">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003222">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization retains unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003223">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003224">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-12 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003225">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes the trustworthiness required in the organization-defined information system, information system component, or information system service supporting its critical missions/business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-13 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003226">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-13 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003227">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements an organization-defined assurance overlay to achieve trustworthiness required to support its critical missions/business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-13 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003228">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines an assurance overlay to be implemented to achieve trustworthiness required to support its critical missions/business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-13 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003229">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies critical information system components by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-003230">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies critical information system functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-003231">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-003232">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components, or information system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-003233">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15" />
- </references>
- </cci_item>
- <cci_item id="CCI-003234">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process that explicitly addresses security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a 1" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003235">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process that identifies the standards used in the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003236">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process that identifies the tools used in the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a 2" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003237">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process that documents the specific tool options and tool configurations used in the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a 3" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003238">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process that documents changes to the process and/or tools used in development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a 4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003239">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process that manages changes to the process and/or tools used in development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a 4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003240">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process that ensures the integrity of changes to the process and/or tools used in development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a 4" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003241">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003242">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the development standards in accordance with organization-defined frequency to determine if the development standards selected and employed can satisfy organization-defined security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003243">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the development tools in accordance with organization-defined frequency to determine if the development tools selected and employed can satisfy organization-defined security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003244">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the development tool options/configurations in accordance with organization-defined frequency to determine if the development tool options and tool configurations selected and employed can satisfy organization-defined security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003245">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which to review the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options and tool configurations selected and employed can satisfy organization-defined security requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003246">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options and tool configurations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003247">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to define quality metrics at the beginning of the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003248">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide evidence of meeting the quality metrics in accordance with organization-defined frequency, organization-defined program review milestones, and/or upon delivery.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003249">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003250">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the program review milestones at which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003251">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to select a security tracking tool for use during the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003252">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ a security tracking tool for use during the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (2)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003253">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at an organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003254">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the breadth/depth of criticality analysis at which the developer of the system, system component, or system service is required to perform a criticality analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003255">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines decision points in the system development life cycle at which the developer of the system, system component, or system service is required to perform a criticality analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003256">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that developers perform threat modeling for the information system at an organization-defined breadth/depth.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003257">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that developers perform a vulnerability analysis for the information system at an organization-defined breadth/depth.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003258">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the breadth/depth at which threat modeling for the information system must be performed by developers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003259">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the breadth/depth at which vulnerability analysis for the information system must be performed by developers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003260">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>Threat modeling performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003261">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>Vulnerability analysis performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003262">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform threat modeling for the information system by the developer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003263">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform a vulnerability analysis for the information system by the developer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003264">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the threat modeling performed by the developers employ organization-defined tools and methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003265">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the vulnerability analysis performed by the developers employ organization-defined tools and methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003266">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines tools and methods to be employed to perform threat modeling for the information system by the developer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003267">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines tools and methods to be employed to perform a vulnerability analysis for the information system by the developer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003268">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that developers performing threat modeling for the information system produce evidence that meets organization-defined acceptance criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003269">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires that developers performing vulnerability analysis for the information system produce evidence that meets organization-defined acceptance criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003270">
- <status>draft</status>
- <publishdate>2013-09-30</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the acceptance criteria that must be met when threat modeling of the information system is performed by the developer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003271">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the acceptance criteria that must be met when vulnerability analysis of the information system is performed by the developer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003272">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to reduce attack surfaces to organization-defined thresholds.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003273">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the thresholds to which the developer of the system, system component, or system service is required to reduce attack surfaces.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (5)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003274">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003275">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system services, on an organization-defined frequency, to perform an automated vulnerability analysis using organization-defined tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003276">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the tools the developer of the system, system component, or system services uses to perform an automated vulnerability analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003277">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system services, on an organization-defined frequency, to determine the exploitation potential for discovered vulnerabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003278">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system services, on an organization-defined frequency, to determine potential risk mitigations for delivered vulnerabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (7) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003279">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system services, on an organization-defined frequency, to deliver the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (7) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003280">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the outputs of the tools and results of the vulnerability analysis are delivered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (7) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003281">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to use threat modeling from similar systems, components, or services to inform the current development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003282">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to use vulnerability analysis from similar systems, components, or services to inform the current development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (8)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003283">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization approves the use of live data in development environments for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003284">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization approves the use of live data in test environments for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003285">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the use of live data in development environments for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003286">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents the use of live data in test environments for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003287">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls the use of live data in development environments for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003288">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization controls the use of live data in test environments for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003289">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide an incident response plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (10)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003290">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (11)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-15 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003291">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-003292">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the training the developer of the system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-16" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-003293">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a design specification and security architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17" />
- </references>
- </cci_item>
- <cci_item id="CCI-003294">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a design specification and security architecture that is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003295">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a design specification and security architecture that accurately and completely describes the required security functionality.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003296">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a design specification and security architecture that accurately and completely describes the allocation of security controls among physical and logical components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003297">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a design specification and security architecture that expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 c" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003298">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system to produce, as an integral part of the development process, a formal policy model describing the organization-defined elements of organizational security policy to be enforced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003299">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements of organizational security policy to be described in the formal policy model for enforcement on the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (1) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003300">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (1) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003301">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to define security-relevant hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003302">
- <status>deprecated</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003303">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to define security-relevant software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003304">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to define security-relevant firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (2) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003305">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide a rationale that the definition for security-relevant hardware is complete.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003306">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide a rationale that the definition for security-relevant software is complete.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003307">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide a rationale that the definition for security-relevant firmware is complete.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (2) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003308">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003309">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003310">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003311">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003312">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003313">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003314">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003315">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003316">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show that the formal top-level specification is an accurate description of the implemented security-relevant software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003317">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show that the formal top-level specification is an accurate description of the implemented security-relevant firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003318">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to describe the security-relevant hardware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003319">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to describe the security-relevant software mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003320">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (3) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (3) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003321">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003322">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003323">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003324">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show via informal demonstration or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003325">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003326">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003327">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (c)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003328">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003329">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003330">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (d)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003331">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to describe the security-relevant hardware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003332">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to describe the security-relevant software mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant software.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003333">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to describe the security-relevant firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (4) (e)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (4) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003334">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to design and structure the security-relevant hardware to use a complete, conceptually simple protection mechanism with precisely defined semantics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003335">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to design and structure the security-relevant software to use a complete, conceptually simple protection mechanism with precisely defined semantics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003336">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to design and structure the security-relevant firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (5) (a)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003337">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to internally structure the security-relevant hardware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (5) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003338">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to internally structure the security-relevant software with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (5) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003339">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to internally structure the security-relevant firmware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (5) (b)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003340">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, component, or system service to structure security-relevant hardware to facilitate testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003341">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, component, or system service to structure security-relevant software to facilitate testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003342">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, component, or system service to structure security-relevant firmware to facilitate testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (6)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003343">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, component, or system service to structure security-relevant hardware to facilitate controlling access with least privilege.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003344">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, component, or system service to structure security-relevant software to facilitate controlling access with least privilege.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003345">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, component, or system service to structure security-relevant firmware to facilitate controlling access with least privilege.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (7)" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-17 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003346">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a tamper protection program for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18" />
- </references>
- </cci_item>
- <cci_item id="CCI-003347">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003348">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including development.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003349">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including integration.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003350">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003351">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003352">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization inspects organization-defined information systems, system components, or devices at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003353">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information systems, system components, or devices to inspect at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003354">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which to inspect organization-defined information systems, system components, or devices to detect tampering.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003355">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines indications of need for inspection to detect tampering during inspections of organization-defined information systems, system components, or devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003356">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003357">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003358">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003359">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003360">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003361">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003362">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003363">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003364">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization reports counterfeit information system components to the source of the counterfeit component, organization-defined external reporting organizations, and/or organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003365">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the external reporting organizations to which counterfeit information system components are to be reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003366">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the personnel or roles to whom counterfeit information system components are to be reported.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003367">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization trains organization-defined personnel or roles to detect counterfeit information system components (including hardware, software, and firmware).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003368">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the personnel or roles to be trained to detect counterfeit information system components (including hardware, software, and firmware).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003369">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains configuration control over organization-defined information system components awaiting service/repair.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003370">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the information system components awaiting service/repair over which configuration control must be maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003371">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains configuration control over serviced/repaired components awaiting return to service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003372">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define the support from external providers to be provided for alternative sources for continued support for unsupported system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-22 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-22 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003373">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide in-house support and/or organization-defined support from external providers for alternative sources for continued support for unsupported components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-22 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-22 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003374">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents approval for the continued use of unsupported system components required to satisfy mission/business needs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-22 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003375">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides justification for the continued use of unsupported system components required to satisfy mission/business needs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-22 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003376">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-22 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-22 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003377">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the actions the developer of the information system, system component, or information system service must take to ensure the required screening criteria are satisfied.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003378">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the actions the developer of the information system, system component, or information system service must take to ensure the required access authorizations are satisfied.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003379">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the developer of the information system, system component, or information system service take organization-defined actions to ensure the required screening criteria are satisfied.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003380">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requires the developer of the information system, system component, or information system service take organization-defined actions to ensure the required access authorizations are satisfied.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003381">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines additional personnel screening criteria that must be satisfied by the developer of an organization-defined system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-21 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003382">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the developer of an organization-defined information system, system component, or information system service satisfies organization-defined additional personnel screening criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-21 b" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003383">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official government duties to be assigned to the developer of an organization-defined system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-21 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003384">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system, system component, or system service which requires the system developer to have appropriate access authorizations, satisfy additional personnel screening criteria, and provide information that the access authorizations and screening criteria are satisfied.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-21" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 " />
- </references>
- </cci_item>
- <cci_item id="CCI-003385">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the developer of an organization-defined system, system component, or system service has appropriate access authorizations as determined by assigned organization-defined official government duties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-21 a" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-21 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003386">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the critical system components to re-implement or custom develop.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-20" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-20" />
- </references>
- </cci_item>
- <cci_item id="CCI-003387">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Re-implement or custom develops organization-defined critical system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-20" />
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-20" />
- </references>
- </cci_item>
- <cci_item id="CCI-003388">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which to scan for counterfeit information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003389">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization scans for counterfeit information system components in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003390">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the techniques and methods used to dispose of information system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003391">
- <status>draft</status>
- <publishdate>2013-10-03</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disposes of information system components using organization-defined techniques and methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SA-19 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003392">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization determines and documents the legal authority that permits the collection of personally identifiable information (PII), either generally or in support of a specific program or information system need.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AP-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003393">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization determines and documents the legal authority that permits the use of personally identifiable information (PII), either generally or in support of a specific program or information system need.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AP-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003394">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization determines and documents the legal authority that permits the maintenance of personally identifiable information (PII), either generally or in support of a specific program or information system need.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AP-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003395">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization determines and documents the legal authority that permits the sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AP-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003396">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is collected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AP-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003397">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003398">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is used.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AP-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003399">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AP-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003400">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is shared.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AP-2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003401">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors federal privacy laws and policy for changes that affect the privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003402">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the allocation of budget resources sufficient to implement and operate the organization-wide privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003403">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the allocation of staffing resources sufficient to implement and operate the organization-wide privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003404">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization allocates sufficient organization-defined budget resources to implement and operate the organization-wide privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003405">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization allocates sufficient organization-defined staffing resources to implement and operate the organization-wide privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003406">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003407">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003408">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003409">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003410">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003411">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003412">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003413">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency, minimally biennially, on which the privacy plan, policies, and procedures are to be updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003414">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the privacy plan per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003415">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the privacy policies per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003416">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates the privacy procedures per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-1 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003417">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents a privacy risk management process which assesses the privacy risk to individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003418">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a privacy risk management process which assesses the privacy risk to individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003419">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's privacy risk management process assesses the privacy risk to individuals resulting from the collection of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003420">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's privacy risk management process assesses the privacy risk to individuals resulting from the sharing of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003421">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's privacy risk management process assesses the privacy risk to individuals resulting from the storing of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003422">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's privacy risk management process assesses the privacy risk to individuals resulting from the transmitting of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003423">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's privacy risk management process assesses the privacy risk to individuals resulting from the use of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003424">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's privacy risk management process assesses the privacy risk to individuals resulting from the disposal of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003425">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003426">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes privacy roles for contractors.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003427">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes privacy responsibilities for contractors.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003428">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes access requirements for contractors.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003429">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes privacy roles for service providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003430">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes privacy responsibilities for service providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003431">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes access requirements for service providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003432">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes privacy requirements in contracts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003433">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes privacy requirements in other acquisition-related documents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003434">
- <status>deprecated</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency for monitoring privacy controls and internal privacy policy to ensure effective implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003435">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency for auditing privacy controls and internal privacy policy to ensure effective implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003436">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors privacy controls, per organization-defined frequency, to ensure effective implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003437">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors internal privacy policy to ensure effective implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003438">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization audits privacy controls, per organization-defined frequency, to ensure effective implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003439">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization audits internal privacy policy, per organization-defined frequency, to ensure effective implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003440">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003441">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003442">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003443">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency, minimally annually, for administering its basic privacy training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003444">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency, minimally annually, for administering the targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003445">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization administers basic privacy training per the organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003446">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization administers, per organization-defined frequency, targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003447">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency, minimally annually, on which personnel certify acceptance of responsibilities for privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003448">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements per organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003449">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops reports for the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003450">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003451">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates reports for the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003452">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003453">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disseminates reports to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003454">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003455">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization designs information systems to support privacy by automating privacy controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-003456">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the date of each disclosure of a record.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-8 a (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003457">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the nature of each disclosure of a record.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-8 a (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003458">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the purpose of each disclosure of a record.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-8 a (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003459">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization keeps an accurate accounting of disclosures of Privacy Act information held in each system of records under its control.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-8 a (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003460">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the name and address of the person or agency to which the disclosure was made.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-8 a (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003461">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003462">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization makes the accounting of disclosures available to the person named in the record upon request.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="AR-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003463">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy of that information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003464">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the relevancy of that information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003465">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the timeliness of that information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003466">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the completeness of that information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003467">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization collects personally identifiable information (PII) directly from the individual to the greatest extent practicable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003468">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will check for, and correct as necessary, inaccurate or outdated personally identifiable information (PII) used by its programs or systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003469">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization checks for, and corrects as necessary, any inaccurate or outdated personally identifiable information (PII) used by its programs or systems on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003470">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues guidelines ensuring the quality of disseminated Privacy Act information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003471">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues guidelines ensuring the utility of disseminated Privacy Act information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003472">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues guidelines ensuring the objectivity of disseminated Privacy Act information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003473">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues guidelines ensuring the integrity of disseminated Privacy Act information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003474">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues guidelines maximizing the quality of disseminated Privacy Act information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003475">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues guidelines maximizing the utility of disseminated Privacy Act information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003476">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues guidelines maximizing the objectivity of disseminated Privacy Act information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003477">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization issues guidelines maximizing the integrity of disseminated Privacy Act information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003478">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization requests the individual or individual's authorized representative validate personally identifiable information (PII) during the collection process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003479">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will request the individual, or individual's authorized representative, revalidate that personally identifiable information (PII) collected is still accurate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003480">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>On an organization-defined frequency, the organization requests the individual, or individual's authorized representative, revalidate that personally identifiable information (PII) collected is still accurate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-1 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003481">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003482">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, when appropriate, establishes a Data Integrity Board.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003483">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's Data Integrity Board oversees the organizational Computer Matching Agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003484">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization's Data Integrity Board ensures the Computer Matching Agreements comply with the computer matching provisions of the Privacy Act.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003485">
