diff --git a/Dockerfile.compliance-masonry b/Dockerfile.compliance-masonry
new file mode 100644
index 00000000..302bb49a
--- /dev/null
+++ b/Dockerfile.compliance-masonry
@@ -0,0 +1,10 @@
+FROM ubuntu:16.04
+
+RUN apt-get update
+RUN apt-get install curl git -y
+RUN curl -L https://github.com/opencontrol/compliance-masonry/releases/download/v1.1.2/compliance-masonry_1.1.2_linux_amd64.tar.gz -o compliance-masonry.tar.gz
+RUN tar -xf compliance-masonry.tar.gz
+RUN cp compliance-masonry_1.1.2_linux_amd64/compliance-masonry /usr/local/bin
+
+RUN mkdir -p /app
+WORKDIR /app
diff --git a/README.md b/README.md
index d7deb405..effca972 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,16 @@ local development instructions below if you don't have the app setup locally):
 Updating the ERD requires Graphiz. Installation instructions are [here](http://voormedia.github.io/rails-erd/install.html).
+### ATO Documentation
+
+As part of 18F's ATO process, you may need to update the Compliance Masonry documentation.
+
+With docker-compose, all you need to run is:
+
+```
+docker-compose run compliance-masonry compliance-masonry get
+```
+
 ## Local Development
 See the [local development docs](docs/local_development.md) for information on
diff --git a/compliance/component.yml b/compliance/component.yml
index f29b094b..0598e393 100644
--- a/compliance/component.yml
+++ b/compliance/component.yml
@@ -107,8 +107,8 @@ satisfies:
 - text: >
 In addition to the controls provided by cloud.gov, the application tracks components through versioned library dependencies
- (requirements.txt), as well as a listing of relevant cloud.gov services
- (mentioned in the README and deploy.md)
+ (Gemfile), as well as a listing of relevant cloud.gov services
+ (mentioned in the README and docs/deployment.md)
 - standard_key: NIST-800-53
 control_key: IA-2 # Identification and Authentication (Organizational
 # Users)
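Review bot: The release archive fetched on the `curl -L` line is extracted and installed without any integrity check, and `curl` lacks `-f`, so an HTTP error page from GitHub would be saved as `compliance-masonry.tar.gz` and the build would only fail later at `tar`. Pin the expected SHA-256 of `compliance-masonry_1.1.2_linux_amd64.tar.gz`, verify it before extracting, fetch with `-fsSL`, and do download, verify, install and cleanup in one `RUN` so neither the tarball nor the extracted directory stays in the image. `apt-get update` sits in its own layer, which Docker caches independently of the `install` line and later yields stale-index failures; combine the two, add `--no-install-recommends` (then `ca-certificates` must be listed explicitly for HTTPS to work) and remove `/var/lib/apt/lists/*` in the same layer. The image also has no `USER`, which matters because docker-compose bind-mounts the repository at `/app`, so files written by `compliance-masonry get` come back root-owned on the host; consider a non-root user here or a `user:` entry in the compose service, and note `RUN mkdir -p /app` is redundant with `WORKDIR /app`.
```dockerfile
FROM ubuntu:16.04

ARG MASONRY_VERSION=1.1.2
# Expected SHA-256 of the release archive. Placeholder: take the value from the
# published v1.1.2 release assets and keep it in sync with MASONRY_VERSION.
ARG MASONRY_SHA256=REPLACE_WITH_PUBLISHED_SHA256

# update + install in one layer so the package index is never stale; the index
# is trimmed in the same layer. ca-certificates must be explicit once
# recommends are disabled, otherwise the HTTPS download below fails.
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      git \
    && rm -rf /var/lib/apt/lists/*

# -f fails on HTTP errors instead of saving the error body as the archive; the
# checksum check rejects a tampered or truncated download before extraction.
RUN curl -fsSL "https://github.com/opencontrol/compliance-masonry/releases/download/v${MASONRY_VERSION}/compliance-masonry_${MASONRY_VERSION}_linux_amd64.tar.gz" \
      -o /tmp/compliance-masonry.tar.gz \
    && echo "${MASONRY_SHA256}  /tmp/compliance-masonry.tar.gz" | sha256sum -c - \
    && tar -xf /tmp/compliance-masonry.tar.gz -C /tmp \
    && cp "/tmp/compliance-masonry_${MASONRY_VERSION}_linux_amd64/compliance-masonry" /usr/local/bin/ \
    && rm -rf /tmp/compliance-masonry.tar.gz "/tmp/compliance-masonry_${MASONRY_VERSION}_linux_amd64"

# WORKDIR creates /app; the separate mkdir is not needed.
WORKDIR /app
```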
@@ -139,28 +139,26 @@ satisfies:
 control_key: PL-8 # Information Security Architecture
 narrative:
 - text: >
- In addition to cloud.gov controls, all data in the system comes from
- Contract Officers and must be approved by a data administrator to
- be visible to the general public.
+ In addition to cloud.gov controls, all data in the system is public.
 - standard_key: NIST-800-53
 control_key: RA-5 # Vulnerability Scanning
 narrative:
 - text: >
 In addition to cloud.gov controls, the application layer is scanned with
- both static and dynamic tooling. Before being merged into "master", all
- custom code is automatically analyzed by "flake8" (a linting tool to
- catch syntactic errors), "bandit" (a security-focused static analysis
- tool), and a handful of custom, security-centric unit
- tests. Code which does not meet these standards is generally not
+ both static and dynamic tooling. Before being merged into "develop" and
+ "master", all custom code is automatically analyzed by Brakeman
+ (static code analysis of Rails apps for known security vulnerabilities),
+ and a handful of custom, security-centric unit tests.
+ Code which does not meet these standards is generally not
 merged. We also employ Gemnasium to track our dependencies and Code Climate to warn of potentially concerning style.
 For static analysis, we've addressed all critical issues raised by
 evaluating the application with OWASP ZAP.
 references:
- - verification_key: flake8
- - verification_key: bandit
+ - verification_key: hakiri
 - verification_key: gemnasium
+ - verification_key: brakeman
 - verification_key: code-climate
 - verification_key: owasp-zap
 - standard_key: NIST-800-53
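Review bot: The references block at the end of the RA-5 hunk adds `verification_key: hakiri`, but the rewritten narrative names only Brakeman, Gemnasium, Code Climate and OWASP ZAP, so the Hakiri reference has nothing in the narrative explaining what it covers and a reader of the generated documentation cannot tell what the tool verifies. Either add a sentence to the narrative stating what Hakiri checks (presumably gem vulnerability monitoring — confirm against the actual setup) or drop the key; the new `hakiri` and `brakeman` keys also presumably need matching entries in the component's `verifications:` list, which this diff does not show, so check they resolve. The SA-22 (1) hunk that follows carries the same narrative and reference list and has the same gap; it is also worth noting that the text pasted there describes vulnerability scanning rather than support for unsupported components, which the rewrite does not address.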
@@ -169,18 +167,22 @@ satisfies:
 narrative:
 - text: >
 In addition to cloud.gov controls, the application layer is scanned with
- both static and dynamic tooling. Before being merged into "master", all
- custom code is automatically analyzed by "flake8" (a linting tool to
- catch syntactic errors), "bandit" (a security-focused static analysis
- tool), and a handful of custom, security-centric unit
- tests. Code which does not meet these standards is generally not
+ both static and dynamic tooling. Before being merged into "develop" and
+ "master", all custom code is automatically analyzed by Brakeman
+ (static code analysis of Rails apps for known security vulnerabilities),
+ and a handful of custom, security-centric unit tests.
+ Code which does not meet these standards is generally not
 merged. We also employ Gemnasium to track our dependencies and Code Climate to warn of potentially concerning style.
+
+ For static analysis, we've addressed all critical issues raised by
+ evaluating the application with OWASP ZAP.
 references:
- - verification_key: flake8
- - verification_key: bandit
+ - verification_key: hakiri
 - verification_key: gemnasium
+ - verification_key: brakeman
 - verification_key: code-climate
+ - verification_key: owasp-zap
 - standard_key: NIST-800-53
 control_key: SA-22 (1) # Unsupported System Components
 # Alternative Sources for Continued Support
diff --git a/docker-compose.yml b/docker-compose.yml
index 2e015bf7..ed8089bd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,3 +13,8 @@ web:
 - "3000:3000"
 links:
 - db
+compliance-masonry:
+ build: .
+ volumes:
+ - .:/app
+ dockerfile: Dockerfile.compliance-masonry
diff --git a/opencontrol.yaml b/opencontrol.yaml
new file mode 100644
index 00000000..ae14c74c
--- /dev/null
+++ b/opencontrol.yaml
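Review bot: The new `compliance-masonry` service bind-mounts the entire checkout at `/app` into a container that `Dockerfile.compliance-masonry` leaves running as root, so everything `compliance-masonry get` writes back into the repository (the `opencontrols/` tree) ends up root-owned on the host, and the whole working copy, including any untracked local files, is exposed to the tool rather than just the compliance inputs. Consider a `user:` entry carrying the host UID for this service (or a `USER` in the Dockerfile) and mounting only `opencontrol.yaml`, `compliance/` and `opencontrols/` instead of `.`. The top-level `web:` service with `links:` suggests this file is in the version 1 compose format, where `dockerfile:` beside `build:` is accepted; if the file is later migrated to `version: '2'`, that key moves under `build:` as `build: {context: ., dockerfile: Dockerfile.compliance-masonry}`.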
@@ -0,0 +1,24 @@
+schema_version: "1.0.0"
+name: Micropurchase
+metadata:
+ description: >
+ An platform for bidding and completing small IT projects for the government.
+ maintainers:
+ - alan.delevie@gsa.gov
+components:
+ - ./compliance
+certifications:
+ # paths
+standards:
+ # paths
+dependencies:
+ certifications:
+ # LATO
+ - url: https://github.com/18F/GSA-Certifications
+ revision: master
+ systems:
+ # Cloud.gov
+ - url: https://github.com/18F/cg-compliance
+ revision: master
+ standards:
+ # data
diff --git a/opencontrols/certifications/FedRAMP-low.yaml b/opencontrols/certifications/FedRAMP-low.yaml
new file mode 100644
index 00000000..99438c88
--- /dev/null
+++ b/opencontrols/certifications/FedRAMP-low.yaml
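Review bot: Both remote dependencies under `dependencies:` are pinned to `revision: master`, so `compliance-masonry get` pulls whatever `18F/GSA-Certifications` and `18F/cg-compliance` contain at run time; the generated ATO documentation is therefore not reproducible and silently inherits any upstream change, so each should point at a tag or commit, `revision: <pinned tag or commit>`. The top-level `certifications:` and `standards:` keys contain only `# paths` comments and so parse as null rather than an empty list, and the `opencontrols/certifications/*.yaml` and `opencontrols/components/*/component.yaml` files added elsewhere in this diff are not referenced here at all; if they are meant to be inputs they need listing, and if they are the fetched output of the remote dependencies it is worth saying so in a comment, since a committed copy will drift from upstream. The description should read `A platform for bidding …` rather than `An platform …`.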
@@ -0,0 +1,129 @@ +name: FedRAMP-low +standards: + + NIST-800-53: + AC-1: {} + AC-14: {} + AC-17: {} + AC-18: {} + AC-19: {} + AC-2: {} + AC-20: {} + AC-22: {} + AC-3: {} + AC-7: {} + AC-8: {} + AT-1: {} + AT-2: {} + AT-3: {} + AT-4: {} + AU-1: {} + AU-11: {} + AU-12: {} + AU-2: {} + AU-3: {} + AU-4: {} + AU-5: {} + AU-6: {} + AU-8: {} + AU-9: {} + CA-1: {} + CA-2: {} + CA-2 (1): {} + CA-3: {} + CA-5: {} + CA-6: {} + CA-7: {} + CA-9: {} + CM-1: {} + CM-10: {} + CM-11: {} + CM-2: {} + CM-4: {} + CM-6: {} + CM-7: {} + CM-8: {} + CP-1: {} + CP-10: {} + CP-2: {} + CP-3: {} + CP-4: {} + CP-9: {} + IA-1: {} + IA-2: {} + IA-2 (1): {} + IA-2 (12): {} + IA-4: {} + IA-5: {} + IA-5 (1): {} + IA-5 (11): {} + IA-6: {} + IA-7: {} + IA-8: {} + IA-8 (1): {} + IA-8 (2): {} + IA-8 (3): {} + IA-8 (4): {} + IR-1: {} + IR-2: {} + IR-4: {} + IR-5: {} + IR-6: {} + IR-7: {} + IR-8: {} + MA-1: {} + MA-2: {} + MA-4: {} + MA-5: {} + MP-1: {} + MP-2: {} + MP-6: {} + MP-7: {} + PE-1: {} + PE-12: {} + PE-13: {} + PE-14: {} + PE-15: {} + PE-16: {} + PE-2: {} + PE-3: {} + PE-6: {} + PE-8: {} + PL-1: {} + PL-2: {} + PL-4: {} + PS-1: {} + PS-2: {} + PS-3: {} + PS-4: {} + PS-5: {} + PS-6: {} + PS-7: {} + PS-8: {} + RA-1: {} + RA-2: {} + RA-3: {} + RA-5: {} + SA-1: {} + SA-2: {} + SA-3: {} + SA-4: {} + SA-4 (10): {} + SA-5: {} + SA-9: {} + SC-1: {} + SC-12: {} + SC-13: {} + SC-15: {} + SC-20: {} + SC-21: {} + SC-22: {} + SC-39: {} + SC-5: {} + SC-7: {} + SI-1: {} + SI-12: {} + SI-2: {} + SI-3: {} + SI-4: {} + SI-5: {} diff --git a/opencontrols/certifications/FedRAMP-moderate.yaml b/opencontrols/certifications/FedRAMP-moderate.yaml new file mode 100644 index 00000000..be4b463a --- /dev/null +++ b/opencontrols/certifications/FedRAMP-moderate.yaml 
@@ -0,0 +1,328 @@ +name: FedRAMP-med +standards: + NIST-800-53: + AC-1: {} + AC-10: {} + AC-11: {} + AC-11 (1): {} + AC-12: {} + AC-14: {} + AC-17: {} + AC-17 (1): {} + AC-17 (2): {} + AC-17 (3): {} + AC-17 (4): {} + AC-17 (9): {} + AC-18: {} + AC-18 (1): {} + AC-19: {} + AC-19 (5): {} + AC-2: {} + AC-2 (1): {} + AC-2 (10): {} + AC-2 (12): {} + AC-2 (2): {} + AC-2 (3): {} + AC-2 (4): {} + AC-2 (5): {} + AC-2 (7): {} + AC-2 (9): {} + AC-20: {} + AC-20 (1): {} + AC-20 (2): {} + AC-21: {} + AC-22: {} + AC-3: {} + AC-4: {} + AC-4 (21): {} + AC-5: {} + AC-6: {} + AC-6 (1): {} + AC-6 (10): {} + AC-6 (2): {} + AC-6 (5): {} + AC-6 (9): {} + AC-7: {} + AC-8: {} + AT-1: {} + AT-2: {} + AT-2 (2): {} + AT-3: {} + AT-4: {} + AU-1: {} + AU-11: {} + AU-12: {} + AU-2: {} + AU-2 (3): {} + AU-3: {} + AU-3 (1): {} + AU-4: {} + AU-5: {} + AU-6: {} + AU-6 (1): {} + AU-6 (3): {} + AU-7: {} + AU-7 (1): {} + AU-8: {} + AU-8 (1): {} + AU-9: {} + AU-9 (2): {} + AU-9 (4): {} + CA-1: {} + CA-2: {} + CA-2 (1): {} + CA-2 (2): {} + CA-2 (3): {} + CA-3: {} + CA-3 (3): {} + CA-3 (5): {} + CA-5: {} + CA-6: {} + CA-7: {} + CA-7 (1): {} + CA-8: {} + CA-8 (1): {} + CA-9: {} + CM-1: {} + CM-10: {} + CM-10 (1): {} + CM-11: {} + CM-2: {} + CM-2 (1): {} + CM-2 (3): {} + CM-2 (7): {} + CM-2(2): {} + CM-3: {} + CM-4: {} + CM-5: {} + CM-5 (1): {} + CM-5 (3): {} + CM-5 (5): {} + CM-6: {} + CM-6 (1): {} + CM-7: {} + CM-7 (1): {} + CM-7 (2): {} + CM-7 (5): {} + CM-8: {} + CM-8 (1): {} + CM-8 (3): {} + CM-8 (5): {} + CM-9: {} + CP-1: {} + CP-10: {} + CP-10 (2): {} + CP-2: {} + CP-2 (1): {} + CP-2 (2): {} + CP-2 (3): {} + CP-2 (8): {} + CP-3: {} + CP-4: {} + CP-4 (1): {} + CP-6: {} + CP-6 (1): {} + CP-6 (3): {} + CP-7: {} + CP-7 (1): {} + CP-7 (2): {} + CP-7 (3): {} + CP-8: {} + CP-8 (1): {} + CP-8 (2): {} + CP-9: {} + CP-9 (1): {} + CP-9 (3): {} + IA-1: {} + IA-2: {} + IA-2 (1): {} + IA-2 (11): {} + IA-2 (12): {} + IA-2 (2): {} + IA-2 (3): {} + IA-2 (5): {} + IA-2 (8): {} + IA-3: {} + IA-4: {} + IA-4 (4): {} + 
IA-5: {} + IA-5 (1): {} + IA-5 (11): {} + IA-5 (2): {} + IA-5 (3): {} + IA-5 (4): {} + IA-5 (6): {} + IA-5 (7): {} + IA-6: {} + IA-7: {} + IA-8: {} + IA-8 (1): {} + IA-8 (2): {} + IA-8 (3): {} + IA-8 (4): {} + IR-1: {} + IR-2: {} + IR-3: {} + IR-3 (2): {} + IR-4: {} + IR-4 (1): {} + IR-5: {} + IR-6: {} + IR-6 (1): {} + IR-7: {} + IR-7 (1): {} + IR-7 (2): {} + IR-8: {} + IR-9: {} + IR-9 (1): {} + IR-9 (2): {} + IR-9 (3): {} + IR-9 (4): {} + MA-1: {} + MA-2: {} + MA-3: {} + MA-3 (1): {} + MA-3 (2): {} + MA-3 (3): {} + MA-4: {} + MA-4 (2): {} + MA-5: {} + MA-5 (1): {} + MA-6: {} + MP-1: {} + MP-2: {} + MP-3: {} + MP-4: {} + MP-5: {} + MP-5 (4): {} + MP-6: {} + MP-6 (2): {} + MP-7: {} + MP-7 (1): {} + PE-1: {} + PE-10: {} + PE-11: {} + PE-12: {} + PE-13: {} + PE-13 (2): {} + PE-13 (3): {} + PE-14: {} + PE-14 (2): {} + PE-15: {} + PE-16: {} + PE-17: {} + PE-2: {} + PE-3: {} + PE-4: {} + PE-5: {} + PE-6: {} + PE-6 (1): {} + PE-8: {} + PE-9: {} + PL-1: {} + PL-2: {} + PL-2 (3): {} + PL-4: {} + PL-4 (1): {} + PL-8: {} + PS-1: {} + PS-2: {} + PS-3: {} + PS-3 (3): {} + PS-4: {} + PS-5: {} + PS-6: {} + PS-7: {} + PS-8: {} + RA-1: {} + RA-2: {} + RA-3: {} + RA-5: {} + RA-5 (1): {} + RA-5 (2): {} + RA-5 (3): {} + RA-5 (5): {} + RA-5 (6): {} + RA-5 (8): {} + SA-1: {} + SA-10: {} + SA-10 (1): {} + SA-11: {} + SA-11 (1): {} + SA-11 (2): {} + SA-11 (8): {} + SA-2: {} + SA-3: {} + SA-4: {} + SA-4 (1): {} + SA-4 (10): {} + SA-4 (2): {} + SA-4 (8): {} + SA-4 (9): {} + SA-5: {} + SA-8: {} + SA-9: {} + SA-9 (1): {} + SA-9 (2): {} + SA-9 (4): {} + SA-9 (5): {} + SC-1: {} + SC-10: {} + SC-12: {} + SC-12 (2): {} + SC-12 (3): {} + SC-13: {} + SC-15: {} + SC-17: {} + SC-18: {} + SC-19: {} + SC-2: {} + SC-20: {} + SC-21: {} + SC-22: {} + SC-23: {} + SC-28: {} + SC-28 (1): {} + SC-39: {} + SC-4: {} + SC-5: {} + SC-6: {} + SC-7: {} + SC-7 (12): {} + SC-7 (13): {} + SC-7 (18): {} + SC-7 (3): {} + SC-7 (4): {} + SC-7 (5): {} + SC-7 (7): {} + SC-7 (8): {} + SC-8: {} + SC-8 (1): {} + SI-1: {} + 
SI-10: {} + SI-11: {} + SI-12: {} + SI-16: {} + SI-2: {} + SI-2 (2): {} + SI-2 (3): {} + SI-3: {} + SI-3 (1): {} + SI-3 (2): {} + SI-3 (7): {} + SI-4: {} + SI-4 (1): {} + SI-4 (16): {} + SI-4 (2): {} + SI-4 (23): {} + SI-4 (4): {} + SI-4 (5): {} + SI-4(14): {} + SI-5: {} + SI-6: {} + SI-7: {} + SI-7 (1): {} + SI-7 (7): {} + SI-8: {} + SI-8 (1): {} + SI-8 (2): {} diff --git a/opencontrols/certifications/LATO.yaml b/opencontrols/certifications/LATO.yaml new file mode 100644 index 00000000..e48fc2d5 --- /dev/null +++ b/opencontrols/certifications/LATO.yaml @@ -0,0 +1,28 @@ +name: LATO +standards: + NIST-800-53: + AC-2: {} + AC-3: {} + AC-6: {} + AU-2: {} + AU-6: {} + CA-8: {} + CM-2: {} + CM-3: {} + CM-6: {} + CM-8: {} + IA-2: {} + IA-2 (1): {} + IA-2 (2): {} + IA-2 (12): {} + PL-8: {} + RA-5: {} + SA-11 (1): {} + SA-22 (1): {} + SC-7: {} + SC-12 (1): {} + SC-13: {} + SC-28 (1): {} + SI-2: {} + SI-4: {} + SI-10: {} diff --git a/opencontrols/components/AC_Policy/component.yaml b/opencontrols/components/AC_Policy/component.yaml new file mode 100644 index 00000000..97ea3c9c --- /dev/null +++ b/opencontrols/components/AC_Policy/component.yaml 
@@ -0,0 +1,497 @@ +--- +documentation_complete: false +name: Access Control Policies for 18F +satisfies: +- control_key: AC-1 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + The 18F Program Office develops, documents, and disseminates + to all 18F staff the 18F Access Control Policy which addresses purpose, scope, + roles, responsibilities, management commitment, coordination among organizational + entities, compliance, and procedures to facilitate the implementation of + the access control policy and associated access controls. The 18F Access Control + Policy is listed within 18F’s private Github repository and the docs.cloud.gov + site that is accessible to all 18F staff. + - key: b + text: | + The 18F Program Office + will review and update the current 18F Access Control Policy at least every + 3 years and any documented access procedures at least annually. + standard_key: NIST-800-53 +- control_key: AC-2 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + The 18F Program identifies and selects the following types of + information system accounts to support organizational missions/business functions: + - key: b + text: | + 18F has established designated DevOps personnel as the assigned + account managers for all information system accounts relating to the infrastructure + and the cloud.gov platform. + System Owners, whose web applications and/or websites + reside on the cloud.gov platform, have the responsibility to assign an account + manager for their information systems. + - key: c + text: | + 18F establishes conditions + for group and role membership within the cloud.gov platform and its virtual + environment. + Conditions for groups and roles membership are based on an established + need to manage and access the virtual infrastructure and cloud.gov environments. 
+ The user must meet the following conditions in order for the System Owner / Project + Manager to approve a group membership request: + * The user’s assigned role is required to access a particular group. + * The user has the requirements and understanding to assume permissions associated with the group. + * The user has completed the security role-based training. + * The user complies with any other group-specific conditions created by the system owner. + Once conditions have been met, the System Owner / Project Manager will request access within + GitHub, 18F’s tracking and ticketing system. Once approved, the 18F DevOps group + completes the request for group and role membership within its infrastructure + and cloud.gov platform. + - key: d + text: | + The 18F Program Office specifies authorized + users of the information system, group and role membership, and access authorizations + (i.e., privileges) and other attributes (as required) for each account. System + Owners / Project Managers provide the details of what type of access is needed + for an authorized authorized user. + All accounts will be documented within their + respective information systems, detailing their group and role membership, and + access authorizations. This documentation will be exported by DevOps and archived + for up to a year from the date of account creation by the managing 18F project + lead and cloud.gov Technical Point of Contact (Operating Environment) in accordance + with best business and security practices. + - key: e + text: | + 18F requires approvals by the project lead and system owners for requests to create information system + accounts. All accounts will be documented within the GitHub ticketing and tracking + system with their respective information systems, detailing their group, role + membership, and access authorizations. 
+ - key: f + text: | + User account establishment, + activation, modification, disablement or removal requires approval by the managing + \ project lead and cloud.gov Information System Technical Point of Contact. + Accounts will be created, enabled, modified, disabled, and removed from AWS in accordance + with 18F policies, guidelines and established by the project lead and DevOps. + - key: g + text: | + 18F monitors the use of all information system accounts within + its environment. + - key: h + text: | + 18F notifies its DevOps account managers when accounts are no longer required, users are terminated or transferred, and when + individual’s information system usage or need-to-know changes within the cloud.gov + platform and virtual private cloud infrastructure. + The Project Manager or Information + System Owner will be notified when accounts have been terminated, disabled or + transferred based on the access request submitted via GitHub. Notification + will be sent via email or the GitHub ticketing and tracking system when changes + to user and system access occur. + - key: i + text: | + 18F authorizes access to its + information systems based on a valid access authorization from System Owners + and DevOps, intended system usage within the network environment, and other + attributes as required by the organization or associated missions/business functions. + This is documented within section 3 of the 18F Access Control Policy: Access + Management. + User and system access is provided only to those with an established + need to access and manage the virtual private cloud and cloud.gov environments. + * User group membership is restricted to the least privilege necessary for the user to accomplish their assigned duties. + * All user accounts are issued only to those who have gained approval by 18F DevOps. + Once approved, the DevOps team creates the user account and adds it to the appropriate role and organization + within its information systems. 
+ 18F grants access to the information system + based on: + * A valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all personnel security criteria. + * Intended system usage. + 18F requires proper identification for requests to establish information + system accounts, and it approves all such requests based on organizational or mission/business + function attributes. + - key: j + text: | + 18F reviews user and system accounts for compliance with account management requirements at least on an annual basis. + \ Currently, system and user accounts are being monitored manually on a monthly + basis and programmatically on a continuous basis. + - key: k + text: | + 18F establishes a process for reissuing shared/group account credentials when individuals are + removed from the group. 18F uses its GitHub tracking and ticketing system + for requests to reissue and remove individuals from group memberships within + its environment. + standard_key: NIST-800-53 +- control_key: AC-2 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov integrates its user management application with enterprise single sign on systems. + cloud.gov automates user management by delegating user verification to a centralized system. + standard_key: NIST-800-53 +- control_key: AC-2 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: This control is not applicable. cloud.gov does not contain any guest/anonymous, + group, or temporary user accounts. DevOps only creates individual user accounts + and grants role based access to users within cloud.gov. 
+ standard_key: NIST-800-53 +- control_key: AC-2 (3) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F manages information system identifiers for users and devices by: Disabling + the user identifier after ninety (90) days of inactivity for general user accounts + and thirty (30) days for administrator level accounts. + standard_key: NIST-800-53 +- control_key: AC-2 (5) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + The 18F Access Control Policy Section 3 + Session Lock states - 18F information systems prevents further access to the system by initiating a session lock after a period of 20 minutes or less of inactivity or upon receiving a request from a user. 18F information systems retain the session lock until the user reestablishes access using established identification and authentication procedures. + standard_key: NIST-800-53 +- control_key: AC-2 (7) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + cloud.gov UAA allows the creation of limited privileged accounts. + Roles are created by the administrators on a need by need basis. + Cloud Foundry roles are granularly granted depending on the requirements + of each organization within the platform. + - key: c + text: 18F removes users from privileged access rights when privileged + role assignments are no longer appropriate or have been requested by the system + owner and program manager. Removal of access is sent to the DevOps team through + a change request within the GitHub ticketing system. + standard_key: NIST-800-53 +- control_key: AC-2 (9) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov does not permit shared accounts. Every user requires their own account. 
+ standard_key: NIST-800-53 +- control_key: AC-2 (10) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov does not permit shared accounts. Every user requires their own account. + standard_key: NIST-800-53 +- control_key: AC-3 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F information systems enforce approved authorizations for logical access to information and system resources in accordance with the 18F Access Control Policy Section 3 Access Enforcement which states: + * 18F must enforce approved authorizations for logical access to its information systems in accordance with all applicable federal and 18F policies. + * 18F must provide access enforcement through the use of access control lists, access control matrices, and cryptography to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. + * 18F must employ access enforcement mechanisms at the application level, when necessary, to provide increased information security for the organization. + standard_key: NIST-800-53 +- control_key: AC-4 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + The information system enforces approved authorizations for controlling the flow + of information within the system and between interconnected systems based on the + 18F Access Control Policy Section 3 - Information Flow Enforcement which states: + * 18F enforces approved authorizations for controlling the flow of information + within its information systems and between interconnected systems in accordance + with applicable federal laws and 18F policies and procedures. 
+ * 18F shall use flow control restrictions to include: keeping export controlled + information from being transmitted in the clear to the internet, blocking outside + traffic that claims to be from within the organization and not passing any web + requests to the internet that are not from the internal web proxy. + * 18F shall use boundary protection devices (e.g., proxies, gateways, guards, + encrypted tunnels, firewalls, and routers) that employ rule sets or establish + configuration settings that restrict information system services, provide a + packet-filtering capability based on header information, or message-filtering + capability based on content (e.g., using keyword searches or document characteristics. + standard_key: NIST-800-53 +- control_key: AC-5 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + 18F implements Identity and Access Management (IAM) + roles and individual user accounts for separation of duties at the AWS layer. + For Cloud Foundry access, cloud.gov uses UAA role based access controls (RBAC) to + maintain separation of duties. + - key: b + text: | + 18F documents separation of duties of AWS and Cloud Foundry users. All AWS IAM + users, groups and roles can be viewed within the AWS console. IAM users reports + are generated to show all separation of duties. Cloud Checkr also generates + a report of all IAM users within the 18F AWS environment. + - key: c + text: | + cloud.gov defines roles at each layer of the system. Authorization to each + of those roles is defined within the documentation of the setup and maintenance + of the layers. + standard_key: NIST-800-53 +- control_key: AC-6 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: |- + IAM policies are attached to the users, enabling centralized control of permissions + for users under 18F AWS Account to access services, buckets or objects. 
With IAM + policies, 18F only grants users within its own AWS account permission to access + its Amazon resources. + 18F AWS IAM policies are defined to grant only the required access for 18F staff + necessary to perform their functions. 18F defines least privilege access to each user, + group, or role. + Security functions within the AWS infrastructure are explicitly defined within IAM to + include read-only permissions for any user functions. + 18F incorporate running the IAM Policy Simulator to test policies for least privilege access + for users and groups. + standard_key: NIST-800-53 +- control_key: AC-6 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: Because cloud.gov is a PaaS all accessible functions are privileged functions. + Nevertheless, 18F team members use different accounts with increasing security + requirements for accessing Cloud Foundry as a user, Cloud Foundry as a administrator, + and AWS as an administrator. + standard_key: NIST-800-53 +- control_key: AC-6 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + Security functions within the cloud.gov platform are limited to roles that can be taken + only by using BOSH, Concourse or UAA CLI. Non-security functions are performed using a + non-privileged Cloud Foundry account. + standard_key: NIST-800-53 +- control_key: AC-6 (5) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: 18F restricts privileged accounts such as administrator and root access + accounts to designated members within the 18F Devops and SecOps teams. Within + the virtual infrastructure the admin account is not used for privileged access. + It’s only used for billing and metrics. 
+ standard_key: NIST-800-53 +- control_key: AC-6 (9) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + * Privileged access to the information system is using an audit trail through + the BOSH tasks command. This command shows all actions that an operator has + taken with the platform. Additionally, all logging activity is forwarded to + CloudWatch Logs. + * ELK (Logstash, Elasticsearch, Kibana) is used to collect, manage and display + all user activity within the cloud.gov platform. + standard_key: NIST-800-53 +- control_key: AC-6 (10) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + The cloud.gov platform has built-in role based access controls (RBAC). This + ensures that users can only view and affect the spaces for which they have been + granted access to. It also prevents non-privileged users from executing privileged + functions to include disabling, circumventing, or altering implemented security + safeguards/countermeasures. + Only designated Org Managers from the DevOps team can execute privileged functions + to the cloud.gov platform. All other accounts are non-privileged accounts. + Client agencies using cloud.gov are only permitted to change settings within their + associated Org account, spaces and roles. These accounts do not have access to the + underlying cloud.gov platform. + standard_key: NIST-800-53 +- control_key: AC-7 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: NA - User management is delegated to each organization's enterprise user management system. + - key: b + text: NA - User management is delegated to each organization's enterprise user management system. 
+ standard_key: NIST-800-53 +- control_key: AC-8 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: Implementation in progress + standard_key: NIST-800-53 +- control_key: AC-10 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: NA - User management is delegated to each organization's enterprise user management system. + standard_key: NIST-800-53 +- control_key: AC-11 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: NA - User management is delegated to each organization's enterprise user management system. + - key: b + text: NA - User management is delegated to each organization's enterprise user management system. + standard_key: NIST-800-53 +- control_key: AC-11 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + Every user interaction with the cloud.gov APIs requires a valid token. If a user session is locked + no cloud.gov actions are allowed. + standard_key: NIST-800-53 +- control_key: AC-12 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + Session termination is managed by UAA and set to expire within 15 minutes. + standard_key: NIST-800-53 +- control_key: AC-14 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: b + text: | + It is not possible for members of the 18F Devops and SecOps teams to access the 18F virtual + private cloud infrastructure without multifactor authentication and identification. All client + users of cloud.gov must login using authenticated credentials in order to access the system. + standard_key: NIST-800-53 +- control_key: AC-17 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + cloud.gov has a distributed administrator, operator, and management team. 
All remote actions are + allowed. + - key: b + text: | + AWS Security Groups are implemented to ensure that only users that have been granted access can + perform administrative actions. + standard_key: NIST-800-53 +- control_key: AC-17 (4) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: 18F authorizes the execution of privileged commands and access + to security-relevant information via remote access only for monitoring, managing, + and troubleshooting the 18F virtual infrastructure and cloud.gov platform. This + authorization is only given to specific members of the DevOps and SecOps teams. + All other members are excluded from this type of access. + standard_key: NIST-800-53 +- control_key: AC-18 (1) + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable for the Cloud Foundry Platform + standard_key: NIST-800-53 +- control_key: AC-18 + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable for the Cloud Foundry Platform + standard_key: NIST-800-53 +- control_key: AC-19 (5) + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable for the Cloud Foundry Platform + standard_key: NIST-800-53 +- control_key: AC-19 + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable for the Cloud Foundry Platform + standard_key: NIST-800-53 +- control_key: AC-20 + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable for the Cloud Foundry Platform + standard_key: NIST-800-53 +- control_key: AC-20 (2) + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable for the Cloud Foundry Platform + standard_key: NIST-800-53 +- control_key: AC-20 (1) + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable for the Cloud Foundry Platform + standard_key: NIST-800-53 +- control_key: AC-21 + covered_by: [] + implementation_status: none + 
narrative: + - text: Not applicable to the the cloud.gov platform. The cloud.gov platform is + for use of development of and deployment of web applications. This control would + be handled at the application level and is the responsibility of the application + system owner. + standard_key: NIST-800-53 +- control_key: AC-22 + covered_by: [] + implementation_status: none + narrative: + - text: Not applicable to the the cloud.gov platform. The cloud.gov platform is + for use of development of and deployment of web applications. This control would + be handled at the application level and is the responsibility of the application + system owner. + standard_key: NIST-800-53 +schema_version: "3.1.0" +verifications: +- key: POLICY_DOC + name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/AC-Policy.md + type: URL +- description: "GIVEN the github link - THEN the policy has been updated + within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 08:25:17.375257000 -05:00 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/AT_Policy/component.yaml b/opencontrols/components/AT_Policy/component.yaml new file mode 100644 index 00000000..f59fe992 --- /dev/null +++ b/opencontrols/components/AT_Policy/component.yaml 
@@ -0,0 +1,70 @@
+documentation_complete: false
+name: Security Awareness Training Policy for 18F
+satisfies:
+- control_key: AT-3
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: The 18F Program office reviews AT-2
+ standard_key: NIST-800-53
+- control_key: AT-1
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |
+ The 18F Program Office develops, documents, and disseminates to all 18F staff
+ The 18F Security Awareness policy which addresses purpose, scope, roles,
+ responsibilities, management commitment, coordination among organizational
+ entities, and compliance and procedures to facilitate the implementation of the
+ security awareness access and training policy and associated security awareness
+ controls. The 18F accecss control policy is listed within its private Github
+ repository that is accessible to all 18F staff.
+ - key: b
+ text: |
+ The 18F Program Office will review and update the current 18F Security Awareness
+ and training control policy at least every 3 years and any documented access
+ procedures at least annually.
+ standard_key: NIST-800-53
+- control_key: AT-2
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: The 18F Program office reviews AT-2
+ standard_key: NIST-800-53
+- control_key: AT-2 (2)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: The 18F Program office reviews AT-2
+ standard_key: NIST-800-53
+- control_key: AT-4
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |
+ Completed the development of the Awareness training policy specifically
+ for 18F program. ISSO support is looking into possible solutions for specific
+ security awareness training for 18F staff. currently reviewing the SEI training
+ programs for Secure DevOps and Online line Learning management system.
+ standard_key: NIST-800-53
+schema_version: 3.1.0
+system: 18F
+verifications:
+- key: POLICY_DOC
+ name: Policy Document
+ path: https://github.com/18F/compliance-docs/blob/master/AT-Policy.md
+ type: URL
+- description: "GIVEN the github link - THEN the policy has been updated\
+ \ within the last 180 days \n"
+ key: Policy_Update_Test
+ last_run: 2016-04-07 13:25:17.456091
+ name: 18F Policies Update
+ path: BDD/policies.feature
+ test_passed: false
+ type: TEST
diff --git a/opencontrols/components/AU_Policy/component.yaml b/opencontrols/components/AU_Policy/component.yaml
new file mode 100644
index 00000000..4f75a4d3
--- /dev/null
+++ b/opencontrols/components/AU_Policy/component.yaml
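Review bot: The AT-3 and AT-2 (2) entries reuse the AT-2 narrative verbatim (`- text: The 18F Program office reviews AT-2`), so role-based training and insider-threat awareness have no narrative of their own and will render as a pointer to a different control. Each should either describe what is actually done for that control or carry an explicit placeholder such as `- text: In progress`, as the sibling AU_Policy file does for unfinished controls. The AT-1 (a) narrative also says `The 18F accecss control policy is listed within its private Github repository`, which looks carried over from the AC policy and should name the security awareness and training policy instead.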
@@ -0,0 +1,257 @@ +documentation_complete: false +name: Audit and Accountability Policy for 18F +satisfies: +- control_key: AU-1 + covered_by: + - verification_key: POLICY_DOC + implementation_status: complete + narrative: + - key: a + text: | + The 18F Program Office develops, documents, and disseminates to all 18F staff, + The 18F Audit and Accountability Policy which addresses purpose, scope, roles, + responsibilities, management commitment, coordination among organizational entities, + compliance and procedures to facilitate the implementation of the audit and + accountability policy and associated audit controls. The 18F Audit and Accountability + policy is listed within 18F's private Github repository and the docs.cloud.gov site + that is accessible to all 18F staff. + - key: b + text: | + The 18F Program Office will review and update the current 18F Audit control policy + at least every 3 years and any documented audit procedures at least annually. + standard_key: NIST-800-53 +- control_key: AU-2 + covered_by: + - verification_key: POLICY_DOC + implementation_status: complete + narrative: + - key: b + text: | + Audit logs will be made available to organizations for mutual support in + response to security breaches, system and user access, incident reporting and + continuous monitoring. 18F will generate and distribute audit reports, provide + customized dashboard access for audited events, and send audit log data to SIEM + and log analysis systems from its audit logging and metrics tools for the + cloud.gov platform and virtual infrastructure as needed. + - key: c + text: | + 18F retains audit logs according to NARA retention standards to provide support + for after-the-fact investigations of security incidents and to meet regulatory + and organizational information retention requirements. 
The log management + framework will provide the capability to retain logs for 90 days online and + one-year offline, with sufficient capacity as to mitigate the risk of exceeding + storage space. + + Specific Policies, Procedures, Points of Contact, and Guidance will be established + between 18F and other agencies to support after-the-fact investigations, by the + 18F Project Lead. + standard_key: NIST-800-53 +- control_key: AU-2 (3) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + The Devops and SecOps teams review all events that can be audited on a real time + basis using its event and monitoring solution for cloud.gov and through captured + user and event API calls within its virtual infrastructure. + standard_key: NIST-800-53 +- control_key: AU-3 (1) + covered_by: [] + implementation_status: none + + narrative: + - text: | + The Cloud.Gov information system generates audit records containing the following additional information: + session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received + and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or + identify the object or resource being acted upon. + + Cloudtrail can generate a subset of audit records containing additional information within the AWS infrastructure. 
+ + EC2: + - Security Groups, Security Group Rules, Key Pairs, AMIs, Spot Instances, Reserved Instance, Instances, Volumes, + Snapshots, Placement Groups, Elastic Load Balancers (including attaching or detaching instances to them), + Network Interfaces, Elastic IPs + IAM: + - Account Aliases, Account Summaries, Access Keys, MFA Devices, Policies, Password Policies, Groups, Users + S3: + - Bucket Logging, Logging Target Bucket, Bucket Logging Prefix, Bucket Website Enabled, Bucket Website Index Document, + Bucket Website Error Document, Bucket Notifications Enabled, Public Buckets, Bucket Notifications, Bucket Lifecycle Rules, + Bucket Permissions + + Cloud.Gov can generate additional audit information such as + - remote_addr, remote_user, request_status, bytes_sent, http_referer, http_user_agent, gzip_ratio + standard_key: NIST-800-53 +- control_key: AU-4 + covered_by: [] + implementation_status: none + narrative: + - text: | + cloud.gov audit logs are stored within the elasticsearch component of + the ELK stack which is clusterd for redundancy and failover functions. This solutions + provide the capability to extend the audit storage capacity without the likelihood + of the capacity being exceeded. 18F plans to incorporate the use of the S3 cloud + service for greater storage capacity if needed. + standard_key: NIST-800-53 +- control_key: AU-5 + covered_by: [] + implementation_status: none + narrative: + - text: | + In progress + standard_key: NIST-800-53 +- control_key: AU-6 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + AWS Auditable Events: + DevOps and SecOps teams will conduct weekly manual and automated continuous + audits of authorized accounts and configurations. 
These audits will include + but are not limited to: + + Administrative Accounts + + * Virtual Private Cloud (VPC) + * Elastic Compute Cloud (EC2) + * Simple Storage Service (S3) + * Identity and Access Management (IAM) + * Elastic Block Store (EBS) + + Cloud Foundry Auditable Events: + By default, Loggregator streams logs to a terminal. 18F will drain logs to + a third-party log management service such as ELK and AWS CloudTrail Cloud + Foundry logs are captured in multiple tables and log files. These will be + reviewed weekly and if discovery of anomalous audit log content which appears + to indicate a breach are handled according to the GSA Security Incident + Handling Guide: CIO IT Security 01-02 Revision 7 (August 18, 2009) requirements. + - key: b + text: | + When a credible source to the GSA Agency provides information that causes + reason to enhance audit activities, develop and implement an enhanced auditing + use-case that will adequately enhance auditing practices in a fashion necessary + per the identified threat and following the Incident Reporting Procedures in + GSA IT Security Procedural Guide 01-02 (04/07/2015), Incident Response. The GSA + Agency may also, through analysis pertaining to the GSA Agency environment + provide additional audit measures that will require an increase in review, + analysis, and reporting for a necessary. + + Upon implementation, 18F will monitor information security news and alerts for + indications of a need to heighten information system security monitoring. + standard_key: NIST-800-53 +- control_key: AU-6 (1) + covered_by: + - verification_key: POLICY_DOC + narrative: + - text: | + Audit Monitoring, Analysis and Reporting + + * 18F establishes processes for regularly reviewing audit log information, and + reporting security issues if discovered. Reviews will occur at a minimum of + weekly. 
These processes should be integrated with processes for incident + response, in order to ensure standardization and cross-functional collaboration + * 18F employs automated mechanisms to integrate audit monitoring, analysis and + reporting into an overall process for investigation and response to suspicious + activities. + * 18F employs automated mechanisms to immediately alert security personnel of + inappropriate or unusual activities that have security implications. + standard_key: NIST-800-53 +- control_key: AU-6 (3) + covered_by: + - verification_key: POLICY_DOC + narrative: + - text: | + Audit Monitoring, Analysis and Reporting + * 18F establishes processes for regularly reviewing audit log information, and + reporting security issues if discovered. Reviews will occur at a minimum of + weekly. These processes should be integrated with processes for incident response, + in order to ensure standardization and cross-functional collaboration + * 18F employs automated mechanisms to integrate audit monitoring, analysis and + reporting into an overall process for investigation and response to suspicious + activities. + * 18F employs automated mechanisms to immediately alert security personnel of + inappropriate or unusual activities that have security implications. + standard_key: NIST-800-53 +- control_key: AU-7 + covered_by: [] + implementation_status: none + narrative: + - text: | + The ELK Stack logging and monitoring system provides additional audit + reduction and report generation capabilities for 18F DevOps and end users of the + cloud.gov platform. With the elasticsearch capability 18F DevOps and SecOps teams + can structure and customize audit logs queries to specific app instances, API + calls, system metrics, user access, system components, network traffic flow and + other functions. Kibana is used to generate customized dashboards and Logstash + to generate reports for analysis and review. 
+ standard_key: NIST-800-53 +- control_key: AU-7 (1) + covered_by: [] + implementation_status: none + narrative: + - text: In Progress + standard_key: NIST-800-53 +- control_key: AU-8 + covered_by: [] + implementation_status: none + narrative: + - text: In Progress + standard_key: NIST-800-53 +- control_key: AU-8 (1) + covered_by: [] + implementation_status: none + narrative: + - text: In Progress + standard_key: NIST-800-53 +- control_key: AU-9 + covered_by: [] + implementation_status: none + narrative: + - text: | + Audit logs are stored and protected in specified S3 buckets and elasticsearch + clusters for cloud.gov. Access to logs are limited to designated 18F DevOps and + Security staff and logs cannot be modified without proper authorization to the + platform. Client agencies are restricted to access and view only their specified + audit logs pertaining to the corresponding Org and space accounts. + standard_key: NIST-800-53 +- control_key: AU-9 (2) + covered_by: [] + implementation_status: none + narrative: + - text: In Progress + standard_key: NIST-800-53 +- control_key: AU-9 (4) + covered_by: [] + implementation_status: none + narrative: + - text: In Progress + standard_key: NIST-800-53 +- control_key: AU-11 + covered_by: [] + implementation_status: none + narrative: + - text: In Progress + standard_key: NIST-800-53 +- control_key: AU-12 + covered_by: [] + implementation_status: none + narrative: + - text: In Progress + standard_key: NIST-800-53 +schema_version: 3.1.0 +verifications: +- key: POLICY_DOC + name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/AU-Policy.md + type: URL +- description: "GIVEN the github link - THEN the policy has been updated\ + \ within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.473505 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST 
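Review bot: The AU-6 (1) and AU-6 (3) entries have no `implementation_status` field, while every other control in this file and in the sibling component files carries one; if the tool expects it per control (it appears to, given the 3.1.0 schema used elsewhere in the file), these two should get `implementation_status: none` (or the status that applies) directly under their `covered_by` lists. Those two entries also carry the same narrative text word for word, so at least one of them needs wording specific to its enhancement (automated integration for (1), correlation for (3)). Less critically, AU-2 has narratives for keys b and c only, so key a, the list of auditable events, is missing.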
diff --git a/opencontrols/components/ApplicationSecurityGroups/component.yaml b/opencontrols/components/ApplicationSecurityGroups/component.yaml
new file mode 100644
index 00000000..4adb94ec
--- /dev/null
+++ b/opencontrols/components/ApplicationSecurityGroups/component.yaml
@@ -0,0 +1,76 @@ +documentation_complete: false +name: Application Security Groups +references: +- name: ASG Documentation + path: https://docs.pivotal.io/pivotalcf/adminguide/app-sec-groups.html + type: URL +satisfies: +- control_key: AC-4 (21) + covered_by: [] + implementation_status: none + narrative: 'Cloud.Gov uses application security groups act as virtual firewalls + to control outbound traffic from the applications in deployment. Cloud.Gov evaluates + security groups and other network traffic rules in a strict priority order. Cloud + Foundry returns and allow, deny, or reject result for the first rule that matches + the outbound traffic request parameters, and does not evaluate any lower-priority + rules. Cloud Foundry evaluates the network traffic rules for an application in + the following order: + + Security Groups: The rules described by the Default Staging set, the Default Running + set, and all security groups bound to the space. + + ' + standard_key: NIST-800-53 +- control_key: SC-7 + covered_by: [] + implementation_status: none + narrative: "#### a \nCloud Foundry recommends that the use of Cloud Foundry ASGs\ + \ to specify egress access rules for your applications. This functionality enables\ + \ secure restricted application outbound traffic to predefined routes.\n \n" + standard_key: NIST-800-53 +- control_key: AC-4 + covered_by: [] + implementation_status: none + narrative: 'Cloud.Gov enforces security groups and other network traffic rules in + a strict priority order. Cloud.Gov returns an allow, deny, or reject result for + the first rule that matches the outbound traffic request parameters, and does + not evaluate any lower-priority rules + + Cloud.Gov implements network traffic rules using Linux iptables on the component + VMs. DevOps configures rules to prevent system access from external networks and + between internal components, and to restrict applications from establishing connections + over the DEA network interface. 
Cloud.Gov application security groups (ASG) consists + of a list of access rules to control application outbound traffic. + + DEA Network Properties allow DevOps to configure the allow_networks and deny_networks + parameters for DEAs to prohibit communication between system components and applications. + + ' + standard_key: NIST-800-53 +- control_key: AC-3 + covered_by: [] + implementation_status: none + narrative: '18F has created specific Cloud.Gov security groups associated with VPCs + to provide full control over inbound and outbound traffic. 18F has created a specific + set of VPCs (Live production and staging) for its Cloud.Gov implementation. All + VPCs have subnets used to separate and control IP address space within each individual + VPC. Subnets must be created in order to launch Availability Zone (AZ) specific + services within a VPC. 18F has setup VPC Peering between the Staging VPC and the + CF Live production VPC. + + ' + standard_key: NIST-800-53 +schema_version: 2.0 +verifications: +- description: "GIVEN I am using an admin account THEN I can view and print all the\ + \ ASGs \nGIVEN I am using an admin account WHEN I try to bind the application\ + \ security group with closed settings to the space THEN the security group is\ + \ bound \nGIVEN I am using an admin account WHEN I try to bind the application\ + \ security group with open settings to the space THEN the security group is bound\ + \ \n" + key: Security_Group_Tests + last_run: 2016-04-08 14:18:09.168398 + name: Application Security Groups + path: BDD/ASG.feature + test_passed: true + type: TEST diff --git a/opencontrols/components/BOSH/component.yaml b/opencontrols/components/BOSH/component.yaml new file mode 100644 index 00000000..68aab814 --- /dev/null +++ b/opencontrols/components/BOSH/component.yaml 
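Review bot: The file defines a `Security_Group_Tests` verification with `test_passed: true`, but no control lists it, so every `covered_by` is `[]` and all four controls stay at `implementation_status: none` even though the evidence for AC-4 (21) and AC-4 exists in the same file; add `- verification_key: Security_Group_Tests` under `covered_by` for the controls the ASG feature test actually exercises. The SC-7 narrative also describes a vendor recommendation (`Cloud Foundry recommends that the use of Cloud Foundry ASGs ...`) rather than what cloud.gov has configured, so an assessor cannot tell from it whether egress rules are in place; the AC-4 narrative already states the concrete iptables and ASG setup and is the better model. Its leading `#### a ` heading suggests a per-key narrative was intended, which the 2.0 string form used here cannot express.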
@@ -0,0 +1,75 @@ +documentation_complete: false +name: BOSH +references: +- name: Bosh source code + path: https://github.com/cloudfoundry/bosh + type: URL +- name: Bosh Documentation + path: https://bosh.io/docs + type: URL +satisfies: +- control_key: SA-11 (1) + covered_by: + - verification_key: STATIC_CODE_ANALYSIS + implementation_status: complete + narrative: 'Bosh uses CodeClimate as it''s primary static code analysis tool. The + results of the test are publicly avaiable. + + ' + standard_key: NIST-800-53 +- control_key: CM-2 + covered_by: [] + implementation_status: none + narrative: "18F utilizes the Cloud Foundry Secure Deployment best practices which\ + \ include the following:\nConfigure UAA clients and users using a standard BOSH\ + \ manifest for cloud Foundry Deployment. Limit and manage these clients and users\ + \ as you would any other kind of privileged account.\nDeploy within a VPC that\ + \ limits network traffic to individual VMs. This reduces the possibility of unauthorized\ + \ access to the VMs within your BOSH-managed cloud.\nEnable HTTPS for applications\ + \ and SSL database connections to protect sensitive data transmitted to and from\ + \ applications.\nEnsure that the jumpbox is secure, along with the load balancer\ + \ and NAT VM.\nEncrypt stored files and data within databases to meet data security\ + \ requirements. 
Deploy using industry standard encryption and the best practices\ + \ for your language or framework.\nProhibit promiscuous network interfaces on\ + \ the trusted network.\nReview and monitor data sharing and security practices\ + \ with third-party services that you use to provide additional functionality to\ + \ your application.\nStore SSH keys securely to prevent disclosure, and promptly\ + \ replace lost or compromised keys.\nUse Cloud Foundry\u2019s RBAC model to restrict\ + \ users\u2019 access to only what is necessary to complete their tasks.\nUse a\ + \ strong passphrase for both Cloud Foundry user account and SSH keys.\n\nStore\ + \ SSH keys securely to prevent disclosure, and promptly replace lost or compromised\ + \ keys.\nUse Cloud Foundry\u2019s RBAC model to restrict users\u2019 access to\ + \ only what is necessary to complete their tasks.\nUse a strong passphrase for\ + \ both Cloud Foundry user account and SSH keys.\n\nFor further information regarding\ + \ Cloud Foundry best practices please refer to:\nhttps://docs.cloudfoundry.org/devguide/deploy-apps/prepare-to-deploy.html\n\ + https://docs.cloudfoundry.org/concepts/security.html\n" + standard_key: NIST-800-53 +- control_key: SI-10 + covered_by: [] + implementation_status: complete + narrative: 'All 18F DevOps user input happens at the BOSH command line interface + (CLI) which requires specific syntax and parameters to be used in order to execute + job functions. Rules for checking the valid syntax of information system inputs + (e.g., character set, length, numerical range, acceptable values) are in place + to verify that inputs match specified definitions for format and content. Inputs + passed to interpreters are prescreened to prevent the content from being unintentionally + interpreted as commands. 
The extent to which the information system is able to + check the accuracy, completeness, validity, and authenticity of information is + guided by organizational policy and operational requirements. + + The data inputs as part of the Cloud Foundry are validated in several ways. The + validation is a series of steps put in place to ensure consistent data and to + protect the system from corruption, either malicious or accidental. The data validation + takes place in the same mechanism either through the web user interface (where + data validation errors are shown to the authenticated user to correct) or programmatically + through web service APIs. (where error messages are returned showing where data + is rejected). + + ' + standard_key: NIST-800-53 +schema_version: 2.0 +verifications: +- key: STATIC_CODE_ANALYSIS + name: Bosh source code static analysis + path: https://codeclimate.com/github/cloudfoundry/bosh + type: URL diff --git a/opencontrols/components/CA_Policy/component.yaml b/opencontrols/components/CA_Policy/component.yaml new file mode 100644 index 00000000..d3a1dbda --- /dev/null +++ b/opencontrols/components/CA_Policy/component.yaml 
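Review bot: SI-10 is marked `implementation_status: complete` with `covered_by: []`, so the "complete" claim has nothing backing it, unlike SA-11 (1), which supports its complete status with `STATIC_CODE_ANALYSIS`; either add a verification for the input-validation claim or leave the status at `none` until one exists. The CM-2 narrative repeats the three sentences from `Store SSH keys securely ...` through `... both Cloud Foundry user account and SSH keys.` twice in a row, and the second copy should be dropped. The SA-11 (1) text `it''s primary` should read `its primary`.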
@@ -0,0 +1,200 @@ +--- +schema_version: 3.1.0 +documentation_complete: false +name: Security Assessment and Authorization Policy for 18F +satisfies: +- control_key: CA-1 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + The 18F Program Office develops, documents, and disseminates to all 18F staff. The 18F Security Assessnet and authorization policy which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and procedures to facilitate the implementation of the security assessment and authroization policy and associated security assessnet controls. The 18F security assessnet and authorization policy is listed within its private Github repository that is accessible to all 18F staff. + - key: b + text: | + The 18F Program Office will review and update the current 18F Security Assessment policy at least every 3 years and any documented assessment procedures at least annually. + standard_key: NIST-800-53 +- control_key: CA-2 (3) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F will accept the results of the cloud.gov assessment performed by the designated 3PAO and reviewed by the FedRAMP PMO office when the assessment meets the condtions for a Provisional ATO. 
+ standard_key: NIST-800-53 +- control_key: CA-2 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + The 18F Program develops a security assessment plan that describes the scope of the assessment including: + + * Security controls and control enhancements under assessment + * Assessment procedures to be used to determine security control effectiveness + * Assessment environment, assessment team, and assessment roles and responsibilities + + cloud.gov is designed for compliance with the Federal Risk and Authroization Management Plan and has adopted the FedRAMP Assessment and Authorization program as the basis for its Security and Priavacy compliance activities. cloud.gov engages a FedRAMP Accredited Third Pary Assessment Organzation (3PAO) to develop a compliant security assessment plan. + - key: b + text: | + cloud.gov has engaged the 3PAO to assess the security controls in the information system at least annually to determine the extent to which the controls are implemented correctly, operation as intended, and producing the desired outcome with respoect to meeting the security requirements for the system. + - key: c + text: | + cloud.gov has engaged the 3PAO to produce a security assessment report that documents the issues, test activities, findings, and recommendations from the assessment. + - key: d + text: | + 18F will deliver all documents used in or created during the assessment to generate a complete FedRAMP Authorization package. 
The package is transmitted to the FedRAMP Program Management Office (PMO) for submission to the FedRAMP JAB + standard_key: NIST-800-53 +- control_key: CA-2 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: 18F will enegage the 3PAO to conduct annual vulnerability assessments and penetration testing or when there are significant changes to its information systems to meet the FedRAMP continuous monitoring program objectives. All assessment activities will be planned, approved and announced before testing takes place. + standard_key: NIST-800-53 +- control_key: CA-2 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: 18F has engaged an accredited 3PAO to conduct the independent assessment of security controls for the cloud.gov information system. + standard_key: NIST-800-53 +- control_key: CA-2 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: cloud.gov implements continuous monitoring and vulnerability scanning that is conducted at least weekly. Manual penetration testing and red teaming is scheduled to happen in a yearly basis but it is an in-progress process. + standard_key: NIST-800-53 +- control_key: CA-2 (3) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: 18F will accept the assesment conducted by the 3PAO according to the FedRAMP P-ATO requirements in the Secure Repository. + standard_key: NIST-800-53 +- control_key: CA-3 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: The cloud.gov informaton system does not have any connections to other external information systems or interconnection security agreements (ISA) with other external agencies at this time. 
+ standard_key: NIST-800-53 +- control_key: CA-3 (3) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: This control is not applicable to the cloud.gov information system and essentially would be inherited from the cloud infrastructure as a service level. cloud.gov does not connect to any other external information systems. + standard_key: NIST-800-53 +- control_key: CA-3 (5) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: This control is not applicable to the cloud.gov information system. cloud.gov currently does not have any connections to other external information systems. + standard_key: NIST-800-53 +- control_key: CA-5 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + 18F has developed a plan of action and milestones (POA&M) for the information system which documents the remediation actions to correct weaknesses found or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities. + + The majority of vulnerabilities are found during continuous monitoring activities including monthly vulnerability scanning, updates to cloud.gov systems components, static code analysis on applications and infrastucture and system monitoring tools. The 18F ISSOs are tasked with developing plans of actions and milestones for valid findings and vulnerabilities. The devops administrators are tasked to mitigate high findings within 30 days, moderate findings within 60 days and low findings within 120 days. + - key: b + text: The 18F ISSOs updates the cloud.gov plan of action and milestones at least monthly based on the findings from security controls assessments, security impacy analysis, and continuous monitoring activites. 
+ standard_key: NIST-800-53 +- control_key: CA-6 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: 18F has assigned an Authorizing Official (AO) for the cloud.gov information system. The designated AO is listed in Section 4 of the system security plan. + - key: b + text: The Authorizing Official responsibilities include ensuring the cloud.gov information system is assessed and authorized before going to an operational state. Authorization descisions are based on the contenct of them. + - key: c + text: 18F updates the security authorzation of cloud.gov on an annual basis or when there are significant changes within the information system. Significant changes include, + standard_key: NIST-800-53 +- control_key: CA-7 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: The organization-defined metrics are collected by a combination of AWS CloudWatch (in real time, CPU Utilization, Disk IO, Network In/Out), application logging policy (see AU-2) and a vulnerability scanner. + - key: b + text: AWS CloudWatch Metrics (CPU Utilization, Disk IO, Network In/Out) are collected in real time. Other metrics are collected in frequencies ranging between 5 minutes and 1 hour. Host vulnerability scans are run daily. + - key: c + text: Compliance with security controls that can be tested from the operating system level (eg. presence of configuration settings, etc) are monitored and automatically corrected as part of configuration management. Non-automated security processes are handled by the cloud.gov operations team. + - key: d + text: See CA-7(c) + - key: e + text: See CA-7(c) + - key: f + text: Response actions will use the mitigation strategy defined in RA-5(d). + - key: g + text: Reporting of the security status of the system will be provided by the cloud.gov team according to the Federal and FedRAMP requirements on a monthly basis. 
+ standard_key: NIST-800-53 +- control_key: CA-7 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: 18F will engage an accredited 3PAO to conduct the independent assessment of security controls for the cloud.gov information system on a yearly basis. + standard_key: NIST-800-53 +- control_key: CA-8 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: GSA ISE will perform Penetration testing of the all 18F systems that are in the purview of GSA. All other penetration testing for the cloud.gov platform will be conducted by an Independent Third party assessor (3PAO) as requested. + standard_key: NIST-800-53 +- control_key: CA-8 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: |- + External Penetration testing + + External penetration testing activities are conducted by GSA OCISO on an annual basis. These activites are designed to perform the necessary vulnerability analysis against cloud.gov based on all necessary security requirements. The GSA OCISO follows the GSA CIO IT Security Procedural Guide, CIO-IT Security-11-51, Conducting Penetration Test Exercises when performing these tests. + + 18F must request permission from AWS using the AWS Vulnerability / Penetration Testing Request Form to conduct penetration test activities against its own Virtual Private Cloud infrastructure and follow the AWS Acceptable Use Policy. + Amazon requires customers to obtain authorization for penetration testing (or vulnerability assessments) both from or to their AWS resources. + + AWS Acceptable Use Policy, http://aws.amazon.com/aup/ + AWS Penetration testing, http://aws.amazon.com/security/penetration-testing/ + + GSA ISE performs penetration testing services for the GSA information systems hosted on the cloud.gov platform. It is also bound by the AWS penetration testing policy and procedures when conducting its penetration tests. 
+ + Internal Penetration testing + + For internal penetration testing inside 18F's Virtual Private Cloud, 18F team members will conduct whitebox/greybox testing of the 18F environment using approved assessment tools. + + For compliance with NIST Publication 800-53 CA-8, Parameter 1 Penetration Testing of all 18F Infrastructure and Application Components will occur annually. Parameter 2 Penetration Testing of Publicly Accessible Infrastructure will be performed on the direction of the 18F . + standard_key: NIST-800-53 +- control_key: CA-9 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: In progress + standard_key: NIST-800-53 +verifications: +- key: POLICY_DOC + name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/CA-Policy.md + type: URL +- description: "GIVEN the github link - THEN the policy has been updated + within the last 180 days" + key: Policy_Update_Test + last_run: 2016-04-07 08:25:17.527067000 -05:00 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/CICloudGov/component.yaml b/opencontrols/components/CICloudGov/component.yaml new file mode 100644 index 00000000..89240c24 --- /dev/null +++ b/opencontrols/components/CICloudGov/component.yaml 
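Review bot: `control_key: CA-2 (3)` and `control_key: CA-2 (2)` each appear twice under `satisfies` with different narratives (CA-2 (3) for P-ATO acceptance and again for the Secure Repository; CA-2 (2) for 3PAO penetration testing and again for continuous monitoring), so the rendered document will either show duplicate sections or keep only one of them, depending on how the tool merges entries with the same key; each pair should be folded into a single entry. The CA-6 (c) narrative stops mid-sentence at `Significant changes include,` and needs the list it promises, and the last sentence of CA-8 trails off at `on the direction of the 18F .`. The `description` of `Policy_Update_Test` here lacks the `\n` terminator the other policy files use, which is harmless but makes the same test render differently per component.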
@@ -0,0 +1,24 @@
+documentation_complete: false
+name: CI cloud.gov Concourse Pipeline
+satisfies:
+- control_key: SI-2
+ covered_by:
+ - verification_key: CONCOURSE_PIPELINE
+ implementation_status: none
+ narrative:
+ - key: b
+ text: |
+ Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation.
+ - key: c
+ text: |
+ Installs security-relevant software and firmware updates within 30 days release of updates of the release of the updates.
+ - key: d
+ text: |
+ 18F incorporates flaw remediation into the its configuration management process. New versions of cloud.gov can easily recreated and deployed in the event of any system flaws.
+ standard_key: NIST-800-53
+schema_version: 3.1.0
+verifications:
+- key: CONCOURSE_PIPELINE
+ name: CI cloud.gov Concourse Pipeline
+ path: https://ci.cloud.gov/pipelines/deploy-cf
+ type: URL
diff --git a/opencontrols/components/CM_Policy/component.yaml b/opencontrols/components/CM_Policy/component.yaml
new file mode 100644
index 00000000..e638aee3
--- /dev/null
+++ b/opencontrols/components/CM_Policy/component.yaml
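Review bot: The SI-2 narrative only carries parts b, c and d; part a (identifying, reporting and correcting system flaws) appears to be absent, so the control is only partially addressed while nothing in the file signals that. Part c's text is garbled (`within 30 days release of updates of the release of the updates`) and should read `Installs security-relevant software and firmware updates within 30 days of the release of the updates.`, and part d has `into the its` and `can easily recreated` (`can easily be recreated`). Separately, `covered_by` points at a `type: URL` verification for the deploy pipeline with `implementation_status: none`; a bare pipeline link shows the pipeline exists but does not evidence the pre-install testing or the 30-day window the narrative claims, so a test-type verification or a reference to the specific job that pins stemcell and release versions would make the statement checkable.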
@@ -0,0 +1,306 @@ +documentation_complete: false +name: Configuration Management Policy for 18F +satisfies: +- control_key: CM-1 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + Agency Configuration Management Policy + + The GSA CM policy is defined in the GSA IT Security Policy (CIO P 2100.1), which addresses purpose, scope, roles, + responsibilities, and compliance for CM activities. + + The GSA Office of the CISO is responsible for publishing the above documents to System Program Managers and Information + System Security Officers and Managers (ISSO/Ms) on a centralized, agency-accessible website. + + CM procedures are documented in the GSA IT Security Procedural Guide: Managing Enterprise Risks (CIO IT Security-06-30). + + The 18F Program Office develops, documents, and disseminates to all 18F staff + + The 18F configuration management policy which addresses purpose, scope, roles, responsibilities, management commitment, + coordination among organizational entities, and compliance and procedures to facilitate the implementation of the + configuration management policy and associated configuration controls. The 18F security assessment and authorization + policy is listed within its private GitHub repository https://github.com/18F/compliance-docs/blob/master/CM-Policy.md + that is accessible to all 18F staff. + - key: b + text: | + The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying + System Program Managers and Information System Security Officers and Managers (ISSO/Ms). + + The 18F Program Office will review and update the current 18F configuration management policy at least every 3 years + and any documented configuration procedures at least annually. 
+ standard_key: NIST-800-53 +- control_key: CM-2 + covered_by: [] + implementation_status: none + narrative: + - text: | + For AWS Baseline Configurations: + + AWS Cloud Formation templates, CIS Level 1 benchmarks and any GSA/18F benchmarks such as hardening guidelines + and baselines are the approved baseline for all changes to the infrastructure and simplify provisioning and management + on AWS. They provide an automated method to assess the status of an operational infrastructure against an approved + baseline. + + Windows and Linux instances are based on the standard AWS AMI images in accordance with GSA configuration requirements. + + For cloud.gov Baseline Configurations: + + cloud.gov utilizes customized Ubuntu stemcells and deployment manifest yaml files for its baseline configurations. + The list of the configuration settings can be found at the following site https://docs.cloud.gov/ops/repos/ + + A stemcell is a versioned Operating System image wrapped with IaaS specific packaging. A typical stemcell contains + a bare minimum OS skeleton with a few common utilities pre-installed, a BOSH Agent, and a few configuration files + to securely configure the OS by default. With AWS, official stemcells are published as AMIs that can be used in the + 18F AWS account. Stemcells do not contain any specific information about any software that will be installed once + that stemcell becomes a specialized machine in the cluster; nor do they contain any sensitive information which + would make them unable to be shared with other BOSH users. The deployment manifest is a YAML file that defines + the components and properties of the deployment. + + Note: Additional OS/Device-specific industry standards and guidance may also be used whenever appropriate. It is + understood that when industry standards are adopted they may need to be adapted for the specific implementation + and if/where this has occurred it should be mentioned/referenced. 
18F ensures that the most current, relevant + OS/Device-specific industry standards and guidance is maintained where appropriate to support cloud.gov configurations. + These best practice updates are captured during the annual review of the CM Policy which also incorporates 18 procedures. + standard_key: NIST-800-53 +- control_key: CM-2 (1) + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + The 18F PMO must review baseline configuration changes at a minimum on an annual basis and on an as needed basis as + a result of any significant change that impacts risk to the system, security audits or industry guidance. + - key: b + text: | + The 18F PMO reviews and updates the baseline configuration of the information system when required by the FedRAMP JAB + board. Significant change may result from, but are not limited to, multiple required changes occurring simultaneously, + changes that impact/modify security settings, and/or major component additions and/or upgrades. Such changes will go + through the 18F CM Process, presented to the FedRAMP assigned ISSO and if applicable, be submitted to the JAB for + review, vetting acceptability and to ensure ongoing acceptance of security control implementation(s). + - key: c + text: | + 18F reviews all baseline configurations when there is a significant change to the cloud.gov system architecture or + when its components undergo installation or upgrades. + standard_key: NIST-800-53 +- control_key: CM-2 (2) + covered_by: [] + implementation_status: none + narrative: + - text: | + Configuration management at the AWS level is managed through CloudFormation automation templates, AWS Config and + VisualOps. 18F maintains baseline configurations for VPC, EBS, EC2 instances and AMIs. AWS Cloud Formation templates + help maintains a strict configuration management scheme of the cloud.gov. 
Because these templates are text files, 18F + can simply track differences in these templates to track changes to its infrastructure. + + For cloud.gov, an operator initiates a new deployment using the BOSH CLI, the BOSH Director receives a version of the + deployment manifest and creates a new deployment using this manifest. Automated Configuration of cloud.gov platform + components is handled by the Concourse.ci, a continuous integration and deployment tool which utilizes the cloud.gov + customized Ubuntu stemcells and deployment manifest yaml files for its baseline configurations. + standard_key: NIST-800-53 +- control_key: CM-2 (3) + covered_by: [] + implementation_status: none + narrative: + - text: | + If there is any manual change on any part of the infrastructure Bosh and Terraform will correct the settings and + revert back to the known state. + standard_key: NIST-800-53 +- control_key: CM-2 (7) + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + This control is Not Applicable (NA) for the cloud.gov information system. Per Federal policy 18F employees are not + allowed to take equipment outside of the United States without explicit permission. + - key: b + text: | + This control is Not Applicable (NA) for the cloud.gov information system. Per Federal policy 18F employees are not + allowed to take equipment outside of the United States without explicit permission. + standard_key: NIST-800-53 +- control_key: CM-3 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + All Configuration Change control: + 18F provisions its infrastructure with AWS CloudFormation, the AWS CloudFormation + template describes exactly what resources are provisioned and their settings. + Because these templates are text files, 18F can simply track differences in + these templates to track changes to its infrastructure, similar to the way + developers control revisions to source code. 
+ + 18F uses version control systems with its cloud formation templates to know + exactly what changes were made, who made them, and when. If at any point 18F + needs to reverse changes to infrastructure, you can use a previous version of + a template. + + 18F uses GitHub for additional tracking and documenting of authorized changes + within the infrastructure and applications including Cloud Foundry platform as + a service. Within GitHub, a diff function is used to compare and contrast any + changes made to configurations of Cloud Foundry. + - key: b + text: | + 18F reviews proposed configuration-controlled changes to all of its information + systems and infrastructure and approves or disapproves such changes with explicit + consideration for security impact analysis within the Virtual Private Cloud + environment. All reviews and approvals are conducted within 18Fs GitHub ticketing + and tracking system. + - key: c + text: | + 18F uses the following methods to document configuration change decisions + associated with its information systems. For changes related to the its + virtual infrastructure, 18F uses VisualOps and Cloud Checkr for real-time + configuration changes which are documented, approved and tracked within GitHub. + All Cloud Foundry configuration changes are documented, approved and tracked + within 18F's GitHub site. All configuration changes related to applications + and websites hosted within the 18F AWS and Cloud Foundry environment are + requested by the systems owner and approved by cloud.gov operators within the 18F GitHub + tracking systems. + - key: d + text: | + When configuration changes have been approved through 18F's GitHub + ticketing and tracking system, the cloud.gov operators team implements approved configuration-controlled + changes to the information system and then provides a status of the changes + completed and closes out the ticket. 
+ - key: e + text: | + Records of configuration-controlled + changes are retained for at least 1 year in accordance with the 18F Configuration + Management policy and utilizing the 18F GitHub site and S3 to store all changes + requested, approved, disapproved, implemented and pending. + - key: f + text: | + Audits for the virtual infrastructure and Cloud Foundry platform as a + service and applications are conducted by cloud.gov operators, ISSOs and Cloud Foundry + project manager of all configuration-controlled changes to the information + system. These audits take place no less than once a month and are documented + in the GitHub ticketing and tracking system, per the 18F Configuration + management policy Section 3 which states + + 18F will conduct a monthly audit of information system which identifies and + eliminates unnecessary functions, ports, protocols, and/or services. + - key: g + text: | + 18F coordinates + and provides oversight for configuration change control activities through its + GitHub tracking and ticketing systems and Slack communications channel which + is integrated with GitHub that convenes whenever there are significant and pending + changes to the 18F security, cloud infrastructure and applications. + standard_key: NIST-800-53 +- control_key: CM-6 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + 18F uses established and documents configuration settings + for its information technology products employed within the Cloud Foundry platform + that reflect the most restrictive mode consistent with operational requirements. + 18F follows industry best practices and guidance provided in NIST Special Publication + 800-70, Security Configuration Checklist Program for IT Products + + Infrastructure documented configuration settings: + cloud.gov operators maintain the + baseline configuration for VPC, EBS and AMIs. 
Best practices, FISMA compliant + AMIs, and hardened cloud formation templates are utilized as there are no benchmarks + available. 18F uses the following approved FISMA ready baselines located at + https://github.com/fisma-ready + + Cloud Foundry documented configuration settings: + 18F follows Cloud Foundry best practices for configuring and implementing the + platform as a service. Configuration settings are documented within the deployment + manifest on the GitHub and Cloud Foundry websites. The following are approved + baseline configuration settings related to the Cloud Foundry platform as a service. + All documented configuration settings related to Cloud Foundry are located + at https://docs.18f.gov/ops/repos/. + - key: b + text: | + 18F Implements the configuration + settings based on its documented process and practices. cloud.gov operators implement the + configuration benchmarks identified in Part a, maintains the baseline configuration + for all cloud infrastructure and Cloud Foundry components and is responsible + for ensuring all systems are configured in accordance with applicable hardening + guides. + - key: c + text: | + cloud.gov operators document any exceptions to established baseline + configurations for all of 18F's virtual infrastructure and information systems. + 18F maintains exception documents which detail specific items from the established + configuration settings which cannot be applied to instances due to operational + requirements. + - key: d + text: | + 18F Monitors and controls changes to the configuration + settings in accordance with its documented configuration management policy and + procedures. + + All Configuration Change Control: + cloud.gov operators and 18F system owners maintain the baseline configurations within + 18F Virtual Private Cloud. Configuration will be reviewed in real-time using + automated methods and at least quarterly to ensure no unauthorized changes + were made to the baseline configuration. 
+ + Internal vulnerability scans are performed at least on a quarterly basis in the + event that no enhancements or upgrades are performed. + standard_key: NIST-800-53 +- control_key: CM-8 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F posts its current inventory of information systems on its dashboard + located at https://18f.gsa.gov/dashboard/. Several sources are used to capture + complete inventories of the virtual infrastructure and its information systems + while providing the level of granularity deemed necessary for tracking and reporting. + The AWS Management Console, VisualOps, Cloud Checkr, Github, and Nexpose are used + to provide additional enumeration capabilities. + + Cloud Checkr is currently deployed to facilitate asset management, along with + other operations activities, on a real-time ongoing basis. Components deployed + in the virtual infrastructure are accurately inventoried and can be filtered to + a specific informaton system groups as well as a group of web services or those + components that are related to a spcecific informaton system. + + The VisualOps Cloud management tool is used to provide a visual, real-time and + automated representation of the virtual infrastructure and applications within + the 18F environment. It also provides a global view of the 18F AWS account where + all regions and services can be seen in one place. + + The 18F GitHub repository also is used to show a current lists of components + that make up the cloud.gov inventory. It is located at https://docs.cloud.gov/ops/repos/ + + Nexpose maintains an inventory of all assets scanned within the 18F virtual Private + Cloud. This includes all information system within the VPCs and components within + the cloud.gov platform as a service. 
+ + Bosh continuously maintains inventory of all instances and configuration + + cloud.gov operators review and update the information system component inventory + on a monthly basis and updates the inventory of information system whenever installations, + removals, and other changes are made. 18F will verify that all components within + the authorized boundary of the information system are either inventoried as part + of the system or recognized by another system as a component within that systems + inventory. + standard_key: NIST-800-53 +schema_version: 3.1.0 +verifications: +- key: POLICY_DOC + name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/CM-Policy.md + type: URL +- description: "GIVEN the github link - THEN the policy has been updated\ + \ within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.581078 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/CP_Policy/component.yaml b/opencontrols/components/CP_Policy/component.yaml new file mode 100644 index 00000000..fbf3818d --- /dev/null +++ b/opencontrols/components/CP_Policy/component.yaml 
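Review bot: The file commits verification evidence in a failing state — `Policy_Update_Test` has `test_passed: false` with a `last_run` of 2016-04-07 — while CM-3, CM-6 and CM-8 list `POLICY_DOC` in `covered_by`, so the controls that rely on the CM policy are backed by a freshness check that is red; either regenerate the verification output before committing or drop the hand-edited `last_run`/`test_passed` fields so stale results are not presented as current. CM-1 and every CM-2 entry have `covered_by: []` although their narratives cite the same policy document, which reads as an inconsistency rather than a deliberate choice. The two baseline-settings links disagree (`https://docs.cloud.gov/ops/repos/` in CM-2 versus `https://docs.18f.gov/ops/repos/` in CM-6 part a), and one of them should be corrected. Minor text: CM-1 part a says `The 18F security assessment and authorization policy is listed within its private GitHub repository` where the configuration management policy is meant, `incorporates 18 procedures` should be `incorporates 18F procedures`, and CM-8 has `informaton` and `spcecific`.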
@@ -0,0 +1,350 @@ +documentation_complete: false +name: Contingency Planning Policy for 18F +references: +- name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/CP-Policy.md + type: URL +satisfies: +- control_key: CP-1 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + Agency Contingency planning policy + + Contingency Planning policies and procedures is a common control provided by GSA Information Security Policy + and Compliance Division (ISP) of the OCISO. Contingency Planning Policy is included in CIO P 2100.1 - GSA IT + Security Policy, Chapter 4. Policy on Operational Controls. It states, "Contingency planning focuses on the + recovery and restoration of an IT system following a disruption. The contingency plan supports the agency Continuity of + Operations Plan (COOP) required by HSPD-20, “National Continuity Policy,” ensuring that Primary Mission-Essential + Functions continue to be performed during a wide range of emergencies. Contingency and continuity of support plans + must be developed and tested annually for all IT systems in accordance with OMB Circular No. A-130, NIST SP 800-34, + “Contingency Planning Guide for Information Technology Systems" + + GSA OCISO ISP also defined agency-wide contingency planning procedures in IT Security Procedural Guide: Contingency + Planning (CIO-IT Security-06-29) + + System Specific Expectation for Vendor/Contractor Operated System Systems: + + The 18F Program Office develops, documents, and disseminates to all 18F staff + The 18F configuration management policy which addresses purpose, scope, roles, responsibilities, management commitment, + coordination among organizational entities, and compliance and procedures to facilitate the implementation of the + Contingency Planning policy and associated controls. 
The 18F Contingency Planning policy is listed within its private + GitHub repository https://github.com/18F/compliance-docs/blob/master/CP-Policy.md that is accessible to all 18F staff. + - key: b + text: | + Agecy CP Policy + + The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying System + Program Managers and Information System Security Officers and Managers (ISSO/Ms). + + The 18F Program Office will review and update the current 18F Contingency Planning policy at least every 3 years and + any documented configuration procedures at least annually. + standard_key: NIST-800-53 +- control_key: CP-2 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the cloud.gov information system. 18F is currently in the process of + completing and finalizing the contingency plan for cloud.gov. + - key: b + text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the cloud.gov information system. 18F is currently in the process of + completing and finalizing the contingency plan for cloud.gov. + - key: c + text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the cloud.gov information system. 18F is currently in the process of + completing and finalizing the contingency plan for cloud.gov. + - key: d + text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the cloud.gov information system. 18F is currently in the process of + completing and finalizing the contingency plan for cloud.gov. + - key: e + text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the cloud.gov information system. 18F is currently in the process of + completing and finalizing the contingency plan for cloud.gov. 
+ - key: f + text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the cloud.gov information system. 18F is currently in the process of + completing and finalizing the contingency plan for cloud.gov. + - key: g + text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the cloud.gov information system. 18F is currently in the process of + completing and finalizing the contingency plan for cloud.gov. + standard_key: NIST-800-53 +- control_key: CP-2 (1) + covered_by: [] + implementation_status: planned + narrative: + - text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the Cloud.Gov information system. 18F is currently in the process of completing and finalizing the contingency plan for Cloud.Gov. + standard_key: NIST-800-53 +- control_key: CP-2 (2) + covered_by: [] + implementation_status: planned + narrative: + - text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the Cloud.Gov information system. 18F is currently in the process of completing and finalizing the contingency plan for Cloud.Gov. + standard_key: NIST-800-53 +- control_key: CP-2 (3) + covered_by: [] + implementation_status: planned + narrative: + - text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the Cloud.Gov information system. 18F is currently in the process of completing and finalizing the contingency plan for Cloud.Gov. + standard_key: NIST-800-53 +- control_key: CP-2 (8) + covered_by: [] + implementation_status: planned + narrative: + - text: | + Planned Implementation: + + 18F has developed a draft Contingency plan for the Cloud.Gov information system. 18F is currently in the process of completing and finalizing the contingency plan for Cloud.Gov. 
+ standard_key: NIST-800-53 +- control_key: CP-3 + covered_by: [] + implementation_status: planned + narrative: + - text: | + Planned Implementation: + + 18F will provide contingency training to information system users consistent with assigned roles and responsibilities: + within 10 days of assuming a contingency role or responsibility, when required by information system changes and will + provide contingency training on an annual basis thereafter. + standard_key: NIST-800-53 +- control_key: CP-4 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + Planned Implementation: + + 18F will test the contingency plan for the Cloud.Gov information system on an annual basis using FedRAMP + functional test procedures for a moderate baseline system to determine the effectiveness of the plan and the + organizational readiness to execute the plan + narrative: + - key: b + text: | + Planned Implementation: + + After exercises are completed, the disaster recovery team reviews the exercise results and initiate corrective actions + if necessary. If a disaster recovery test finding leads to a change to Cloud.Gov’s IT infrastructure, 18F will require + the change to be documented, tested and approved by going through 18F’s change control process. + narrative: + - key: c + text: | + Planned Implementation: + + After exercises are completed, the disaster recovery team reviews the exercise results and initiate corrective actions + if necessary. If a disaster recovery test finding leads to a change to Cloud.Gov’s IT infrastructure, 18F will require + the change to be documented, tested and approved by going through 18F’s change control process. 
+ standard_key: NIST-800-53 +- control_key: CP-4 (1) + covered_by: [] + implementation_status: planned + narrative: + - text: | + Planned Implementation: + + 18F will coordinate testing of contingency plans and related plans is coordinated with individuals that have incident + response capabilities, as the group of personnel tasked with contingency plan testing is also involved with incident response + and other related plans. + standard_key: NIST-800-53 +- control_key: CP-6 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + cloud.gov will leverage the AWS IaaS for its Alternate storage site capabilities. This implementation employs the use of + multiple Availability Zones within one AWS Region, which constitute a built-in alternate storage site capability for data + stored in Amazon S3 and Amazon RDS databases. S3 uses multiple availability zones by default, and RDS databases deployed + by this package are replicated across multiple availability zones. + - key: b + text: | + Through leveraging the AWS infrastructure as a service 18F ensures that the alternate storage site provides information + security safeguards equivalent to that of the primary site for Cloud.Gov. The multiple AWS availability zones employed + by Amazon S3 storage and Amazon RDS replication provide identical security safeguards. + standard_key: NIST-800-53 +- control_key: CP-6 (1) + covered_by: [] + implementation_status: planned + narrative: + - text: | + cloud.gov leverages the use of the AWS IaaS. The replication of S3 and RDS databases across Availability Zones within + one AWS Region constitutes a built-in multi-storage site capability to automatically mitigate typical network, power, + and hardware outages. Optional configuration of storage replication across multiple geographic AWS Regions address + organizational requirements related to major regional disasters. 
+ standard_key: NIST-800-53 +- control_key: CP-6 (3) + covered_by: [] + implementation_status: planned + narrative: + - text: | + 18F will identify it’s on premise locations from which there could be an accessibility issue, and devise contingency + operations for accessing its AWS resources from other locations. 18F will implement any failover to cloud.gov implementations + it has deployed in alternate AWS regions for public-facing systems, using services such as Amazon Route 53 DNS. + + All Availability zones and Regions are accessible via the same means: AWS console and remote API calls can be made from + other networks across the public Internet, provided the appropriate credentials are supplied. + standard_key: NIST-800-53 +- control_key: CP-7 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + The cloud.gov information system will be leveraging the established alternate processing sites within the AWS IaaS + including necessary agreements to permit the transfer and resumption of cloud.gov operations for essential + missions/business functions when the primary processing capabilities are unavailable. + - key: b + text: | + The cloud.gov information system is leveraging the AWS infrastructure as a service to implement the use of multiple AWS + Availability Zones within one AWS region which are dynamically in place and available to support resumption of operations. + - key: c + text: | + The use of multiple AWS availability zones employed by the AWS infrastructure as a service provides identical security + safeguards equivalent to that of the primary site. 
+ standard_key: NIST-800-53 +- control_key: CP-7 (1) + covered_by: [] + implementation_status: planned + narrative: + - text: | + 18F and the cloud.gov information system leverages the replication of EC2 and RDS instances across Availability Zones + in conjunction with Elastic Load Balancing constitutes a built-in multi-processing site capability to automatically + mitigate typical network, power, and hardware outages. To address 18F and FedRAMP requirements related to major + regional disasters, AWS supports the ability to place processing systems in multiple geographic regions. + standard_key: NIST-800-53 +- control_key: CP-7 (2) + covered_by: [] + implementation_status: planned + narrative: + - text: | + 18F and the cloud.gov information system will leverage AWS Availability zones and Regions. AWS console and remote + API calls can be made from other networks across the public Internet, provided the appropriate credentials are + supplied. + standard_key: NIST-800-53 +- control_key: CP-7 (3) + covered_by: [] + implementation_status: planned + narrative: + - text: | + Inherited: + 18F and the Cloud.Gov information system will leverage AWS Availability Zones and Regions to include priority of + service provisions identical to the others. + standard_key: NIST-800-53 +- control_key: CP-8 + covered_by: [] + implementation_status: planned + narrative: + - text: | + Inherited: + To permit the resumption of information system operations for essential missions and business functions without + impact to consumers/customers, 18F has provisioned and leveraged redundant, always-on, internet connections through + the AWS Infrastructure as a service. 18F has accepted the AWS service agreement to provide always-on internet + connections which assure continuous service. 
+ standard_key: NIST-800-53 +- control_key: CP-8 (1) + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + 18F has provisioned and leveraged redundant, primary and alternate telecommunications always-on, internet connections + through the AWS Infrastructure as a service. 18F has accepted the AWS service agreement to provide always-on internet + connections which assure continuous service. + - key: b + text: | + 18F does not require telecommunications services used for national security emergency preparedness. + standard_key: NIST-800-53 +- control_key: CP-9 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + Planned Implementation: + 18F will update the draft contingency plan for Cloud.Gov. + - key: b + text: | + Planned Implementation: + 18F will update the draft contingency plan for Cloud.Gov. + - key: c + text: | + Planned Implementation: + 18F will update the draft contingency plan for Cloud.Gov. + - key: d + text: | + Planned Implementation: + 18F will update the draft contingency plan for Cloud.Gov. + standard_key: NIST-800-53 +- control_key: CP-9 (1) + covered_by: [] + implementation_status: planned + narrative: + - text: | + Planned Implementation: + 18F will test backup tests backup information at least annually to verify media reliability and information integrity + standard_key: NIST-800-53 +- control_key: CP-9 (3) + covered_by: [] + implementation_status: planned + narrative: + - text: | + cloud.gov utilizes Amazon Web Services as the redundant storage, Processing and back up sites for all 18F systems + including its platform as a service Cloud. Amazon Web Services (AWS) handles durability, availability and monitoring + of some regional and global services (e.g. IAM, Cloud Front, Cloud Search, Dynamo DB, Amazon S3, and Route 53). 
+ standard_key: NIST-800-53 +- control_key: CP-10 + covered_by: [] + implementation_status: planned + narrative: + - text: | + Planned Implementation: + 18F will provide for the recovery and reconstitution of the information system to a known state after a disruption, + compromise, or failure. + standard_key: NIST-800-53 +- control_key: CP-10 (2) + covered_by: [] + implementation_status: none + narrative: + - text: | + This control is not applicable to the cloud.gov information system. cloud.gov is not transaction based. + standard_key: NIST-800-53 +schema_version: 3.1.0 +system: 18F +verifications: +- description: "GIVEN the github link - THEN the policy has been updated\ + \ within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.622244 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/CloudCheckr/component.yaml b/opencontrols/components/CloudCheckr/component.yaml new file mode 100644 index 00000000..5f221b5c --- /dev/null +++ b/opencontrols/components/CloudCheckr/component.yaml 
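Review bot: CP-4 declares `narrative:` three times inside one mapping (once each before parts a, b and c); YAML does not allow duplicate keys, so a strict parser will reject the file and a lenient one will keep only the last entry, silently dropping the annual contingency-plan test statement in part a. Fold them into a single list: one `narrative:` followed by the `- key: a`, `- key: b` and `- key: c` entries. CP-1 part a's system-specific paragraph is copied from the CM component (`The 18F configuration management policy which addresses ...`) and should name the Contingency Planning policy, and the heading `Agecy CP Policy` in part b should be `Agency CP Policy`. Several statuses disagree with their narratives: CP-6, CP-7 and CP-8 are `implementation_status: planned` while the text describes inherited AWS capabilities already in place, CP-10 (2) is `none` while the text says the control is not applicable, and the policy document appears under `references` but never under `verifications`, so every `covered_by: []` leaves the control with no evidence link. The `Policy_Update_Test` entry is again committed with `test_passed: false`.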
@@ -0,0 +1,127 @@ +documentation_complete: false +name: Cloud Checkr +references: +- name: Cloud Checkr Site + path: http://cloudcheckr.com/ + type: URL +satisfies: +- control_key: AC-2 + covered_by: [] + implementation_status: none + narrative: + - key: j + text: | + User accounts will be monitored monthly and accounts will be disabled after 90 days of inactivity; this will be a manual review process every 30 days. 18F is in the process of automating this account management process through the use of implementing AWS OSQuery to trigger alerts when user accounts are inactive of a 90-day period. + standard_key: NIST-800-53 +- control_key: AC-2 (3) + covered_by: [] + implementation_status: none + narrative: + - text: | + User accounts will be monitored monthly and accounts will be disabled + after 90 days of inactivity; this will be a manual review process every 30 days. + 18F generates a credential report that lists all IAM users and the status of their + credentials, including passwords, access keys, and MFA devices. + standard_key: NIST-800-53 +- control_key: AC-2 (4) + covered_by: [] + implementation_status: none + narrative: + - text: | + #TODO + 18F has implemented CloudWatch for its system account monitoring. It monitors resources in near real-time, including EC2 instances, EBS volumes, Elastic Load Balancers, and RDS DB instances. Metrics such as CPU utilization, latency, and request counts are provided automatically for these AWS resources. It allows 18F to supply logs or custom application and system metrics, such as memory usage, transaction volumes, or error rates. + + CloudTrail captures all IAM API calls from command-line tools, the AWS SDK, and the AWS Management Console. Monitoring data is retained for two weeks, even if AWS resources have been terminated. This enables 18F to quickly look back at the metrics preceding an event of interest. + + Metrics are accessed in either the EC2 tab or the CloudWatch tab of the AWS Management Console. 
SecOps personnel monitors the use of all infrastructure accounts through Cloud Checkr + standard_key: NIST-800-53 +- control_key: AC-2 (7) + covered_by: [] + implementation_status: none + narrative: + - key: b + text: | + 18F monitors all privileged role assignments to the VPS through the IAM console, CloudTrail audit logs and Cloud Watch alerts. 18F uses Cloud Checkr to provide centralized monitoring