- <status>draft</status>
- <publishdate>2013-11-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization publishes Computer Matching Agreements on its public website.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DI-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003486">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003487">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization limits the collection and retention of personally identifiable information (PII) to the minimum elements identified for the purposes described in the published privacy notice.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003488">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization limits the collection and retention of personally identifiable information (PII) to the minimum elements identified for the purposes which the individual has provided consent.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003489">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency, minimally annually, for conducting reviews of its personally identifiable information (PII) holdings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003490">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization conducts an initial evaluation of personally identifiable information (PII) holdings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003491">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure that only PII identified in the notice is collected and retained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003492">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization follows a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure that only PII identified in the notice is collected and retained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003493">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure the PII continues to be necessary to accomplish the legally authorized purpose.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003494">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization follows a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure the PII continues to be necessary to accomplish the legally authorized purpose.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003495">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible and within the limits of technology, locates and removes/redacts specified personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003496">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible and within the limits of technology, uses anonymization and de-identification techniques to permit use of the retained Privacy Act information while reducing its sensitivity and reducing the risk resulting from disclosure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-1 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003497">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the time period for retaining each collection of personally identifiable information (PII) that is required to fulfill the purpose(s) identified in the published privacy notice or required by law.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003498">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization retains each collection of personally identifiable information (PII) for the organization-defined time period to fulfill the purpose(s) identified in the published privacy notice or as required by law.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003499">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disposes of, destroys, erases, and/or anonymizes the personally identifiable information (PII), regardless of the method of storage, in accordance with a NARA-approved record retention schedule.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003500">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization disposes of, destroys, erases, and/or anonymizes the personally identifiable information (PII), regardless of the method of storage, in a manner that prevents loss, theft, misuse, or unauthorized access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003501">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the techniques or methods to be employed to ensure the secure deletion or destruction of personally identifiable information (PII) (including originals, copies, and archived records).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003502">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses organization-defined techniques or methods to ensure secure deletion or destruction of personally identifiable information (PII) (including originals, copies, and archived records).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003503">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is collected, created, or updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003504">
- <status>deprecated</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is created.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003505">
- <status>deprecated</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003506">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible, configures its information systems to record when personally identifiable information (PII) is to be deleted or archived under an approved record retention schedule.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003507">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops policies that minimize the use of personally identifiable information (PII) for testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003508">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops policies that minimize the use of personally identifiable information (PII) for training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003509">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops policies that minimize the use of personally identifiable information (PII) for research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003510">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops procedures that minimize the use of personally identifiable information (PII) for testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003511">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops procedures that minimize the use of personally identifiable information (PII) for training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003512">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops procedures that minimize the use of personally identifiable information (PII) for research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003513">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements controls to protect personally identifiable information (PII) used for testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003514">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements controls to protect personally identifiable information (PII) used for training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003515">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements controls to protect personally identifiable information (PII) used for research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003516">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003517">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003518">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="DM-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003519">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides means, where feasible and appropriate, for individuals to authorize the collection of personally identifiable information (PII) prior to its collection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003520">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides means, where feasible and appropriate, for individuals to authorize the use of personally identifiable information (PII) prior to its collection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003521">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides means, where feasible and appropriate, for individuals to authorize the maintaining of personally identifiable information (PII) prior to its collection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003522">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor />
- <definition>The organization provides means, where feasible and appropriate, for individuals to authorize sharing of personally identifiable information (PII) prior to its collection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003523">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003524">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the use of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003525">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the dissemination of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003526">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the retention of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003527">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003528">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that individuals are aware of all uses of personally identifiable information (PII) not initially described in the public notice that was in effect at the time the organization collected the PII.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003529">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures that individuals, where feasible, consent to all uses of personally identifiable information (PII) not initially described in the public notice that was in effect at the time the organization collected the PII.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003530">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements mechanisms to support itemized or tiered consent for specific uses of personally identifiable information (PII) data.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-1 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003531">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003532">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003533">
- <status>deprecated</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization publishes regulations governing how individuals may request access to records maintained in a Privacy Act system of records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003534">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization publishes access procedures for Privacy Act systems of records in System of Records Notices (SORNs).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003535">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization adheres to Privacy Act requirements for the proper processing of Privacy Act requests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003536">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization adheres to OMB policies and guidance for the proper processing of Privacy Act requests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003537">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003538">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes a process for disseminating corrections or amendments of the personally identifiable information (PII) to other authorized users of the PII, such as external information-sharing partners.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003539">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes a process, where feasible and appropriate, to notify affected individuals that their personally identifiable information (PII) information has been corrected or amended.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003540">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a process for receiving complaints, concerns, or questions from individuals about the organizational privacy practices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003541">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a process for responding to complaints, concerns, or questions from individuals about the organizational privacy practices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003542">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the time period within which it must respond to complaints, concerns, or questions from individuals about the organizational privacy practices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003543">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization responds to complaints, concerns, or questions from individuals about the organizational privacy practices within the organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="IP-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003544">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency on which it will update the inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003545">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003546">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization establishes an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003547">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003548">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization maintains an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003549">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates, per organization-defined frequency, an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003550">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization updates, per organization-defined frequency, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003551">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the frequency for providing each update of the personally identifiable information (PII) inventory to the CIO or information security official.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003552">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides each update of the personally identifiable information (PII) inventory to the CIO or information security official, per organization-defined frequency, to support the establishment of information security requirements for all new or modified information systems containing PII.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003553">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization develops a Privacy Incident Response Plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003554">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization implements a Privacy Incident Response Plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003555">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SE-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003556">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to the public regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003557">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to individuals regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003558">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to the public regarding its authority for collecting personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003559">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to individuals regarding its authority for collecting personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003560">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to the public regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003561">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to individuals regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003562">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to the public regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003563">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to individuals regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003564">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to the public regarding the ability of individuals to access personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003565">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to individuals regarding the ability to access personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003566">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to the public regarding the ability to have personally identifiable information (PII) amended or corrected if necessary.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003567">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides effective notice to individuals regarding the ability to have personally identifiable information (PII) amended or corrected if necessary.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003568">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes the personally identifiable information (PII) the organization collects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003569">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes the purpose(s) for which it collects the personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003570">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes how the organization uses personally identifiable information (PII) internally.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003571">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes whether the organization shares personally identifiable information (PII) with external entities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003572">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes the categories of those external entities with whom personally identifiable information (PII) is shared.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003573">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes the purposes for sharing personally identifiable information (PII) with external entities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003574">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes whether individuals have the ability to consent to specific uses or sharing of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003575">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes how individuals may exercise their consent regarding specific uses or sharing of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003576">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes how individuals may obtain access to personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003577">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization describes how the personally identifiable information (PII) will be protected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003578">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization revises its public notices to reflect changes in practice or policy that affect personally identifiable information (PII), before or as soon as practicable after the change.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003579">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization revises its public notices to reflect changes in practice or policy that impact privacy, before or as soon as practicable after the change.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003580">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization provides real-time notice and/or layered notice when it collects personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-1 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003581">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003582">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization keeps System of Records Notices (SORNs) current.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003583">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization includes Privacy Act Statements on its forms that collect personally identifiable information (PII), or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003584">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization publishes System of Records Notices (SORNs) on its public website.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003585">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures the public has access to information about its privacy activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003586">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures the public is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003587">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization ensures its privacy practices are publicly available through organizational websites or otherwise.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="TR-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003588">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003589">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003590">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the personally identifiable information (PII) covered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003591">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically enumerate the purposes for which the personally identifiable information (PII) may be used.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003592">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization monitors its staff on the authorized sharing of personally identifiable information (PII) with third parties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003593">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization audits its staff on the authorized sharing of personally identifiable information (PII) with third parties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003594">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization trains its staff on the authorized sharing of personally identifiable information (PII) with third parties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003595">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization trains its staff on the consequences of unauthorized use or sharing of personally identifiable information (PII).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003596">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization evaluates any proposed new instances of sharing personally identifiable information (PII) with third parties to assess whether the sharing is authorized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003597">
- <status>draft</status>
- <publishdate>2013-11-08</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization evaluates any proposed new instances of sharing personally identifiable information (PII) with third parties to assess whether additional or new public notice is required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="UL-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003599">
- <status>draft</status>
- <publishdate>2016-06-07</publishdate>
- <contributor>DISA FSO</contributor>
- <definition>The organization defines the individuals or information systems to be the only recipients of organization-defined information, information system components, or devices, by employing organization-defined security safeguards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 4" version="4" location="NIST" index="SC-37 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003601">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level access control policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003602">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003603">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate the organization-level; mission/business process-level; and/or system-level access control policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003604">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level access control policy and the associated access control.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003605">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the access control policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003606">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the access control policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003607">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage the development, documentation, and dissemination of the access control policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003608">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current access control policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003609">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current access control policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003610">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current access control procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003611">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current access control procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003612">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define and document the types of accounts allowed and specifically prohibited for use within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003613">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require organization-defined prerequisites and criteria for group membership.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003614">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require organization-defined prerequisites and criteria for role membership.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003615">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the prerequisites and criteria for group and role membership.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003616">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the attributes (as required) for each account.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 d 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003617">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Create, enable, modify, disable, and remove system accounts in accordance with organization-defined policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003618">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Create, enable, modify, disable, and remove system accounts in accordance with organization-defined criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003619">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Create, enable, modify, disable, and remove system accounts in accordance with organization-defined prerequisites.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003620">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the policy to be employed when creating, enabling, modifying, disabling, and removing information system accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003621">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the prerequisites to be employed when creating, enabling, modifying, disabling, and removing information system accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003622">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the criteria to be employed when creating, enabling, modifying, disabling, and removing information system accounts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003623">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles of whom to notify when accounts are no longer required; when users are terminated or transferred; and when system usage or need-to-know changes for an individual.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-003624">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period of when to notify account managers for each situation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-003625">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the attributes (as required) for each account.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 i 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003626">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Align account management processes with personnel termination and transfer processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 l" />
- </references>
- </cci_item>
- <cci_item id="CCI-003627">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable accounts when the accounts have expired.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003628">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable accounts when the accounts are no longer associated to a user.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003629">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disable accounts when the accounts are in violation of organizational policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003630">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor changes to roles or attributes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (7) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003631">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system accounts that can be dynamically activated.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003632">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Activate organization-defined system accounts dynamically.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003633">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system accounts that can be dynamically managed.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003634">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage organization-defined system accounts dynamically.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003635">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system accounts that can be dynamically deactivated.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003636">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Deactivate organization-defined system accounts dynamically.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003637">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the significant risks that may be discovered requiring disabled accounts of individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-2 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003638">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003639">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003640">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system's components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003641">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (4) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003642">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject that has been granted access to information can change the rules governing access control.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (4) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003643">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organization-defined roles for which it will employ an audited override of automated access control mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003644">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict direct access to data repositories containing organization-defined information types.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003645">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information types of which to restrict direct access to data repositories.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003646">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require applications to assert, as part of the installation process, the access needed to the organization-defined system applications and functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (12) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003647">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organization-defined system applications and functions as required of the applications as part of the installation process.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (12) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003648">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require applications to provide an enforcement mechanism to prevent other-than-asserted access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (12) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003649">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve access changed after initial installations of the application.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (12) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003650">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce attribute-based access control policy over defined subjects and objects based upon organization-defined attributes to assume access permissions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003651">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the attributes to assume access permissions for enforcing attribute-based access control policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003652">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce attribute-based control access over defined subjects and objects based upon organization-defined attributes to assume access permissions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003653">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the attributes to assume access permissions for enforcing attribute-based control access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003654">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide organization-defined mechanisms to enable individuals to have access to the following elements of their personally identifiable information: organization-defined elements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003655">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mechanisms to be provided for access to elements of personally identifiable information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003656">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements of personally identifiable information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003657">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (15) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003658">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mandatory access control policies that are to be enforced over all subjects and objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (15) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003659">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce organization-defined discretionary access control policy over the set of covered subjects and objects specified in the policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (15) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003660">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the discretionary access control policies the system is to enforce over subjects and objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-3 (15) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003661">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy attributes to be used to enforce organization-defined information flow control policies.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003662">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information flow control mechanisms to prevent the bypassing of encrypted information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003663">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce information flow control using organization-defined privacy policy filters as a basis for flow control decisions for organization-defined information flows.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (8) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003664">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce information flow control using block; strip; modify and/or quarantine data after a filter processing failure in accordance with organization-defined security or privacy policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (8) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003665">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security or privacy policy to be enforced using block; strip; modify and/or quarantine data after a filter processing failure.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (8) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003666">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security or privacy policy filters implemented when transferring information between security domains.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003667">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between security domains, modify non-releasable information by implementing organization-defined modification action.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (23)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003668">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the modification action when transferring information between different security domains.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (23)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003669">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, parse incoming data into an internal normalized format.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (24)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003670">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, regenerate the data to be consistent with its intended specification.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (24)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003671">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, sanitize data to minimize delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information in accordance with organization-defined policy.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (25)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003672">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the policy when transferring information between different security domains.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (25)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003673">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (26)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003674">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (27)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003675">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (28)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003676">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, employ content filter orchestration engines to ensure that content filtering mechanisms successfully complete execution without errors.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (29) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003677">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, employ content filter orchestration engines to ensure that content filtering actions occur in the correct order and comply with organization-defined policy.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (29) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003678">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, implement content filtering mechanisms using multiple processes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (30)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003679">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (31)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003680">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (32) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003681">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (32) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003682">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, the process that transfers information between filter pipelines ensures the content associated with the filtering metadata has successfully completed filtering.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (32) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003683">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-4 (32) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003684">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document organization defined duties of individuals requiring separation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003685">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the individuals or roles who authorize access to organization-defined security functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003686">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the individuals or roles who authorize access to organization-defined security-relevant information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-6 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003687">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit the number of unsuccessful biometric logon attempts to an organization-defined number.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003688">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the number of allowed unsuccessful biometric logon attempts.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003689">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allow the use of organization-defined authentication factors that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003690">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the authentication factors after a number of organization-defined consecutive invalid logon attempts have been executed.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003691">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce a limit of organization-defined number consecutive invalid logon attempts through use of the alternative factors by a user during a organization-defined time period.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003692">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the number enforced for logon attempts.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-7 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003693">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Display an explicit message to users indicating that the session will end at an organization-defined time until end of session.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003694">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time until end of session, indicating the session will end.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003695">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the user actions that can be performed on the system without identification or authentication consistent with organizational missions/business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003696">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines privacy attributes having organization-defined types of privacy attribute values which are associated with information in storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003697">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines privacy attributes having organization-defined types of privacy attribute values which are associated with information in process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003698">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines privacy attributes, having organization-defined types of privacy attribute values, which are associated with information in transmission.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003699">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines privacy attribute values associated with organization-defined types of privacy attributes for information in storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003700">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines privacy attribute values associated with organization-defined types of privacy attributes for information in process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003701">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines privacy attribute values associated with organization-defined types of privacy attributes for information in transmission.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003702">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the privacy attribute associations are made with the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003703">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the privacy attribute associations are restrained with the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003704">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish the following permitted organization-defined privacy attributes defined in AC-16a for organization-defined systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003705">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy attributes that are permitted for organization-defined systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003706">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the attribute values or ranges permitted for each of the established privacy attributes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003707">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Audit changes to the attributes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003708">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review organization-defined security attributes for applicability on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003709">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review organization-defined privacy attributes for applicability on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003710">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security and privacy attributes to be reviewed for applicability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003711">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of which the security and privacy attributes will be reviewed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-003712">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Dynamically associate privacy attributes with organization-defined subjects in accordance with organization-defined privacy policies as information is created and combined.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003713">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Dynamically associate privacy attributes with organization-defined objects in accordance with organization-defined privacy policies as information is created and combined.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003714">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy policies to adhere to when dynamically associating security attributes with organization-defined subjects and objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003715">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated privacy attributes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003716">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated privacy attributes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003717">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy attributes for which the association and integrity to organization-defined subjects and objects is maintained.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003718">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the association of organization-defined privacy attributes to organization-defined subjects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003719">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the association of organization-defined privacy attributes to organization-defined objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003720">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the integrity of organization-defined privacy attributes associated with organization-defined subjects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003721">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the integrity of organization-defined privacy attributes associated with organization-defined objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003722">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subjects with which organization-defined privacy attributes may be associated by authorized individuals (or processes acting on behalf of individuals).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003723">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the objects with which organization-defined privacy attributes may be associated by authorized individuals (or processes acting on behalf of individuals).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003724">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003725">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to associate organization-defined privacy attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003726">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to associate organization-defined privacy attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003727">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Displays privacy attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003728">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identifies special dissemination, handling, or distribution instructions for identifying privacy attributes on output.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003729">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identifies human-readable, standard naming conventions for identifying privacy attributes on output.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003730">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy policies to be followed by personnel when associating organization-defined privacy attributes with organization-defined subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003731">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy attributes which are to be associated with organization-defined subjects and objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003732">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the subjects to be associated, and that association maintained, with organization-defined privacy attributes in accordance with organization-defined privacy policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003733">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the objects to be associated, and that association maintained, with organization-defined privacy attributes in accordance with organization-defined privacy policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003734">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to associate organization-defined privacy attributes with organization-defined subjects in accordance with organization-defined privacy policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003735">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to associate organization-defined privacy attributes with organization-defined objects in accordance with organization-defined privacy policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003736">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to maintain the association of organization-defined privacy attributes with organization-defined subjects in accordance with organization-defined privacy policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003737">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require personnel to maintain the association of organization-defined privacy attributes with organization-defined objects in accordance with organization-defined privacy policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003738">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a consistent interpretation of privacy attributes transmitted between distributed system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003739">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques and technologies to be implemented when associating security attributes to information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003740">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the level of assurance to be provided when implementing organization-defined techniques and technologies in associating privacy attributes to information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003741">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined techniques and technologies with an organization-defined level of assurance in associating privacy attributes to information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003742">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Change privacy attributes associated with information are reassigned only via re-grading mechanisms validated using organization-defined techniques or procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003743">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide authorized individuals the capability to define or change the type of privacy attributes available for association with subjects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003744">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide authorized individuals the capability to define or change the value of privacy attributes available for association with subjects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003745">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide authorized individuals the capability to define or change the type of privacy attributes available for association with objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003746">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide authorized individuals the capability to define or change the type of privacy attributes available for association with objects.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-16 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003747">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined mechanisms to authenticate organization-defined remote commands.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003748">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mechanisms used to authenticate organization-defined remote commands.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003749">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the remote commands used for implementing organization-defined mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-17 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003750">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the terms and conditions for accessing the system from external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003751">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls asserted to be implemented on external systems allowing individuals to access the system from external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003752">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the terms and conditions for processing, storing, or transmitting organization-controlled information using external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003753">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls asserted to be implemented on external systems allowing individuals to process, store, or transmit organization-controlled information using external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003754">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of organizationally-defined types of external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003755">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the types of external systems that are prohibited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003756">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization's security policy and security plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003757">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization's privacy policy and privacy plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003758">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the restrictions for the use of organization-controlled portable storage devices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003759">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-20 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003760">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AC-24 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003761">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization level, mission/business process-level, or system-level awareness and training policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003762">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the awareness and training policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003763">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the awareness and training policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003764">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the awareness and training procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003765">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the awareness and training procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003766">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide basic privacy awareness training to system users (including managers, senior executives, and contractors) when required by system changes or following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003767">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined awareness techniques to increase the security awareness of system users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003768">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined awareness techniques to increase the privacy awareness of system users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003769">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the awareness techniques for to increase security and privacy awareness of system uses.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003770">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update literacy training and awareness content on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003771">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update literacy training and awareness content following organization-defined event.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003772">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for updating literacy training and awareness content.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003773">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following updating literacy training and awareness content.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003774">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003775">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide literacy training on recognizing and reporting potential and actual instances of social engineering.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003776">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide literacy training on recognizing and reporting potential and actual instances of social mining.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003777">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide literacy training on recognize suspicious communications and anomalous behavior in organizational systems using organization-defined indicators of malicious code.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003778">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the indicators of malicious code used to recognize suspicious communications and anomalous behavior in organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003779">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide literacy training on the advanced persistent threat.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003780">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide literacy training on the cyber threat environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (6) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003781">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reflect current cyber threat information in system operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 (6) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003782">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the roles and responsibilities of the personnel providing role-based security and privacy training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003783">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide role-based privacy training to personnel with organization-defined roles and responsibilities before authorizing access to the system, information, or performing assigned duties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003784">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide role-based privacy training to personnel with organization-defined roles and responsibilities when required by system changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003785">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update role-based training content on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003786">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of which the role-based training content is updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003787">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update role-based training content following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003788">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following updating role-based training content.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003789">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate lessons learned from internal or external security incidents or breaches into role-based training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003790">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide practical exercises in privacy training that reinforce training objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003791">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for providing training in the employment and operation of personally identifiable information processing and transparency controls to personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003792">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide organization-defined personnel or roles with initial training in the employment and operation of personally identifiable information processing and transparency controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003793">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who are to be provided training in the employment and operation of personally identifiable information processing and transparency controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003794">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document individual privacy training activities, including privacy awareness training and specific system privacy training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003795">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor individual information privacy training activities, including privacy awareness training and specific privacy training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003796">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide feedback on organizational training results to organization-defined personnel on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003797">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of which feedback is provided on organizational training results.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003798">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organizational personnel or roles who provide feedback on organizational training results.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-003799">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level audit and accountability policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003800">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the audit and accountability policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003801">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the audit and accountability policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003802">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the audit and accountability procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003803">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the audit and accountability procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003804">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated for managing the development, documentation, and dissemination of the audit and accountability policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003805">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated for managing the development, documentation, and dissemination of the audit and accountability procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003806">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current audit and accountability policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003807">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current audit and accountability policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003808">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current audit and accountability procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003809">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current audit and accountability procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003810">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the event types selected for logging on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003811">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which the event types selected for logging will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-2 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-003812">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit personally identifiable information contained in audit records to organization-defined elements identified in the privacy risk assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003813">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements identified in the privacy risk assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003814">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period for the alert in the event of an audit process failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003815">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements organization-defined alternate audit logging functionality.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003816">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the alternate audit logging functionality in the event of a failure in primary audit logging capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-5 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003817">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and analyze the potential impact of the organization-defined inappropriate or unusual activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003818">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Adjust the level of audit review and analysis within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003819">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Adjust the level of audit reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003820">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for integrating audit record review, analysis, and reporting processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003821">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the capability to centrally review and analyze audit records from multiple components within the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-6 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003822">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement an audit reduction capability that supports on-demand audit review and analysis.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003823">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement an audit reduction capability that supports on-demand reporting requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003824">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement an audit reduction capability that supports after-the-fact investigations of incidents.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003825">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a report generation capability that supports on-demand audit review and analysis.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003826">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a report generation capability that supports on-demand reporting requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003827">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a report generation capability that supports after-the-fact investigations of incidents.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003828">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement an audit reduction capability that does not alter original content or time ordering of audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003829">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a report generation capability that does not alter original content or time ordering of audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003830">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003831">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003832">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003833">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Store audit information on a component running a different operating system than the system component being audited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-9 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003834">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003835">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability for auditing the parameters of user query events for data sets containing personally identifiable information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003836">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003837">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>If an information disclosure is discovered, notify organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003838">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be notified if an information disclosure is discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003839">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>If an information disclosure is discovered, take organization-defined additional actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003840">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the additional actions to be taken if an information disclosure is discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003841">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor open-source information and information sites using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003842">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for monitoring open-source information.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003843">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-13 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003844">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the capability for organization-defined users or roles to select a user session to record; view; hear; and/or log the content of a user session under organization-defined circumstances.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003845">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines users or roles who will provide and implement the capability to record; view; hear; and/or log the content of a user session under organization-defined circumstances.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003846">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances to record; view; hear; and/or log the content of a user session.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-14 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003847">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-14 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003848">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the capability for authorized users to remotely view and hear content related to an established user session in real time.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AU-14 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003849">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process; system-level assessment, authorization, and monitoring policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003850">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003851">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the assessment, authorization, and monitoring policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003852">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the assessment, authorization, and monitoring procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003853">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the assessment, authorization, and monitoring policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003854">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the assessment, authorization, and monitoring procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003855">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current assessment, authorization, and monitoring policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003856">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current assessment, authorization, and monitoring policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003857">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current assessment and authorization procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003858">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current assessment, authorization, and monitoring procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003859">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Select the appropriate assessor or assessment team for the type of assessment to be conducted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003860">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003861">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assess the controls in the systems and its environment of operation on an organization-defined frequency, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003862">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve and manage the exchange of information between the system and other systems using interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreement; and/or nondisclosure agreements with an organization-defined type of agreement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003863">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document, as part of each exchange agreement, the privacy requirements, controls and responsibilities for each system, and the impact level of the information communicated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003864">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003865">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003866">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-3 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003867">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms to ensure the accuracy, currency, and availability of the plan of actions and milestones.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003868">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003869">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the authorizing official accepts the use of common controls inherited by the system, before commencing operations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003870">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003871">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003872">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003873">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring in accordance with the organization-level continuous monitoring strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-003874">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system-level metrics to be monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003875">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined frequencies for assessment of control effectiveness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003876">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequencies for monitoring of control effectiveness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003877">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequencies for assessment of control effectiveness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003878">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop ongoing control assessments in accordance with the continuous monitoring strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003879">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a continuous monitoring program that includes reporting the privacy status to organization-defined personnel or roles on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-003880">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to report the privacy status to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-003881">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes effectiveness monitoring.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003882">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes compliance monitoring.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003883">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes change monitoring.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (4) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003884">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined actions to validate that policies are established.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003885">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined actions to validate that implemented controls are operating in a consistent manner.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003886">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the actions used to validate policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003887">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the accuracy, currency, and availability of monitoring results for the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003888">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for ensuring accuracy, currency, and availability of monitoring results.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003889">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a penetration testing process, on an organization-defined frequency, that includes announced or unannounced attempts to bypass or circumvent controls associated with physical access points to the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003890">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency the penetration testing process will be employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003891">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document, for each internal connection, the privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003892">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Terminate internal system connections after organization-defined conditions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003893">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions for terminating internal system connections.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003894">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review on an organization-defined frequency the continued need for each internal connection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003895">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing each internal connection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003896">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform privacy compliance checks on constituent components prior to the establishment of the internal connection.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CA-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003897">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level configuration management policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003898">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official to manage the development, documentation, and dissemination of the configuration management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003899">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the configuration management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003900">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the configuration management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003901">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official to manage the development, documentation, and dissemination of the configuration management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003902">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the configuration management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003903">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the configuration management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003904">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the configuration management policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003905">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events for when the policy will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003906">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update, on an organization-defined frequency, the current configuration management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003907">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the configuration management procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003908">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events for when the procedures will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003909">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document, under configuration control, a current baseline configuration of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003910">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the baseline configuration of the system when system components are installed or upgraded.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 b 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003911">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for maintaining the currency, completeness, accuracy, and availability of the baseline configuration of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003912">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve or disapprove configuration-controlled changes to the system, with explicit consideration for privacy impact analyses.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003913">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for documenting proposed changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003914">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for notifying approval authorities of proposed changes to the system and request change proposal.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003915">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for highlighting proposed changes to the system that have not been approved or disapproved within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003916">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for prohibiting changes to the system until designated approvals are received.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003917">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for documenting all changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003918">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for notifying organization-defined personnel when approved changes to the system are completed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (1) (f)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003919">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms to implement changes to the current system baseline.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003920">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms to deploy the updated baselines across the installed base.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003921">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require an organization-defined privacy representative to be a member of the organization-defined configuration change control element.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003922">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security representatives required to be members of the configuration change control element.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003923">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy representatives required to be members of the configuration change control element.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003924">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the configuration change control element required for security and privacy representatives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003925">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review changes to the system on an organization-defined frequency or when there are organization-defined circumstances to determine whether unauthorized changes have occurred.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003926">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003927">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances for determining whether unauthorized changes to the system have occurred.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003928">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent or restrict changes to the configuration of the system under organization-defined circumstances.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003929">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances for preventing or restricting changes to the configuration of the system.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003930">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze changes to the system to determine potential privacy impacts prior to change implementation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003931">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When analyzing changes to the system, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003932">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>After system changes, verify that the impacted controls are implemented correctly, meeting the privacy requirements for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003933">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>After system changes, verify that the impacted controls are operating as intended, meeting the privacy requirements for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003934">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>After system changes, verify that the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003935">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define and document physical access restrictions associated with changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-003936">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define and document logical access restrictions associated with changes to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-003937">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms to enforce access restrictions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003938">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically generate audit records of the enforcement actions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003939">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review and reevaluate system privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003940">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and reevaluate system privileges per an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-5 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003941">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using organization-defined common secure configurations.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003942">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the common secure configurations for establishing and documenting configuration settings within the system, that reflect the most restrictive mode consistent with operational requirements.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003943">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor changes to the configuration settings in accordance with organizational policies.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003944">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor changes to the configuration settings in accordance with organizational procedures.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003945">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control changes to the configuration settings in accordance with organizational policies.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003946">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control changes to the configuration settings in accordance with organizational procedures.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003947">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for managing, applying, and verifying configuration settings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003948">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mission essential capabilities for configuring the system.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003949">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that organization-defined user-installed software in a confined physical or virtual machine environment with limited privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003950">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the user-installed software required for executing in a confined physical or virtual machine environment with limited privileges.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003951">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of organization-defined personnel or roles when such code is obtained from sources with limited or no warranty.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003952">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who allow execution of binary or machine-executable code only in confined physical or virtual machine environments when such code is obtained from sources with limited or no warranty.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003953">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of organization-defined personnel or roles when such code is without the provision of source code.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003954">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who allow execution of binary or machine-executable code only in confined physical or virtual machine environments when such code is without the provision of source code.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003955">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (8) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003956">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (8) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003957">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify organization-defined hardware components authorized for system use.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003958">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the hardware components to be identified for authorized system use.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (9) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003959">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the use or connection of unauthorized hardware components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (9) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003960">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the list of authorized hardware components on an organization-defined frequency.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (9) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003961">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency the hardware components are reviewed and updated.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-7 (9) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003962">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an inventory of system components that accurately reflects the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-003963">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an inventory of system components that includes all components within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-003964">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an inventory of system components that does not include duplicate accounting of components or components assigned to any other system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-003965">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an inventory of system components that is at the level of granularity deemed necessary for tracking.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003966">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an inventory of system components that is at the level of granularity deemed necessary for reporting.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-003967">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an inventory of system components that includes organization-defined information deemed necessary to achieve effective system component accountability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 a 5" />
- </references>
- </cci_item>
- <cci_item id="CCI-003968">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for maintaining the currency, completeness, accuracy, and availability of the inventory of the system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003969">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for detecting the presence of unauthorized hardware, software, and firmware components within the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003970">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for supporting the tracking of system components by geographic location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-8 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003971">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a configuration management plan for the system that addresses roles, responsibilities, and configuration management processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003972">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a configuration management plan for the system that addresses roles, responsibilities, and configuration management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003973">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a configuration management plan for the system that establishes a process for identifying configuration items throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003974">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a configuration management plan for the system that establishes a process for managing the configuration of the configuration items.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003975">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a configuration management plan for the system that defines the configuration items for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003976">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a configuration management plan for the system that places the configuration items under configuration management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003977">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a configuration management plan for the system that is reviewed and approved by organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003978">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles for those who review and approve the configuration management plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003979">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a configuration management plan for the system that is reviewed and approved by organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-9 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-003980">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Allow user installation of software only with explicit privileged status.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003981">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce and monitor compliance with software installation policies using organization-defined automated mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-11 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003982">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document the location of the organization-defined information on which the information is processed and stored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003983">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document the specific system components on which the organization-defined information is processed and stored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003984">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information on which the location and specific system components are processed and stored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-003985">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document the users who have access to the system where the information is processed and stored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003986">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document the users who have access to the system components where the information is processed and stored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003987">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document changes to the location (i.e., system or system components) where the information is processed and stored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-003988">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use automated tools to identify organization-defined information by information type on organization-defined components to ensure adequate controls are in place to protect organizational information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003989">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information by information type for identifying automated tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003990">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components used to ensure controls are in place to protect organizational information and individual privacy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003991">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document a map of system data actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-003992">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-003993">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software and firmware for preventing installation without verification that the component has been digitally signed.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CM-14" />
- </references>
- </cci_item>
- <cci_item id="CCI-003994">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organizational-level; mission/business process-level; and/or system-level contingency planning policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003995">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organizational-level; mission/business process-level; and/or system-level contingency planning policy to organization-defined personnel or roles that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-003996">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage development and documentation of the contingency planning policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003997">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage dissemination of the contingency planning policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003998">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage the development, documentation, and dissemination of the contingency policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-003999">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the contingency planning procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004000">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the contingency procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004001">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage the development, documentation, and dissemination of the contingency procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004002">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current contingency planning policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004003">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events with which to review and update the current contingency planning policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004004">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current contingency planning procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004005">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events with which to review and update the current contingency planning procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004006">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that addresses maintaining essential mission functions despite a system disruption, compromise, or failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004007">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that addresses maintaining essential business functions despite a system disruption, compromise, or failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004008">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a contingency plan for the system that addresses the sharing of contingency information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 a 6" />
- </references>
- </cci_item>
- <cci_item id="CCI-004009">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-2 g" />
- </references>
- </cci_item>
- <cci_item id="CCI-004010">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update contingency training content on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004011">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency the contingency training content will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004012">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update contingency training content following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004013">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events for which the contingency training content will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004014">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms to test the contingency plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004015">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined mechanisms to organization-defined system or system component to disrupt and adversely affect the system or system component.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004016">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mechanisms employed to disrupt and adversely affect the system or system component.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004017">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system or system component used to employ organization-defined mechanisms.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004018">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish an alternate storage site, including necessary agreements to permit the retrieval of system backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004019">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-8 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004020">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components to conduct backups of user level information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004021">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct backups of system documentation, including privacy-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004022">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the confidentiality of backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004023">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect integrity of backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004024">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the availability of backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004025">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004026">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined backup information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004027">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the backup information which is protected by cryptographic mechanisms preventing unauthorized disclosure and modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-9 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004028">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide for the recovery and reconstitution of the system to a known state within an organization-defined time-period consistent with recovery time and recovery point objectives after a disruption, compromise, or failure.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-004029">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time-period consistent with recovery time and recovery point objectives for the recovery and reconstitution of the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-004030">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect system components used for recovery and reconstitution.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="CP-10 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004031">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles the organization-level; mission/business process-level; and/or system-level identification and authorization policy is disseminated to.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004032">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level identification and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination, among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004033">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level identification and authorization policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004034">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document the procedures to facilitate the implementation of the identification and authorization policy and the associated identification and authentication controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004035">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage development and documentation of the identification and authentication policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004036">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage dissemination of the identification and authentication policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004037">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage development and documentation of the identification and authentication procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004038">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage dissemination of the identification and authentication procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004039">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to managing the development, documentation, and dissemination of the identification and authentication policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004040">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to managing the development, documentation, and dissemination of the identification and authentication procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004041">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current identification and authentication policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004042">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current identification and authentication policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004043">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current identification and authentication procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004044">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current identification and authentication procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004045">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require users to be individually authenticated before granting access to the shared accounts or resources.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004046">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (6) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004047">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (6) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004048">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the strength of mechanism requirements for implementing multi-factor authentication.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-2 (6) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004049">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the dynamic identifier policy for managing individual identifiers dynamically.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004050">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Generate pairwise pseudonymous identifiers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004051">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain the attributes for each uniquely identified individual, device, or service in organization-defined protected central storage.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004052">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the protected central storage for maintaining the attributes for each uniquely individual, device or service.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004053">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by establishing administrative procedures for lost/compromised or damaged authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004054">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by implementing administrative procedures for lost/compromised or damaged authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004055">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage system authenticators by changing default authenticators prior to first use.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004056">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events for when to change or refresh authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004057">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for updating commonly used, expected, or compromised passwords, when they are suspected of being compromised directly or indirectly.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004058">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004059">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, update the list of passwords on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004060">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004061">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004062">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004063">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, require immediate selection of a new password upon account recovery.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (e)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004064">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (f)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004065">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (g)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004066">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For password-based authentication, enforce organization-defined composition and complexity rules.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (h)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004067">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the composition and complexity rules to be enforced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (1) (h)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004068">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For public key-based authentication, implement a local cache of revocation data to support path discovery and validation.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (2) (b) (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004069">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the unencrypted static authenticators are not embedded in applications or other forms of static storage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004070">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined external organizations to federate credentials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004071">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external organizations used to federate credentials.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004072">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the binding rules for binding identities and authenticators.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004073">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use only General Services Administration-approved and validated products and services for identity, credential, and access management.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004074">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the issuance of organization-defined types of and/or specific authenticators be conducted in person or by a trusted external party before the organization-defined registration authority with authorization by organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004075">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines types of and/or specific authenticators to be conducted in person or by a trusted external party before the organization-defined registration authority.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004076">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the registration authority who conducts the issuance of organization-defined types of and/or specific authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004077">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who authorize the issuance of organization-defined types of and/or specific authenticators.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004078">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ presentation attack detection mechanisms for biometric-based authentication.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004079">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined password managers to generate and manage passwords.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (18) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004080">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the password managers employed to generate and manage passwords.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (18) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004081">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the passwords using organization-defined controls.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (18) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004082">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls for protecting the passwords.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-5 (18) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004083">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Accept only external credentials that are NIST compliant.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004084">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document and maintain a list of accepted external authenticators.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004085">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conform to organization-defined identity management profiles for identity management.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004086">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the identity management profiles for conforming to the profiles for identity management.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004087">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the policy for accepting and verifying federated or PKI credentials.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004088">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined measures to disassociate user attributes or identifier assertion relationships among individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004089">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined measures to disassociate user attributes or identifier assertion relationships among credential service providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004090">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined measures to disassociate user attributes or identifier assertion relationships among relying parties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004091">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the measures to be implemented to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-8 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004092">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004093">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004094">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Resolve user identities to a unique individual.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004095">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Collect identity evidence.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004096">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Validate identity evidence.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004097">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify identity evidence.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004098">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004099">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require evidence of individual identification be presented to the registration authority.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004100">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the presented identity evidence be validated through organizational defined methods of validation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004101">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the presented identity evidence be verified through organizational defined methods of verification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004102">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the methods of validation required for presenting identity evidence.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004103">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the methods of verification required for presenting identity evidence.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004104">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the validation of identity evidence be conducted in person before a designated registration authority.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004105">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that the verification of identity evidence be conducted in person before a designated registration authority.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004106">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that a registration code or notice of proofing be delivered through an out-of-band channel to verify the users address (physical or digital) of record.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004107">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Accept externally-proofed identities at an organization-defined identity assurance level.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004108">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the identity assurance level by accepting externally-proofed identities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IA-12 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004109">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level incident response policy that is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004110">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the incident response policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004111">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the incident response procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004112">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage the incident response policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004113">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current incident response policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004114">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events for reviewing and updating the current incident response policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004115">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current incident response procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004116">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events for reviewing and updating the current incident response procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004117">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms to provide an incident response training environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004118">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide incident response training on how to identify and respond to a breach, including the organization's process for reporting a breach.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-2 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004119">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms to test the incident response capability.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004120">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use qualitative data from testing to determine the effectiveness of incident response processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004121">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use quantitative data from testing to determine the effectiveness of incident response processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004122">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use qualitative data from testing to continuously improve incident response processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004123">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use quantitative data from testing to continuously improve incident response processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004124">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use qualitative data from testing to provide incident response measures and metrics that are accurate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004125">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use quantitative data from testing to provide incident response measures and metrics that are accurate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004126">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use qualitative data from testing to provide incident response measures and metrics that are consistent.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004127">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use quantitative data from testing to provide incident response measures and metrics that are consistent.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004128">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use qualitative data from testing to provide incident response measures and metrics that are in a reproducible format.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004129">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use quantitative data from testing to provide incident response measures and metrics that are in a reproducible format.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-3 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004130">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate lessons learned from ongoing incident handling activities into incident response procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004131">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate lessons learned from ongoing incident handling activities into incident response training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004132">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate lessons learned from ongoing incident handling activities into incident response testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004133">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the rigor of incident handling activities are comparable and predictable across the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004134">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the intensity of incident handling activities are comparable and predictable across the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004135">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the scope of incident handling activities are comparable and predictable across the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004136">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure the results of incident handling activities are comparable and predictable across the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004137">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for supporting the incident handling process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004138">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the types of dynamic reconfiguration for system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004139">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the classes of incidents to identify actions in response to those incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004140">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the actions to take in response to organization-defined classes of incidents to ensure continuation of organizational mission and business functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004141">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Coordinate an incident handling capability for insider threats that includes organization-defined entities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004142">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organizational entities for coordinating an incident handling capability for insider threats.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004143">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004144">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for establishing and maintaining an integrated incident response team that can be deployed to any location identified by the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004145">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze malicious code and/or other residual artifacts remaining in the system after the incident.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004146">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze anomalous or suspected adversarial behavior in or related to organization-defined environments or resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004147">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the environments or resources for analyzing anomalous or suspected adversarial behavior.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004148">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and maintain a security operations center.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004149">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage public relations associated with an incident.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (15) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004150">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ measures to repair the reputation of the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-4 (15) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004151">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track incidents using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004152">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Collect incident information using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004153">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze incident information using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004154">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms to track, collect, and analyze incident information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004155">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for reporting incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004156">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide incident information to the provider of the product or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004157">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that addresses the sharing of incident information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004158">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency organization-defined personnel or roles will review and approve the incident response plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 9" />
- </references>
- </cci_item>
- <cci_item id="CCI-004159">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an incident response plan that explicitly designates responsibility for incident response to organization-defined entities, personnel, or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 a 10" />
- </references>
- </cci_item>
- <cci_item id="CCI-004160">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include a process to determine if notice to individuals or other organizations, including oversight organizations, is needed, in the Incident Response Plan for breaches involving Personally Identifiable Information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004161">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms in the Incident Response Plan for breaches involving Personally Identifiable Information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004162">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include identification of applicable privacy requirements in the Incident Response Plan for breaches involving Personally Identifiable Information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-8 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004163">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to information spills by assigning organization-defined personnel or roles with responsibility for responding to information spills.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004164">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who will respond to information spills.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="IR-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004165">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level maintenance policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004166">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development, documentation, and dissemination of the maintenance policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004167">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development, documentation, and dissemination of the maintenance procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004168">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official who will manage the development, documentation, and dissemination of the maintenance policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004169">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official who will manage the development, documentation, and dissemination of the maintenance procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004170">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current maintenance policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004171">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current maintenance policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004172">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current maintenance procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004173">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current maintenance procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004174">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Schedule replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004175">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004176">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review records of replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004177">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve all maintenance activities, whether performed on site or remotely.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004178">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor all maintenance activities, whether performed on site or remotely.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004179">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve all maintenance activities, whether the system or system components are serviced on site or removed to another location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004180">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor all maintenance activities, whether the system or system components are serviced on site or removed to another location.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004181">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information to be removed from associated media.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004182">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Schedule maintenance, repair, and replacement actions for the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004183">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct maintenance, repair, and replacement actions for the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004184">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document maintenance, repair, and replacement actions for the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004185">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Produce up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-2 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004186">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review previously approved system maintenance tools on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004187">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing previously approved system maintenance tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004188">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the use of maintenance tools that execute with increased privilege.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004189">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Inspect the maintenance tools to ensure the latest software updates and patches are installed.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-3 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004190">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Terminate session when nonlocal maintenance is completed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004191">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Terminate network connection when nonlocal maintenance is completed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004192">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (4) (b) (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004193">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the cryptographic mechanisms for protecting the integrity and confidentiality of nonlocal maintenance and diagnostic communications.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-4 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004194">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop organization-defined alternate controls in the event a system component cannot be sanitized, removed, or disconnected from the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004195">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined alternate controls in the event a system component cannot be sanitized, removed, or disconnected from the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004196">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines alternate controls in the event a system component cannot be sanitized, removed, or disconnected from the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-5 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004197">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for transferring predictive maintenance data to a maintenance system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004198">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict or prohibit field maintenance on organization-defined systems or system components to organization-defined trusted maintenance facilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004199">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which restrict or prohibit field maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004200">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the trusted maintenance facilities which the systems or system components restrict or prohibit field maintenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004201">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level media protection policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004202">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the media protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004203">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the media protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004204">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage development and documentation of the media protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004205">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage dissemination of the media protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004206">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage the development, documentation, and dissemination of the media protection policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004207">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current media protection policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004208">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current media policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004209">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current media protection procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004210">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current media procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004211">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Physically control and securely store organization-defined types of digital and/or non-digital media within organization-defined controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004212">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Securely store organization-defined types of digital and/or non-digital media within organization-defined controlled areas.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004213">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004214">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved techniques.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004215">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004216">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms which restrict access to media storage areas and log access attempts and access granted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004217">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect organization-defined types of system media during transport outside of controlled areas using organization-defined controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004218">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control organization-defined types of system media during transport outside of controlled areas using organization-defined controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004219">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test sanitization equipment in accordance with the organization-defined frequency to ensure that the intended sanitization is being achieved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004220">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test sanitization procedures in accordance with the organization-defined frequency to ensure that the intended sanitization is being achieved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004221">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish an organization-defined system media downgrading process that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004222">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system media downgrading process that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004223">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004224">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004225">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify organization-defined system media requiring downgrading.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004226">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system media requiring downgrading.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004227">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test downgrading equipment on an organization-defined frequency to ensure that intended downgrading actions are being achieved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004228">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test downgrading procedures on an organization-defined frequency to ensure that intended downgrading actions are being achieved.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="MP-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004229">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level physical and environmental protection policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004230">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the physical and environmental protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004231">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the physical and environmental protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004232">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage development and documentation of the physical and environmental protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004233">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage dissemination of the physical and environmental protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004234">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official who will manage the physical and environmental policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004235">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official who will manage the physical and environmental procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004236">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current physical and environmental protection policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004237">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current physical and environmental protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004238">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current physical and environmental protection procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004239">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current physical and environmental protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004240">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce physical access authorizations at organization-defined entry points to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004241">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Enforce physical access authorizations at organization-defined exit points to the facility where the system resides.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004242">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control ingress to the facility where the information system resides using one or more organization-defined physical access control systems or devices or guards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004243">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control egress to the facility where the information system resides using one or more organization-defined physical access control systems or devices or guards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004244">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit access using physical barriers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004245">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ access control vestibules at organization-defined locations within the facility.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004246">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the locations within the facility where the access control vestibules are employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-3 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004247">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Link individual identity to receipt of output from output devices.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004248">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for recognizing organization-defined classes or types of intrusions and initiating organization-defined response actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004249">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review video recordings on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004250">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to review video recordings.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-6 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004251">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report anomalies in visitor access records to organization-defined personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004252">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel who are to report anomalies in visitor access records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004253">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for maintaining and reviewing visitor access records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004254">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit personally identifiable information contained in visitor access records to the organization-defined elements identified in the privacy risk assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004255">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements identified in the privacy risk assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004256">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system or individual system components that provide the capability of shutting off power in emergency situations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004257">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automatic environmental controls for preventing potentially harmful fluctuations to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-14 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004258">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-14 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004259">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Detect the presence of water near the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-15 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004260">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Alert organization-defined personnel or roles of the presence of water near the system using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-15 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004261">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for detecting the presence of water and alerting organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-15 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004262">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine and document the organization-defined alternate work sites allowed for use by employees.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004263">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide a means for employees to communicate with information security personnel in case of incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-17 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004264">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect system components, associated data communications, and networks in accordance with national Emissions Security policies based on the security category or classification of the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-19 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004265">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect system components, associated data communications, and networks in accordance with national Emissions Security procedures based on the security category or classification of the information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-19 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004266">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined protective measures against electromagnetic pulse damage for organization-defined systems and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-004267">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the protective measure employed against electromagnetic pulse damage for organization-defined systems and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-004268">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems and system components in which organization-defined protective measures are employed against electromagnetic pulse damage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-004269">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Mark organization-defined system hardware components indicating the impact or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-22" />
- </references>
- </cci_item>
- <cci_item id="CCI-004270">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system hardware components which are marked, indicating the impact or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-22" />
- </references>
- </cci_item>
- <cci_item id="CCI-004271">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan the location or site of the facility where the system resides considering physical and environmental hazards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-23 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004272">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PE-23 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004273">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and or system-level planning policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004274">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the planning policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004275">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the planning policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004276">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current planning policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004277">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current planning procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004278">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that identify the individuals that fulfill system roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004279">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that identify the information types processed, stored, and transmitted by the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 5" />
- </references>
- </cci_item>
- <cci_item id="CCI-004280">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that describe any specific threats to the system that are of concern to the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004281">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that provide the results of a privacy risk assessment for the systems processing personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004282">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that include risk determinations for security and privacy architecture and design decisions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 13" />
- </references>
- </cci_item>
- <cci_item id="CCI-004283">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security and privacy plans for the system that include security- and privacy-related activities affecting the system that require planning and coordination with organization-defined individuals or groups.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-2 a 14" />
- </references>
- </cci_item>
- <cci_item id="CCI-004284">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish the rules describing the responsibilities and expected behavior, for security, for individuals requiring access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004285">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish the rules describing the responsibilities and expected behavior, for privacy, for individuals requiring access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004286">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the rules describing the responsibilities and expected behavior, for information and system usage, for individuals requiring access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004287">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the rules describing the responsibilities and expected behavior, for security, for individuals requiring access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004288">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the rules describing the responsibilities and expected behavior, for privacy, for individuals requiring access to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004289">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency individuals are required to read and re-acknowledge the rules of behavior whenever the rules are revised or updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004290">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include in the rules of behavior, restrictions on use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-4 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004291">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a security Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information privacy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-7 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004292">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop privacy architectures for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004293">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop privacy architectures for the system that describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004294">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop security architectures for the system that describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004295">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop privacy architectures for the system that describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004296">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop privacy architectures for the system that describe how the architectures are integrated into and support the enterprise architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004297">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop privacy architectures for the system that describe any assumptions about, and dependencies on, external systems and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004298">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reflect planned privacy architecture changes in the privacy plans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004299">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reflect planned privacy architecture changes in the privacy Concept of Operations (CONOPS).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004300">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Reflect planned privacy architecture changes in the privacy organizational procurements and acquisitions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004301">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Design the privacy architecture for the system using a defense-in-depth approach that allocates organization-defined controls to organization-defined locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004302">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Design the privacy architecture for the system using a defense-in-depth approach that allocates organization-defined controls to organization-defined architectural layers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004303">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be allocated to organization-defined locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004304">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be allocated to organization-defined architectural layers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004305">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the locations to which the system allocates organization-defined controls in the privacy architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004306">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the architectural layers to which the system allocates organization-defined controls in the privacy architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004307">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Design the privacy architecture for the system using a defense-in-depth approach that ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004308">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls that are allocated to the organization-defined locations and architectural layers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004309">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the locations and architectural layers that are obtained from different suppliers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004310">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Select a control baseline for the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-004311">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Tailor the selected control baseline by applying specified tailoring actions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PL-11" />
- </references>
- </cci_item>
- <cci_item id="CCI-004312">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the organization-wide information security program plan following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004313">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events for reviewing and updating the organization-wide information security program plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004314">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the resources needed to implement the information security programs in capital planning and investment requests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004315">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the resources needed to implement the information privacy programs in capital planning and investment requests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004316">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prepare documentation required for addressing information security programs in capital planning and investment requests in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004317">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prepare documentation required for addressing information privacy programs in capital planning and investment requests in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004318">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Make available for expenditure, the planned information privacy resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004319">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the privacy program and the associated organizational systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004320">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004321">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the supply chain risk management programs and the associated organizational systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004322">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the supply chain risk management programs and the associated organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004323">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document the remedial information privacy actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004324">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document the remedial information supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004325">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the security program and associated organizational systems are reported in accordance with established reporting requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004326">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are reported in accordance with established reporting requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004327">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are reported in accordance with established reporting requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-4 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004328">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an inventory of organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-004329">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update, on an organization-defined frequency, an inventory of organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-004330">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency with which to update the inventory of organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-004331">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish an inventory of all systems, applications, and projects that process personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004332">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain an inventory of all systems, applications, and projects that process personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004333">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update on an organization-defined frequency, an inventory of all systems, applications, and projects that process personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004334">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of which an inventory of all systems, applications, and projects that process personally identifiable information will be updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004335">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop the results of information privacy measures of performance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-004336">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor the results of information privacy measures of performance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-004337">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report on the results of information privacy measures of performance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-004338">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an enterprise architecture with consideration for information privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004339">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004340">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain an enterprise architecture with consideration for information privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004341">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Offload organization-defined non-essential functions or services to other systems, system components, or an external provider.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004342">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the non-essential functions or services to be offloaded to other systems, system components, or an external provider.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-7 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004343">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Address information privacy issues in the development and documentation of a critical infrastructure and key resources protection plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004344">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Address information privacy issues in the updating of a critical infrastructure and key resources protection plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004345">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a comprehensive strategy to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-9 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004346">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage the security state of organizational systems and the environments in which those systems operate through authorization processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004347">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage the privacy state of organizational systems and the environments in which those systems operate through authorization processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-10 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004348">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define organizational mission and business processes with consideration for information privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004349">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine personally identifiable information processing needs arising from the defined mission and business processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004350">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and revise the mission and business processes on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-11 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004351">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which the mission and business processes are reviewed and revised.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-11 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004352">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a privacy workforce development and improvement program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-13" />
- </references>
- </cci_item>
- <cci_item id="CCI-004353">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy testing activities associated with organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004354">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy testing activities associated with organizational systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004355">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy training activities associated with organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004356">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy training activities associated with organizational systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004357">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy monitoring activities associated with organizational systems are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004358">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy monitoring activities associated with organizational information systems are maintained.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004359">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy testing associated with organizational systems continue to be executed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004360">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy training associated with organizational systems continue to be executed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004361">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for ensuring that organizational plans for conducting privacy monitoring activities associated with organizational systems continue to be executed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-14 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004362">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and institutionalize contact with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-15 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004363">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and institutionalize contact with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004364">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and institutionalize contact with selected groups and associations within the privacy community to share current privacy information including threats, vulnerabilities, and incidents.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-15 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004365">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated means to maximize the effectiveness of sharing threat intelligence information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004366">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish policy to ensure that the requirements for the protection of Controlled Unclassified Information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004367">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish procedures to ensure that the requirements for the protection of Controlled Unclassified Information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004368">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the policy for Controlled Unclassified Information on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004369">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency in which the policy for Controlled Unclassified information is reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004370">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the procedures for Controlled Unclassified Information on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004371">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency in which the procedures for Controlled Unclassified information is reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004372">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide privacy program plan that provides an overview of the agency's privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004373">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004374">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide privacy program plan that provides an overview of the agency's privacy program and includes a description of the structure of the privacy program and the resources dictated to the privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004375">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program and includes a description of the structure of the privacy program and the resources dictated to the privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004376">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide privacy program plan that provides an overview of the agency's privacy program and provides an overview of the requirements for the privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004377">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program and provides an overview of the requirements for the privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004378">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide privacy program plan that provides an overview of the agency's privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004379">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004380">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide privacy program plan that provides an overview of the agency's privacy program and includes the role of the Senior Agency Official for Privacy and the identification and assignment of the roles of other privacy officials and staff and their responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004381">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program and includes the role of the Senior Agency Official for Privacy and the identification and assignment of the roles of other privacy officials and staff and their responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004382">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide privacy program plan that provides an overview of the agency's privacy program and describes management commitment, compliance, and the strategic goals and objectives of the privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004383">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program and describes management commitment, compliance, and the strategic goals and objectives of the privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004384">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide privacy program plan that provides an overview of the agency's privacy program and reflects coordination among organizational entities responsible for the different aspects of privacy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 5" />
- </references>
- </cci_item>
- <cci_item id="CCI-004385">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program and reflects coordination among organizational entities responsible for the different aspects of privacy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 5" />
- </references>
- </cci_item>
- <cci_item id="CCI-004386">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide privacy program plan that provides an overview of the agency's privacy program and is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 6" />
- </references>
- </cci_item>
- <cci_item id="CCI-004387">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program and is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 6" />
- </references>
- </cci_item>
- <cci_item id="CCI-004388">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the plan on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 a 6" />
- </references>
- </cci_item>
- <cci_item id="CCI-004389">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the plan to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-18 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004390">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Appoint a Senior Agency Official for Privacy with the authority, mission, accountability, and resources to coordinate applicable privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-19" />
- </references>
- </cci_item>
- <cci_item id="CCI-004391">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Appoint a Senior Agency Official for Privacy with the authority, mission, accountability, and resources to develop applicable privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-19" />
- </references>
- </cci_item>
- <cci_item id="CCI-004392">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Appoint a Senior Agency Official for Privacy with the authority, mission, accountability, and resources to implement applicable privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-19" />
- </references>
- </cci_item>
- <cci_item id="CCI-004393">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Appoint a Senior Agency Official for Privacy with the authority, mission, accountability, and resources to manage privacy risks through the organization-wide privacy program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-19" />
- </references>
- </cci_item>
- <cci_item id="CCI-004394">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain a central resource webpage on the organization's principle public website that serves as a central source of information about the organization's privacy plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20" />
- </references>
- </cci_item>
- <cci_item id="CCI-004395">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the public has access to information about organizational privacy activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004396">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the public can communicate with its Senior Agency Official for Privacy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004397">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that organizational privacy practices and reports are publicly available.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004398">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004399">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services that are written in plain language.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004400">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services that are organized in a way that is easy to understand and navigate.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004401">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services that provide information needed by the public to make an informed about whether and how to interact with the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004402">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services that are updated whenever the organization makes a substantive change to the practices it describes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004403">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services that includes a time/date stamp to inform the public of the date of the most recent changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-20 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004404">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an accurate accounting of disclosures of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-21 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004405">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain an accurate accounting of disclosures of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-21 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004406">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an accurate accounting of disclosures of personally identifiable information, including date, nature, and purpose of each disclosure of a record.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-21 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004407">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain an accurate accounting of disclosures of personally identifiable information, including date, nature, and purpose of each disclosure of a record.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-21 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004408">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an accurate accounting of disclosures of personally identifiable information, including name and address, or other contact information of the individual or organization to which the disclosure was made.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-21 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004409">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain an accurate accounting of disclosures of personally identifiable information, including name and address, or other contact information of the individual or organization to which the disclosure was made.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-21 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004410">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-21 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004411">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-21 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004412">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-wide policies for reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-22 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004413">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-wide procedures for reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-22 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004414">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-wide policies for correcting or deleting inaccurate or outdated personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-22 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004415">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-wide procedures for correcting or deleting inaccurate or outdated personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-22 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004416">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-wide policies for disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-22 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004417">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-wide procedures for disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-22 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004418">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-wide policies for appeals of adverse decisions on correction or deletion requests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-22 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004419">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-wide procedures for appeals of adverse decisions on correction or deletion requests.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-22 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004420">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a Data Governance Body consisting of organization-defined roles with organization-defined responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-004421">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the roles that are established by the Data Governance Body.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-004422">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the responsibilities the Data Governance Body establishes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-004423">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a Data Integrity Board to review proposals to conduct or participate in a matching program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-24 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004424">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a Data Integrity Board to conduct an annual review of all matching programs in which the agency has participated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-24 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004425">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document policies that address the use of personally identifiable information for internal testing, training, and research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004426">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures that address the use of personally identifiable information for internal testing, training, and research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004427">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement policies that address the use of personally identifiable information for internal testing, training, and research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004428">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement procedures that address the use of personally identifiable information for internal testing, training, and research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004429">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004430">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Authorize the use of personally identifiable information when such information is required for internal testing, training, and research.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004431">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update policies on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004432">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of which the policies should be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004433">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update procedures on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004434">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of which the procedures should be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-25 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004435">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for receiving and responding to complaints, concerns or questions from individuals about the organizational security practices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26" />
- </references>
- </cci_item>
- <cci_item id="CCI-004436">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a process for receiving and responding to complaints, concerns or questions from individuals about the organizational privacy practices.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26" />
- </references>
- </cci_item>
- <cci_item id="CCI-004437">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement mechanisms that are easy to use.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004438">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement mechanisms that are readily available by the public.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004439">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement all information necessary for successfully filing complaints.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004440">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement tracking mechanisms to ensure all complaints received are reviewed and appropriately addressed within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004441">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period of which the tracking mechanisms to ensure all complaints received are reviewed and addressed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004442">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement acknowledgement of receipt of complaints, concerns, or questions from individuals within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004443">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for acknowledging the receipt of complaints, concerns, or questions from individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004444">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement response to complaints, concerns, or questions from individuals within an organization-defined time period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004445">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for response to complaints, concerns, or questions from individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-26 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004446">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop organization-defined privacy reports.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-27" />
- </references>
- </cci_item>
- <cci_item id="CCI-004447">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy reports that are to be developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-27" />
- </references>
- </cci_item>
- <cci_item id="CCI-004448">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate privacy reports to organization-defined oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy program mandates.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-27 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004449">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop privacy reports for organization-defined officials and other personnel with responsibility for monitoring privacy program progress and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-27 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004450">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate privacy reports for organization-defined officials and other personnel with responsibility for monitoring privacy program compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-27 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004451">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the officials responsible for monitoring privacy program compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-27 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004452">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update privacy reports on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-27 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004453">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of which the privacy reports are reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-27 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004454">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document assumptions affecting risk assessments, risk response, and risk monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-28 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004455">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document constraints affecting risk assessments, risk response, and risk monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-28 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004456">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document priorities and trade-offs considered by the organization for managing risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-28 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004457">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document the organizational risk tolerance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-28 a 4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004458">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Distribute the results of risk framing activities to organization-defined personnel.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-28 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004459">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel to distribute the results of risk framing activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-28 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004460">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update risk framing considerations on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-28 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004461">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing and updating risk framing considerations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-28 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004462">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Appoint a Senior Accountable Official for Risk Management to align organizational information security management processes with strategic, operational, and budgetary planning processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-29 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004463">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Appoint a Senior Accountable Official for Risk Management to align organizational information privacy management processes with strategic, operational, and budgetary planning processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-29 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004464">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-29 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004465">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a Risk Executive (function) to ensure management of risk is consistent across the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-29 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004466">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide strategy for managing supply chain risks associated with the development of systems, system components, and system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-30 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004467">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide strategy for managing supply chain risks associated with the acquisition of systems, system components, and system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-30 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004468">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide strategy for managing supply chain risks associated with the maintenance of systems, system components, and system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-30 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004469">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide strategy for managing supply chain risks associated with the disposal of systems, system components, and system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-30 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004470">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the supply chain risk management strategy consistently across the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-30 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004471">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the supply chain risk management strategy on an organization-defined frequency or as required, to address organizational changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-30 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004472">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of which the supply chain risk management strategy will be reviewed and updated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-30 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004473">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide continuous monitoring strategy establishing organization-defined metrics to be monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004474">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring programs that include establishing organization-wide metrics to be monitored.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004475">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the metrics for developing and implementing continuous monitoring programs.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004476">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide continuous monitoring strategy establishing organization-defined frequencies for monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004477">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide continuous monitoring strategy establishing organization-defined frequencies for assessment of control effectiveness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004478">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequencies for developing and implementing continuous monitoring programs for monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004479">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring programs that include establishing organization-wide frequencies for monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004480">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring programs that include establishing organization-wide frequencies for assessment of control effectiveness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004481">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequencies for developing and implementing continuous monitoring programs for assessment of control effectiveness.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004482">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide continuous monitoring strategy for ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004483">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring programs that include ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004484">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide continuous monitoring strategy for correlation and analysis of information generated by control assessments and monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004485">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring programs that include correlation and analysis of information generated by control assessments and monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004486">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide continuous monitoring strategy for response actions to address results of the analysis of control assessment and monitoring information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004487">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring programs that include response actions to address results of the analysis of control assessment and monitoring information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004488">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide continuous monitoring strategy for reporting the security status of organizational systems to organization-defined personnel or roles on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004489">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop an organization-wide continuous monitoring strategy for reporting the privacy status of organizational systems to organization-defined personnel or roles on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004490">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring programs that include reporting the security status of organizational systems to organization-defined personnel or roles on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004491">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement continuous monitoring programs that include reporting the privacy status of organizational systems to organization-defined personnel or roles on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004492">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles for whom to report the security status of organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004493">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles for whom to report the privacy status of organizational systems.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004494">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of reporting the security status of organizational systems to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004495">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency of reporting the privacy status of organizational systems to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-31 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004496">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze organization-defined systems or system components supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-32" />
- </references>
- </cci_item>
- <cci_item id="CCI-004497">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components that are used to analyze mission essential services or functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PM-32" />
- </references>
- </cci_item>
- <cci_item id="CCI-004498">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level personnel security policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004499">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the personnel security policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004500">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the personnel security policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004501">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official who will manage the personnel security policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004502">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage development and documentation of the personnel security procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004503">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the personnel security procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004504">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official who will manage the personnel security procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004505">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current personnel security policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004506">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current personnel security policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004507">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current personnel security procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004508">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current personnel security procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004509">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals accessing a system processing, storing, or transmitting organization-defined information types meet organization-defined citizenship requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004510">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information types that meet the organization-defined citizenship requirement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004511">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the citizenship requirements for individuals accessing a system, storing, or transmitting organization-defined information types.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004512">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for notifying organization-defined personnel or roles of individual termination actions; and/or disable access to system resources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004513">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals requiring access to organizational information sign appropriate access agreements prior to being granted access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004514">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals requiring access to organizational systems sign appropriate access agreements prior to being granted access.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004515">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals requiring access to organizational information re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004516">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify that individuals requiring access to organizational systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004517">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for individuals requiring access to organizational information to re-sign access agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004518">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for individuals requiring access to organizational systems to re-sign access agreements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-6 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004519">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require external providers to comply with personnel security policies established by the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004520">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require external providers to comply with personnel security procedures established by the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004521">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a formal sanctions process for individuals failing to comply with established information security policies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004522">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a formal sanctions process for individuals failing to comply with established information security procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004523">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate security roles and responsibilities into organizational position descriptions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-004524">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Incorporate privacy roles and responsibilities into organizational position descriptions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PS-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-004525">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-level; mission/business process-level; and/or system level personally identifiable information processing and transparency policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004526">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate organization-level; mission/business process-level; and/or system level personally identifiable information processing and transparency policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004527">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to whom the organization-level; mission/business process-level; and/or system level personally identifiable information processing and transparency policy is to be disseminated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004528">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-level; mission/business process-level; and/or system level personally identifiable information processing and transparency policy that is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004529">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004530">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the personally identifiable information processing and transparency policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004531">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the personally identifiable information processing and transparency procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004532">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004533">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current personally identifiable information processing and transparency policy on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004534">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current personally identifiable information processing and transparency policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004535">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current personally identifiable processing and transparency policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004536">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current personally identifiable information processing and transparency procedures on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004537">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current personally identifiable information processing and transparency procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004538">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current personally identifiable processing and transparency procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004539">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine and document the organization-defined authority that permits the organization-defined processing of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004540">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the authority who will permit the organization-defined processing of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004541">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the processing of the personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004542">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the organization-defined processing of personally identifiable information to only that which is authorized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004543">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the processing of the personally identifiable information to only that which is authorized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004544">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Attach data tags containing organization-defined authorized processing to organization-defined elements of personally identifiable information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004545">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the authorized processing which will attach data tags to organization-defined elements of personally identifiable information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004546">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements of personally identifiable information containing organization-defined authorized processing.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004547">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage enforcement of the authorized processing of personally identifiable information using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004548">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for managing enforcement of the authorized processing of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004549">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify and document the organization-defined purpose(s) for processing personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004550">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the purpose(s) of identifying and documenting personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004551">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Describe the purpose(s) in the public privacy notices and policies of the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004552">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the organization-defined processing of personally identifiable information to only that which is compatible with the identified purpose(s).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004553">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the processing of personally identifiable information to only that which is compatible with the identified purpose(s).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004554">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor changes in processing personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004555">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined mechanisms to ensure that any changes are made in accordance with organization-defined requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004556">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mechanisms for ensuring any changes are made in accordance with organization-defined requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004557">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the requirements for implementing organization-defined mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004558">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Attach data tags containing organization-defined processing purposes to organization-defined elements of personally identifiable information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004559">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements of personally identifiable information containing organization-defined processing purposes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004560">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Track processing purposes of personally identifiable information using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004561">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined tools or mechanisms for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals' informed decision-making.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004562">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the tools or mechanisms for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals' informed decision-making.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004563">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide organization-defined mechanisms to allow individuals to tailor processing permissions to selected elements of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004564">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mechanisms for allowing individuals to tailor processing permissions to selected elements of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004565">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Present organization-defined consent mechanisms to individuals at an organization-defined frequency and in conjunction with organization-defined personally identifiable information processing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004566">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for presenting organization-defined consent mechanisms to individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004567">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the consent mechanisms needed by individuals on an organization-defined frequency, with organization-defined personally identifiable information processing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004568">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personally identifiable information processing needed for presenting organization-defined consent mechanisms to individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004569">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined tools or mechanisms for individuals to revoke consent to the processing of their personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004570">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the tools or mechanisms for individuals to revoke consent to the processing of their personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004571">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide notice to individuals about the processing of personally identifiable information that is available to individuals upon first interacting with an organization, and subsequently at an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004572">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for providing notice to individuals about the processing of personally identifiable information that is available to individuals upon first interacting with an organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004573">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide notice to individuals about the processing of personally identifiable information is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004574">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004575">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide notice to individuals about the processing of personally identifiable information that identifies the purposes for which personally identifiable information is to be processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004576">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide notice to individuals about the processing of personally identifiable information that includes organization-defined information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004577">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information that includes providing notice to individuals about the processing of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004578">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action or organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004579">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for presenting notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004580">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004581">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For systems that process information that will be maintained in a Privacy Act system of records: draft system of records notices in accordance with OMB guidance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004582">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For systems that process information that will be maintained in a Privacy Act system of records: submit new and significantly modified system of records notices to the OMB and appropriate committees for advance review.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004583">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For systems that process information that will be maintained in a Privacy Act system of records: publish system of records notices in the Federal Register.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004584">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For systems that process information that will be maintained in a Privacy Act system of records: keep system of records notices accurate, up-to-date, and scoped in accordance with policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004585">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review all routine uses published in the system of records notice at an organization-defined frequency to ensure continued accuracy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004586">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing all routine uses in published in the system of records notice.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004587">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review all routine uses published in the system of records notice at an organization-defined frequency to ensure that routine uses continue to be compatible with the purpose for which the information was collected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004588">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review all Privacy Act exemptions claimed for the system of records at organization-defined frequency to ensure they remain appropriate and necessary with law.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004589">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review all Privacy Act exemptions claimed for the system of records at organization-defined frequency to ensure they have been promulgated as regulations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004590">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review all Privacy Act exemptions claimed for the system of records at organization-defined frequency to ensure that they are accurately described in the system of records notice.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004591">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing all Privacy Act exemptions claimed for the system of records.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004592">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Apply organization-defined processing conditions for specific categories of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004593">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the processing conditions for applying specific categories of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004594">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When a system processes Social Security numbers: eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-7 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004595">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When a system processes Social Security numbers: do not deny any individuals any right, benefit, or privilege provided by law because of such individuals' refusal to disclose his or her Social Security number.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-7 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004596">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When a system processes Social Security numbers: inform any individual who is asked to disclose his or Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-7 (1) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004597">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statue or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-7 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004598">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When a system or organization processes information for the purpose of conducting a matching program: obtain approval from the Data Integrity Board to conduct the matching program.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004599">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When a system or organization processes information for the purpose of conducting a matching program: develop and enter into a computer matching agreement.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004600">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When a system or organization processes information for the purpose of conducting a matching program: publish a matching notice in the Federal Register.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-8 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004601">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When a system or organization processes information for the purpose of conducting a matching program: independently verify the information produced by the matching program before taking adverse action against an individual, if required.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-8 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004602">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>When a system or organization processes information for the purpose of conducting a matching program: provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="PT-8 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004603">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; system-level risk assessment policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004604">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level; mission/business process-level; system-level risk assessment policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines, to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004605">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the risk assessment policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004606">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the risk assessment policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004607">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage development and documentation of the risk assessment procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004608">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage dissemination of the risk assessment procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004609">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004610">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current risk assessment policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004611">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current risk assessment policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004612">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current risk assessment procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004613">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current risk assessment procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004614">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Categorize the system and information it processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004615">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Categorize the system and information it stores.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004616">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Categorize the system and information it transmits.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004617">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct a impact-level categorization of organizational systems to obtain additional granularity on system impact levels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004618">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct a risk assessment, including identifying threats to the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004619">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct a risk assessment, including identifying vulnerabilities in the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004620">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct a risk assessment, including determining the likelihood and impact of adverse effects on individuals arising from the processing of personally-identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 a 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004621">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate risk assessment results from the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004622">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate risk management decisions from the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004623">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate mission or business process perspectives with system-level risk assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004624">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Assess supply chain risks associated with organization-defined systems, system components, and system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004625">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems, system-components, and system services for assessing supply chain risks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004626">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update the supply chain risk assessment on an organization-defined frequency when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004627">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for updating the supply chain assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004628">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use all-source intelligence to assist in the analysis of risk.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004629">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine the current cyber threat environment on an ongoing basis using organization-defined means.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004630">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the means for determining the current threat environment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004631">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined advanced automation and analytics capabilities to predict and identify risks to organization-defined systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004632">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the advanced automation and analytics capabilities for predicting and identifying risks to organization-defined systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004633">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components for employing advanced automation and analytics capabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-3 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004634">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: formatting checklists and test procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004635">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: measuring vulnerability impact.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 b 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004636">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004637">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for comparing the results of multiple vulnerability scans.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004638">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system in which will be identified for determining if a vulnerability has been exploited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004639">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for reviewing historic audit logs to determine if a vulnerability identified has been exploited.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004640">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-5 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004641">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to findings from security assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004642">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to findings from privacy assessments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004643">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to findings from monitoring.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004644">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Respond to findings from audits in accordance with organizational risk tolerance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-004645">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct privacy impact assessments for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-8 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004646">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct privacy impact assessments for systems, programs, or other activities before initiating a new collection of personally identifiable information that will be processes using information technology.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-8 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004647">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct privacy impact assessments for systems, programs, or other activities before initiating a new collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the Federal Government.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-8 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004648">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify critical system components and functions by performing a criticality analysis for organization-defined systems, system components, or system services at organization-defined decision points in the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-004649">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system, system components, or system services to perform a criticality analysis for identifying critical system components and functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-004650">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the decision points in the system development life cycle at which organization-defined system, system components, or system services to perform a criticality analysis for identifying critical system components and functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-004651">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-10 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004652">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and maintain a cyber threat hunting capability to detect, track, and disrupt threats that evade existing controls.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-10 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004653">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the threat hunting capability on an organization-defined frequency.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004654">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for employing the threat hunting capability.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="RA-10 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004655">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level system and services acquisition policy that is consistent with applicable laws, Executive Orders, directives, regulations, polices, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004656">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage development and documentation of the system and services acquisition policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004657">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage dissemination of the system and services acquisition policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004658">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage development and documentation of the system and services acquisition policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004659">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the system and services acquisition procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004660">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the system and services acquisition procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004661">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated to manage the system and services acquisition procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004662">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and services acquisition policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004663">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current system and services acquisition policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004664">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and services acquisition procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004665">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current system and services acquisition procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004666">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine the high-level information privacy requirements for the system or system service in mission and business process planning.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004667">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a discrete line item for information privacy in organizational programming documentation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004668">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a discrete line item for information privacy in organizational budgeting documentation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004669">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Acquire the system using an organization-defined system development life cycle that incorporates information security considerations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004670">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Acquire the system using an organization-defined system development life cycle that incorporates information privacy considerations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004671">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop the system using an organization-defined system development life cycle that incorporates information security considerations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004672">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop the system using an organization-defined system development life cycle that incorporates information privacy considerations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004673">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manage the system using an organization-defined system development life cycle that incorporates information privacy considerations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004674">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a system development life cycle that is used to develop the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004675">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a system development life cycle that is used to acquire the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004676">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define and document information system privacy roles and responsibilities throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004677">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify individuals having information system privacy roles and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004678">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Integrate the organizational information privacy risk management process into system development life cycle activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004679">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004680">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Approve the use of live data in preproduction environments for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004681">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document the use of live data in preproduction environments for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004682">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Control the use of live data in preproduction environments for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004683">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004684">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Plan for a technology refresh schedule to support the system throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004685">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement technology refresh schedule to support the system throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004686">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the organization-defined contract language for including the requirements, descriptions, and criteria in the acquisition contract for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-004687">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the privacy functional requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004688">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the privacy assurance requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004689">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the controls needed to satisfy security requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004690">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the controls needed to satisfy privacy requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004691">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the privacy documentation requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 e" />
- </references>
- </cci_item>
- <cci_item id="CCI-004692">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the requirements for protecting security documentation, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004693">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the requirements for protecting privacy documentation, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 f" />
- </references>
- </cci_item>
- <cci_item id="CCI-004694">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the allocation of responsibility or identification of parties responsible for information security, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-004695">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the allocation of responsibility or identification of parties responsible for information privacy, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-004696">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include the allocation of responsibility or identification of parties responsible for supply chain risk management, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 h" />
- </references>
- </cci_item>
- <cci_item id="CCI-004697">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes organization-defined systems engineering methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004698">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems engineering methods for demonstrating the use of a system development life cycle process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004699">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes organization-defined system security engineering methods and/or privacy engineering methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004700">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system security engineering methods and/or privacy engineering methods for demonstrating the use of a system development life cycle process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004701">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes organization-defined software development methods; testing; evaluation, assessment, verification, and validation methods, and quality control processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004702">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the software development methods; testing; evaluation, assessment, verification, and validation methods, and quality control processes for demonstrating the use of a system development life cycle process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (3) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004703">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include organization-defined Privacy Act requirements in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004704">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the Privacy Act requirements to include in the acquisition contract.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004705">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include organizational data ownership requirements in the acquisition contract.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (12) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004706">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require all data to be removed from the contractor's system and returned to the organization within an organization-defined time frame.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (12) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004707">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time frame for returning the data removed from the contractor's system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-4 (12) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004708">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop administrator documentation for the system, system component, or system services that describes effective use and maintenance of privacy functions and mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004709">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms and how to effectively use those functions and mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004710">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop user documentation for the system, system component, or system service that describes methods for user interaction which enables individuals to protect individual privacy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 b 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004711">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Obtain or develop user documentation for the system, system component, or system service that describes user responsibilities in maintaining the privacy of individuals.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-5 b 3" />
- </references>
- </cci_item>
- <cci_item id="CCI-004712">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems security and privacy engineering principles applied to the specification of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004713">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems security engineering principles applied to the design of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004714">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems security engineering principles applied to the development of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004715">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems security engineering principles applied to the implementation of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004716">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems security engineering principles applied to the modification of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-004717">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of clear abstractions.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004718">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of least common mechanism in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004719">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of least common mechanism.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004720">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principles of modularity and layering in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004721">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principles of modularity and layering.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004722">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of partially ordered dependencies in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004723">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of partially ordered dependencies.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004724">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of efficiently mediated access in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004725">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of efficiently mediated access.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004726">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of minimized sharing in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004727">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of minimized sharing.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004728">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of reduced complexity in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004729">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of reduced complexity.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004730">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of secure evolvability in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004731">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of secure evolvability.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004732">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of trusted components in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004733">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of trusted components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004734">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of hierarchical trust in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004735">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of hierarchical trust.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004736">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of inverse modification threshold in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004737">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of inverse modification threshold.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004738">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of hierarchical protection in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004739">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of hierarchical protection.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004740">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of minimized security elements in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004741">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of minimized security elements.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (13)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004742">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of least privilege in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004743">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of least privilege.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (14)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004744">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of predicate permission in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004745">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of predicate permission.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (15)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004746">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of self-reliant trustworthiness in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004747">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of self-reliant trustworthiness.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004748">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of secure distributed composition in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004749">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of secure distributed composition.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004750">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of trusted communication channels in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (18)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004751">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of trusted communication channels.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (18)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004752">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of continuous protection in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004753">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of continuous protection.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (19)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004754">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of secure metadata management in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004755">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of secure metadata management.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (20)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004756">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of self-analysis in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004757">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of self-analysis.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (21)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004758">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of accountability and traceability in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (22)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004759">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of accountability and traceability.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (22)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004760">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of secure defaults in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (23)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004761">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of secure defaults.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (23)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004762">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of secure failure and recovery in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (24)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004763">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of secure failure and recovery.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (24)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004764">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of economic security in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (25)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004765">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of economic security.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (25)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004766">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of performance security in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (26)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004767">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of performance security.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (26)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004768">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of human factored security in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (27)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004769">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of human factored security.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (27)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004770">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of acceptable security in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (28)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004771">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of acceptable security.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (28)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004772">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of repeatable and documented procedures in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (29)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004773">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of repeatable and documented procedures.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (29)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004774">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of procedural rigor in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (30)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004775">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of procedural rigor.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (30)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004776">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of secure system modification in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (31)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004777">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of secure system modification.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (31)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004778">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the security design principle of sufficient documentation in organization-defined systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (32)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004779">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components which will implement the security design principle of sufficient documentation.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (32)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004780">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement the privacy principle of minimization using organization-defined processes.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (33)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004781">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the processes for implementing the privacy principle of minimization.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-8 (33)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004782">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that providers of external system services comply with organizational privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004783">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require that providers of external system services employ organization-defined controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004784">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls for complying with organizational security and privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004785">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define and document organizational oversight with regard to external system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004786">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Define and document user roles and responsibilities with regard to external system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004787">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish trust relationships with external service providers based on organization-defined privacy requirements, properties, factors, or conditions defining acceptable trust relationships.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004788">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document trust relationships with external service providers based on organization-defined privacy requirements, properties, factors, or conditions defining acceptable trust relationships.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004789">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain trust relationships with external service providers based on organization-defined privacy requirements, properties, factors, or conditions defining acceptable trust relationships.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004790">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines privacy requirements, properties, factors, or conditions defining acceptable trust relationships with external service providers.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004791">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004792">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide the capability to check the integrity of organizational information while it resides in the external system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004793">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-9 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004794">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to document the potential privacy impacts of approved changes to the system, component, or service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004795">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require organization-defined security and privacy representatives to be included in the organization-defined configuration change management and control process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004796">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security and privacy representatives to be included the organization-defined configuration change management and control process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004797">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the configuration change management and control process required for the organization-defined security and privacy representatives.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-10 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004798">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to develop a plan for ongoing security control assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004799">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to implement a plan for ongoing privacy control assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004800">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency that the unit, integration, system, and/or regression testing/evaluation is performed at an organization-defined depth and coverage.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004801">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use the following contextual information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004802">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004803">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the following tools and methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004804">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the tools and methods to be employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004805">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct the modeling and analyses as the following level of rigor.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004806">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the breadth and depth of modeling and analyses the level of rigor will be conducted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004807">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Produces evidence that meets the following acceptance criteria.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004808">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the acceptance criteria that meets the requirement for producing evidence.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (2) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004809">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer privacy assessment plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004810">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require an independent agent satisfying organization-defined independence criteria to verify the evidence produced during privacy testing and evaluation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004811">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer privacy assessment plan and the evidence produced during privacy testing and evaluation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004812">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform penetration testing at an organization-defined breadth and depth of testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (5) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004813">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform penetration testing under organization-defined constraints.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (5) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004814">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004815">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ interactive application security testing tools to document the results.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-11 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004816">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to follow a documented development process that explicitly addresses privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004817">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004818">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the development standards in accordance with organization-defined frequency to determine if the development standards selected and employed can satisfy organization-defined privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004819">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the development tools in accordance with organization-defined frequency to determine if the development tools selected and employed can satisfy organization-defined privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004820">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review the development tool options/configurations in accordance with organization-defined frequency to determine if the development tool options and tool configurations selected and employed can satisfy organization-defined privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004821">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency on which to review the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options and tool configurations selected and employed can satisfy organization-defined privacy requirements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004822">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options and tool configurations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004823">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to select a privacy tracking tool for use during the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004824">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to employ a privacy tracking tool for use during the development process.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004825">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform a criticality analysis at the organization-defined decision points in the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (3) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004826">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to perform a criticality analysis at an organization-defined breadth/depth of criticality analysis.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (3) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004827">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for performing an automated vulnerability analysis using organization-defined tools.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004828">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for determining the exploitation potential for discovered vulnerabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004829">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for determining potential risk mitigations for delivered vulnerabilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004830">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for delivering the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (7) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004831">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to implement an incident response plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004832">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to test an incident response plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004833">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final privacy review.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (11)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004834">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-15 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004835">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to provide organization-defined training on the correct use and operation of the implemented privacy functions, controls, and/or mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-004836">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the training the developer of the system, system component, or information system service is required to provide on the correct use and operation of the implemented privacy functions, controls, and/or mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-004837">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a privacy architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17" />
- </references>
- </cci_item>
- <cci_item id="CCI-004838">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a privacy architecture that is consistent with and supportive of the organization's privacy architecture which is established within and is an integrated part of the organization's enterprise architecture.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004839">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a privacy architecture that accurately and completely describes the required privacy functionality.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004840">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a privacy architecture that accurately and completely describes the allocation of privacy controls among physical and logical components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004841">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to produce a privacy architecture that expresses how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004842">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system to produce, as an integral part of the development process, a formal policy model describing the organization-defined elements of organizational privacy policy to be enforced.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004843">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements of organizational privacy policy to be described in the formal policy model for enforcement on the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004844">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Require the developer of the system, system component, or system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004845">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Design organization-defined critical systems or system components with coordinated behavior to implement organization-defined capabilities, by system or component.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004846">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the critical systems or system components for implementing organization-defined capabilities, by system or component.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004847">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the capabilities, by system or component, for designing organization-defined critical systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004848">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use different designs for organization-defined critical systems or system components to satisfy a common set of requirements or to provide equivalent functionality.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004849">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the critical systems or system components for satisfying a common set of requirements or to provide equivalent functionality.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-17 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004850">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ design; modification; augmentation; and/or reconfiguration on organization-defined systems or system components supporting mission essential services or functions to increase the trustworthiness in those systems or components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-004851">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components for supporting mission essential services or functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SA-23" />
- </references>
- </cci_item>
- <cci_item id="CCI-004852">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004853">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system-level a system and communications protection policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004854">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004855">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the system and communications protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004856">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the system and communications protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004857">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the system and communications protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004858">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the system and communications protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004859">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official to manage the development, documentation, and dissemination of the system and communications protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004860">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official to manage the development, documentation, and dissemination of the system and communications protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004861">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and communications protection policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004862">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current system and communications protection policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004863">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and communications protection procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004864">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current system and communications protection procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004865">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Store state information from applications and software separately.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004866">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined controls by type of denial-of-service to achieve the denial-of-service objective.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004867">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls by type of denial-of-service event by employing the controls to achieve the denial-of-service objective.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-5 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004868">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational privacy architecture.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004869">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent unauthorized exchange of control plane traffic with external networks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (f)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004870">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (g)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004871">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Filter unauthorized control plane traffic from external networks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (4) (h)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004872">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems that will deny network communications traffic by default and allow network communications traffic by exception.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004873">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the safeguards to prevent split tunneling for remote devices connecting to organizational systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004874">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct exfiltration tests at an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (10) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004875">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency to conduct exfiltration tests.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (10) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004876">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For systems that process personally identifiable information, apply organization-defined processing rules to data elements of personally identifiable information.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (24) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004877">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines processing rules to be applied to data elements of personally identifiable information.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (24) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004878">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For systems that process personally identifiable information, monitor for permitted processing at the external boundary of the system and at key internal boundaries within the system.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (24) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004879">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For systems that process personally identifiable information, document each processing exception.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (24) (c)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004880">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>For systems that process personally identifiable information, review and remove exceptions that are no longer supported.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (24) (d)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004881">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the direct connection of organization-defined unclassified national security system to an external network without the use of organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (25)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004882">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the unclassified national security system that is prohibited from connecting to an external network without the use of organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (25)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004883">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the boundary protection device that prohibits the direct connection of organization-defined unclassified national security system to an external system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (25)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004884">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the direct connection of a classified national security system to an external network without the use of organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (26)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004885">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the boundary protection device that prohibits the direct connection of a classified national security system to an external system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (26)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004886">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the direct connection of organization-defined unclassified non-national security system to an external network without the use of organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (27)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004887">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the unclassified non-national security system that is prohibited from connecting to an external network without the use of organization-defined boundary protection device.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (27)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004888">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the boundary protection device that prohibits the direct connection of organization-defined unclassified non-national security system to an external system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (27)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004889">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit the direct connection of organization-defined system to a public network.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (28)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004890">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system that prohibits the direct connection to a public network.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (28)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004891">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (29)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004892">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the critical system components to implement physically or logically separate subnetworks.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-7 (29)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004893">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined protection distribution system to prevent unauthorized disclosure of information, and/or detect changes to information during transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004894">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the protected distribution system for preventing unauthorized disclosure of information, and/or detect changes to information during transmission.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-8 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004895">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Permit users to invoke the trusted communications path for communications between the user and the organization-defined security functions, including at a minimum, authentication and re-authentication.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004896">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Initiates the trusted communications path for communications between the organization-defined security functions of the system and the user.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-11 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004897">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security functions to be initiated between the system and the user for trusted communications path for communications.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-11 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004898">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines requirements for certificates that are issued for producing, controlling, and distributing asymmetric cryptographic keys.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004899">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain physical control of cryptographic keys when store information is encrypted by external service providers.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-12 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004900">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine the organization-defined cryptographic uses.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-13 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004901">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Associate organization-defined privacy attributes with information exchanged between systems.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-004902">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Associate organization-defined privacy attributes with information exchanged between system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-004903">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy attributes to associate with the information being exchanged between systems and between system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16" />
- </references>
- </cci_item>
- <cci_item id="CCI-004904">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify the integrity of transmitted privacy attributes.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004905">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004906">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined mechanisms or techniques to bind security attributes to transmitted information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004907">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined mechanisms or techniques to bind privacy attributes to transmitted information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004908">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the mechanisms or techniques for binding security and privacy attributes to transmitted information.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-16 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004909">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Include only approved trust anchors in trust stores or certificate stores managed by the organization.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-17 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004910">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004911">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the safeguards for providing protected storage for cryptographic keys.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-28 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004912">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Partition privileged functions into separate physical domains.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-32 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004913">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Takes organization-defined actions in response to identified faults, errors, or compromises.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004914">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines actions to take in response to identified faults, errors, or compromises.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004915">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Synchronize the organization-defined duplicate systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004916">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the duplicate systems or system components to be synchronized.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-36 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004917">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines sensors to facilitate an individual's awareness that personally identifiable information is being collected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004918">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines measures to facility an individual's awareness that personally identifiable information is being collected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004919">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined measures to facilitate an individual's awareness that personally identifiable information is being collected by organization-defined sensors.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004920">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines sensors that are configured to minimize the collection of information about individuals that is not needed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004921">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined sensors that are configured to minimize the collection of information about individuals that is not needed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-42 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004922">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Synchronize system clocks within and between systems or system components.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-45" />
- </references>
- </cci_item>
- <cci_item id="CCI-004923">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-45 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004924">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for comparing the internal system clocks with organization-defined authoritative time source.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-45 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004925">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time source used for comparing the internal system clocks.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-45 (1) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004926">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Synchronize the internal system clocks to the authoritative time source when the time difference is greater than organization-defined time period.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-45 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004927">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the time period for synchronizing the internal system clocks to the authoritative time source.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-45 (1) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004928">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-45 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004929">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-45 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004930">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a policy enforcement mechanism physically or logically between the physical and/or network interfaces for the connecting security domains.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-46" />
- </references>
- </cci_item>
- <cci_item id="CCI-004931">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish organization-defined alternate communications paths for system operations organizational command and control.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-47" />
- </references>
- </cci_item>
- <cci_item id="CCI-004932">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Relocate organization-defined sensors and monitoring capabilities to organization-defined locations under organization-defined conditions or circumstances.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-48" />
- </references>
- </cci_item>
- <cci_item id="CCI-004933">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the sensors and monitoring capabilities to be relocated to organization-defined locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-48" />
- </references>
- </cci_item>
- <cci_item id="CCI-004934">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the locations of which the organization-defined sensors and monitoring capabilities will be relocated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-48" />
- </references>
- </cci_item>
- <cci_item id="CCI-004935">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions or circumstances of which the organization-defined sensors and monitoring capabilities are relocated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-48" />
- </references>
- </cci_item>
- <cci_item id="CCI-004936">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Dynamically relocate organization-defined sensors and monitoring capabilities to organization-defined locations under organization-defined conditions or circumstances.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-48 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004937">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the sensors and monitoring capabilities to be dynamically relocated to organization-defined locations.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-48 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004938">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the locations of which the organization-defined sensors and monitoring capabilities will be dynamically relocated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-48 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004939">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the conditions or circumstances of which the organization-defined sensors and monitoring capabilities are dynamically relocated.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-48 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004940">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement hardware-enforced separation and policy enforcement mechanisms between organization-defined security domains.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-49" />
- </references>
- </cci_item>
- <cci_item id="CCI-004941">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security domains for implementing hardware-enforced separation and policy enforcement mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-49" />
- </references>
- </cci_item>
- <cci_item id="CCI-004942">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement software-enforced separation and policy enforcement mechanisms between organization-defined security domains.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-50" />
- </references>
- </cci_item>
- <cci_item id="CCI-004943">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the security domains for implementing software-enforced separation and policy enforcement mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SC-50" />
- </references>
- </cci_item>
- <cci_item id="CCI-004944">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level; mission/business process-level; and/or system level system and information integrity policy that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004945">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the system and information integrity policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004946">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the system and information integrity policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004947">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the system and information integrity procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004948">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the system and information integrity procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004949">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated for managing the development, documentation, and dissemination of the system and information integrity policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004950">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the official designated for managing the development, documentation, and dissemination of the system and information integrity procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004951">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and information integrity policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004952">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current system and information integrity policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-004953">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current system and information integrity procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004954">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current system and information integrity procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004955">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine if system components have applicable security-related software updates installed using organization-defined mechanisms on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004956">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine if system components have applicable security-related firmware updates installed using organization-defined mechanisms on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004957">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for installing security-relevant software updates using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004958">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines a frequency for installing security-relevant firmware updates using organization-defined automated mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004959">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for determining if system components have applicable security-related software updates installed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004960">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for determining if system components have applicable security-related firmware updates installed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004961">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated patch management tools to facilitate flaw remediation to the organization-defined system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004962">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components on which patch management tools to facilitate flaw remediation are employed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-2 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004963">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement signature based and/or non-signature based malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004964">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004965">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004966">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Configure malicious code protection mechanisms to send alerts to organization-defined personnel in response to malicious code detection.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-3 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-004967">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Analyze detected events and anomalies.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004968">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated mechanisms to support near real-time analysis of events.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004969">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated mechanisms to integrate intrusion detection mechanisms into access control mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004970">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ automated mechanisms to integrate intrusion detection mechanisms into flow control mechanisms.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004971">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine criteria for unusual or unauthorized activities or conditions for inbound communications traffic.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004972">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Determine criteria for unusual or unauthorized activities or conditions for outbound communications traffic.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (4) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004973">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the unusual or unauthorized activities or conditions that will be monitored for inbound communications traffic.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004974">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the unusual or unauthorized activities or conditions that will be monitored for outbound communications traffic.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004975">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Test intrusion monitoring mechanisms at an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004976">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for testing intrusion monitoring mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (9)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004977">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the encrypted communications traffic that is to be visible to organization-defined system monitoring mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004978">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system monitoring mechanisms that will have visibility into organization-defined encrypted communications traffic.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004979">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Make provisions so that organization-defined encrypted communications traffic is visible to organization-defined system monitoring mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (10)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004980">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to receive alerts when indications of inappropriate or unusual activities with security or privacy occur.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (12)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004981">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correlate information from monitoring mechanisms employed throughout the system.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (16)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004982">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-4 (25)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004983">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for broadcasting security alert and advisory information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004984">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the privacy functions that require verification of correct operation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004985">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Verify correct operation of organization-defined privacy functions.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-004986">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which it will verify correct operation of organization-defined privacy functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004987">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system transitional states when the system will verify correct operation of organization-defined privacy functions.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004988">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform verification of the correct operation of organization-defined privacy functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004989">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Alert organization-defined personnel or roles of failed privacy verification tests.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004990">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles to be notified when privacy verification tests fail.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-004991">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines alternative action(s) to be taken when anomalies in the operation of organization-defined privacy functions are discovered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004992">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined privacy functions are discovered.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 d" />
- </references>
- </cci_item>
- <cci_item id="CCI-004993">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement automated mechanisms to support the management of distributed privacy function testing.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004994">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report the results of privacy function verification to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004995">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles that are to receive reports on the results of privacy function verification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-6 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004996">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Take organization-defined actions when unauthorized changes to the software, firmware, and information are detected.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004997">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the actions to be taken when unauthorized changes to the software, firmware, and information are detected.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-004998">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement organization-defined controls for application self-protection at runtime.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-004999">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be implemented for runtime application self-protection.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-7 (17)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005000">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005001">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Update spam protection mechanisms when new releases are available in accordance with organizational configuration management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-8 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005002">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for updating spam protection mechanisms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-8 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005003">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent untrusted data injections.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-10 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005004">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit personally identifiable information being processed in the information life cycle to the organization-defined elements of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005005">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements of personally identifiable information being processed in the information life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-12 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005006">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined techniques to minimize the use of personally identifiable information for research, testing, or training, in accordance with the privacy risk assessment.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005007">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques for minimizing the use of personally identifiable information for research, testing, or training.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-12 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005008">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use organization-defined techniques to dispose of, destroy, or erase information following the retention period.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-12 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005009">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the percentage of the mean time to failure used to manually initiate transfer between active and standby system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005010">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the action to be taken when system failures are detected.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-13 (4) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005011">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Refresh organization-defined information on an organization-defined frequency, or generate organization-defined information on demand.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005012">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information to be refreshed on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005013">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency at which to refresh organization-defined information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005014">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information to be generated on demand.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (2) (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005015">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Delete information when no longer needed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (2) (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005016">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Refresh connections to the system on demand.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005017">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Terminate connections after completion of a request, or a period of non-use.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-14 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005018">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle, on an organization-defined frequency.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005019">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for checking the accuracy, relevance, timeliness, and completeness of personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005020">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correct or delete inaccurate or outdated personally identifiable information.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 b 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-005021">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using organization-defined mechanisms.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005022">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the automated mechanisms for identifying inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified personally identifiable information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005023">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005024">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Collect personally identifiable information directly from the individual.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005025">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Correct or delete personally identifiable information upon request by individuals or their designated representatives.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005026">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify organization-defined recipients of personally identifiable information that the personally identifiable information has been corrected or deleted.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005027">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the recipients of personally identifiable information who are to be notified when the personally identifiable information is corrected or deleted.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005028">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Notify individuals that the personally identifiable information has been corrected or deleted.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-18 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005029">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove the following elements of personally identifiable information from datasets.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005030">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the elements of personally identifiable information to be removed from datasets.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005031">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Evaluate organization-defined frequency for effectiveness of de-identification.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005032">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for evaluating for effectiveness of de-identification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005033">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>De-identify the dataset upon collection by not collecting personally identifiable information.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005034">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prohibit archiving personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005035">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005036">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.</definition>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005037">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 (5)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005038">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 (6)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005039">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform de-identification using validated algorithms and software that is validated to implement the algorithms.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 (7)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005040">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-19 (8)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005041">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-20" />
- </references>
- </cci_item>
- <cci_item id="CCI-005042">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components used to determine if organizational data has been exfiltrated or improperly removed from the organization.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-20" />
- </references>
- </cci_item>
- <cci_item id="CCI-005043">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Refresh organization-defined information on an organization-defined frequency, or generate organization-defined information on demand.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-005044">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information to be refreshed on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-005045">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequencies for refreshing organization-defined information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-21" />
- </references>
- </cci_item>
- <cci_item id="CCI-005046">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Identify the following alternate sources of information for organization-defined essential functions and services.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-22 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005047">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the alternative information sources for identifying organization-defined essential functions and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-22 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005048">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Use an alternate information source for the execution of essential functions or services on organization-defined systems or system components when the primary source of information is corrupted or unavailable.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-22 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005049">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components used as an alternate information source for the execution of essential functions or services when the primary source of information is corrupted or unavailable.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-22 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005050">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Based on organization-defined circumstances, fragment the following information.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-23 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005051">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information for fragmentation.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-23 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005052">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances for fragmenting organization-defined information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-23 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005053">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Based on organization-defined circumstances, distribute the fragmented information across the following systems or system components.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-23 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005054">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems or system components used to distribute fragmented information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-23 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005055">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the circumstances for distributing fragmented information across organization-defined systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SI-23 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005056">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Disseminate an organization-level, mission/business process-level, and/or system-level supply chain risk management policy to organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 a 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-005057">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document an organization-level, mission/business process-level, and/or system-level supply chain risk management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 a 1 (a)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005058">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document organization-level, mission/business process-level, and/or system-level supply chain risk management policy that is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 a 1 (b)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005059">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 a 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-005060">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the supply chain risk management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005061">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the development and documentation of the supply chain risk management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005062">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the supply chain risk management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005063">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Designate an organization-defined official to manage the dissemination of the supply chain risk management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005064">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current supply chain risk management policy on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-005065">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing and updating the current supply chain risk management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-005066">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current supply chain risk management policy following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-005067">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current supply chain risk management policy.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 c 1" />
- </references>
- </cci_item>
- <cci_item id="CCI-005068">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current supply chain risk management procedures on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-005069">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing and updating the current supply chain risk management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-005070">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the current supply chain risk management procedures following organization-defined events.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-005071">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the events following reviewing and updating the current supply chain risk management procedures.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-1 c 2" />
- </references>
- </cci_item>
- <cci_item id="CCI-005072">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components, or system services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005073">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems, system components, or system services that a plan for managing supply chain risks are developed.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-2 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005074">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Review and update the supply chain risk management plan on an organization-defined frequency, or as required, to address threat, organizational or environmental changes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005075">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for reviewing and updating the supply chain risk management plan.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-2 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005076">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Protect the supply chain risk management plan from unauthorized disclosure and modification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-2 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-005077">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a supply chain risk management team consisting of organization-defined personnel, roles, and responsibilities to lead and support the following SCRM activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005078">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the supply chain risk management activities that will be led by a supply chain risk management team consisting of organization-defined personnel, roles, and responsibilities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005079">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel, roles, and responsibilities who lead and support organization-defined supply chain risk management activities.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-2 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005080">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a process of processes to identify and address weaknesses or deficiencies in the supply chain elements of organization-defined system or system components in coordination with organization-defined supply chain personnel.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005081">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system or system processes which establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain elements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005082">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the supply chain personnel who, in coordination, establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain elements.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005083">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish a process of processes to identify and address weaknesses or deficiencies in the processes of organization-defined system or system components in coordination with organization-defined supply chain personnel.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005084">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system or system processes which establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005085">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the supply chain personnel who, in coordination, establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain processes.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005086">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the following controls to protect against supply chain risks to the system, system component, or system service.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005087">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Limit the harm or consequences from supply chain-related events.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005088">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the supply chain controls employed for protecting against supply chain risks to the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005089">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document the selected and implemented supply chain processes and controls in security and privacy plans, supply chain risk management plan, or organization-defined document.</definition>
- <type>policy</type>
- <type>technical</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-005090">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the document which contains supply chain processes and controls.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 c" />
- </references>
- </cci_item>
- <cci_item id="CCI-005091">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ a diverse set of sources for the following system components and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005092">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system or system components and services which employ a diverse set of sources.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005093">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005094">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls to be employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005095">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-3 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005096">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Document valid provenance of the following systems, system components, and associated data.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-005097">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Monitor valid provenance of the following systems, system components, and associated data.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-005098">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain valid provenance of the following systems, system components, and associated data.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-005099">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems, system components, and associated data for documenting, monitoring, and maintaining valid provenance.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4" />
- </references>
- </cci_item>
- <cci_item id="CCI-005100">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005101">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the supply chain elements, processes, and personnel associated with organization-defined systems and critical system components for establishing and maintaining unique identification.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005102">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish and maintain unique identification of the following systems and critical components for tracking through the supply chain.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005103">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the systems and critical system components for tracking through the supply chain.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005104">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the following controls to validate that the system or system component received is genuine.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005105">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the following controls to validate that the system or system component received has not been altered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005106">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls for validating that the system or system component received is genuine.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005107">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls for validating that the system or system component received has not been altered.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005108">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organization-defined controls to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission essential technologies, products, and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005109">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls for ensuring the integrity of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005110">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Conduct organization-defined analysis to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission essential technologies, products, and services.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005111">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the analysis for ensuring the integrity of the system and system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-4 (4)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005112">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-005113">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the acquisition strategies, contract tools, and procurement methods for protecting against, identifying, and mitigating supply chain risks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-5" />
- </references>
- </cci_item>
- <cci_item id="CCI-005114">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the following controls to ensure an adequate supply of organization-defined critical system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005115">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the controls for ensuring an adequate supply of organization-defined critical system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005116">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the critical system components that the organization-defined controls ensure an adequate supply of.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-5 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005117">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Access the system, system component, or system service prior to selection, acceptance, modification, or update.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-5 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005118">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Access and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-005119">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for assessing and reviewing the supply chain risks.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-6" />
- </references>
- </cci_item>
- <cci_item id="CCI-005120">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ organizational analysis, independent third-party analysis, organizational testing, and/or independent third-party testing of the following supply chain elements, processes, and actors associated with the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005121">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the supply chain elements, processes, and actors for employing organizational analysis, independent third-party analysis, organizational testing, and/or independent third-party testing.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-6 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005122">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-005123">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the Operations Security (OPSEC) controls that protect supply chain-related information for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-7" />
- </references>
- </cci_item>
- <cci_item id="CCI-005124">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises, results of assessments or audits, and/or organization-defined information.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-005125">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the information for establishing agreements and procedures with entities involved in the supply chain for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-8" />
- </references>
- </cci_item>
- <cci_item id="CCI-005126">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Implement a tamper protection program for the system, system component, or system service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-9" />
- </references>
- </cci_item>
- <cci_item id="CCI-005127">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Employ anti-tamper technologies, tool, and techniques throughout the system development life cycle.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-9 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005128">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Inspect the following systems or system components at random, at organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-005129">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for inspecting systems or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-005130">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the indications of need for inspection for detecting tampering.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-005131">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system or system components which will be inspected at random, at organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-10" />
- </references>
- </cci_item>
- <cci_item id="CCI-005132">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document anti-counterfeit policy that include the means to detect and prevent counterfeit components from entering the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005133">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Develop and document anti-counterfeit procedures that include the means to detect and prevent counterfeit components from entering the system.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 a" />
- </references>
- </cci_item>
- <cci_item id="CCI-005134">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Report counterfeit system components to source of counterfeit component, organization-defined external reporting organizations, and/or organization-defined personnel or roles.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005135">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the external reporting organizations who report counterfeit system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005136">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who report counterfeit system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 b" />
- </references>
- </cci_item>
- <cci_item id="CCI-005137">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Train organization-defined personnel or roles to detect counterfeit system components including hardware, software, and firmware.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005138">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the personnel or roles who are trained to detect counterfeit system components (including hardware, software, and firmware).</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 (1)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005139">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain configuration control over the following system components awaiting service or repair.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005140">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Maintain configuration control over serviced or repaired components awaiting return to service.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005141">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the system components awaiting service or repair.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 (2)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005142">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Scan for counterfeit system components on an organization-defined frequency.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005143">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the frequency for which the counterfeit system components are scanned.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-11 (3)" />
- </references>
- </cci_item>
- <cci_item id="CCI-005144">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Dispose of organization-defined data, documentation, tools, or system components using the following techniques and methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-005145">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the data, documentation, tools, or system components which are to be disposed of using organization-defined techniques and methods.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-005146">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Defines the techniques or methods used to dispose of organization-defined data, documentation, tools, or system components.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="SR-12" />
- </references>
- </cci_item>
- <cci_item id="CCI-005147">
- <status>draft</status>
- <publishdate>2022-03-01</publishdate>
- <contributor>DISA</contributor>
- <definition>Provide basic privacy literacy training to system users (including managers, senior executives, and contractors) as part of initial training for new users.</definition>
- <type>policy</type>
- <references>
- <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" location="NIST" index="AT-2 a 1" />
- </references>
- </cci_item>
- </cci_items>
-</cci_list>`;
diff --git a/libs/hdf-converters/src/utils/global.ts b/libs/hdf-converters/src/utils/global.ts
index 0588002478..ee30d8a14e 100644
--- a/libs/hdf-converters/src/utils/global.ts
+++ b/libs/hdf-converters/src/utils/global.ts
@@ -5,23 +5,6 @@ import {
} from 'inspecjs';
import * as _ from 'lodash';
import {createLogger, format, transports} from 'winston';
-import {data as NistCciMappingData} from '../mappings/NistCciMappingData';
-
-// DEFAULT_NIST_TAG is applicable to all automated configuration tests.
-// SA-11 (DEVELOPER SECURITY TESTING AND EVALUATION) - RA-5 (VULNERABILITY SCANNING)
-export const DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS = ['SA-11', 'RA-5'];
-
-export const DEFAULT_STATIC_CODE_ANALYSIS_CCI_TAGS =
- DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS.map((tag) => NistCciMappingData[tag]);
-
-// REMEDIATION_NIST_TAG the set of default applicable NIST 800-53 controls for ensuring up-to-date packages.
-// SI-2 (FLAW REMEDIATION) - RA-5 (VULNERABILITY SCANNING)
-export const DEFAULT_UPDATE_REMEDIATION_NIST_TAGS = ['SI-2', 'RA-5'];
-
-// Applicable to dependency management
-export const DEFAULT_INFORMATION_SYSTEM_COMPONENT_MANAGEMENT_NIST_TAGS = [
- 'CM-8'
-];
// The "Types" field of ASFF only supports a maximum of 2 slashes, and will get replaced with this text. Note that the default AWS CLI doesn't support UTF-8 encoding
export const FROM_ASFF_TYPES_SLASH_REPLACEMENT = /{{{SLASH}}}/gi;
diff --git a/libs/hdf-converters/src/veracode-mapper.ts b/libs/hdf-converters/src/veracode-mapper.ts
index f1384b5b62..1baebaf3d4 100644
--- a/libs/hdf-converters/src/veracode-mapper.ts
+++ b/libs/hdf-converters/src/veracode-mapper.ts
@@ -8,7 +8,7 @@ import {
parseXml
} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {NIST2CCI} from './mappings/CciNistMapping';
const STATIC_FLAWS = 'staticflaws.flaw';
const SEVERITY = 'detailedreport.severity';
const FILE_PATH_VALUE = 'file_paths.file_path.@_.value';
@@ -364,8 +364,7 @@ function controlMappingCwe(
cweid: {transformer: formatCweData},
cweDescription: {transformer: formatCweDesc},
cci: {
- transformer: (data: Record<string, unknown>) =>
- getCCIsForNISTTags(nistTag(data))
+ transformer: (data: Record<string, unknown>) => NIST2CCI(nistTag(data))
},
nist: {transformer: nistTag}
},
diff --git a/libs/hdf-converters/src/xccdf-results-mapper.ts b/libs/hdf-converters/src/xccdf-results-mapper.ts
index fbf652fa20..6190ea582a 100644
--- a/libs/hdf-converters/src/xccdf-results-mapper.ts
+++ b/libs/hdf-converters/src/xccdf-results-mapper.ts
@@ -9,11 +9,9 @@ import {
parseHtml,
parseXml
} from './base-converter';
-import {CciNistMapping} from './mappings/CciNistMapping';
-import {
- conditionallyProvideAttribute,
- DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS
-} from './utils/global';
+import {conditionallyProvideAttribute} from './utils/global';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
+import {NIST2CCI} from './mappings/CciNistMapping';
const IMPACT_MAPPING: Map<string, number> = new Map([
['critical', 0.9],
@@ -22,8 +20,6 @@ const IMPACT_MAPPING: Map<string, number> = new Map([
['low', 0.3]
]);
-const CCI_NIST_MAPPING = new CciNistMapping();
-
function asArray<T>(arg: T | T[]): T[] {
if (Array.isArray(arg)) {
return arg;
@@ -151,21 +147,7 @@ function extractCci(input: IIdent | IIdent[]): string[] {
}
function nistTag(input: IIdent | IIdent[]): string[] {
- return _.uniq(
- CCI_NIST_MAPPING.nistFilter(
- extractCci(input),
- DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS,
- false
- ).concat(
- asArray(input)
- .filter((x) => !!x)
- .map((x) => x.text)
- .map(parse_nist)
- .filter((x) => !!x)
- .filter(is_control)
- .map((x) => x.canonize())
- )
- );
+ return NIST2CCI(extractCci(input), DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS);
}
/**
diff --git a/libs/hdf-converters/src/zap-mapper.ts b/libs/hdf-converters/src/zap-mapper.ts
index 9e93203429..f8ce358bca 100644
--- a/libs/hdf-converters/src/zap-mapper.ts
+++ b/libs/hdf-converters/src/zap-mapper.ts
@@ -8,8 +8,8 @@ import {
parseHtml
} from './base-converter';
import {CweNistMapping} from './mappings/CweNistMapping';
-import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global';
-import {getCCIsForNISTTags} from './mappings/CciNistMapping';
+import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './mappings/CciNistMappingData';
+import {NIST2CCI} from './mappings/CciNistMapping';
const CWE_NIST_MAPPING = new CweNistMapping();
@@ -133,7 +133,7 @@ export class ZapMapper extends BaseConverter {
tags: {
cci: {
path: 'cweid',
- transformer: (cwe: string) => getCCIsForNISTTags(nistTag(cwe))
+ transformer: (cwe: string) => NIST2CCI(nistTag(cwe))
},
nist: {path: 'cweid', transformer: nistTag},
cweid: {path: 'cweid'},
diff --git a/libs/inspecjs/src/nist.ts b/libs/inspecjs/src/nist.ts
index 38c95a2576..884091b879 100644
--- a/libs/inspecjs/src/nist.ts
+++ b/libs/inspecjs/src/nist.ts
@@ -36,7 +36,7 @@ function default_partial_config(
return {...DEFAULT_CANONIZATION_CONFIG, ...c};
}
-/** Represents a single nist control, or group of controls if the sub specs are vague enoug. */
+/** Represents a single nist control, or group of controls if the sub specs are vague enough. */
export class NistControl {
/** The sequence of sub-specifiers making up the "parts" of the nist tags
* E.g. in "SI-7 (14)(b)", we would have ["SI", "7", "14", "b"]
@@ -113,7 +113,7 @@ export class NistControl {
}
/**
- * Quick accessor to the leading family letters for the nsit control
+ * Quick accessor to the leading family letters for the nist control
*/
get family(): string | undefined {
if (this.subSpecifiers.length) {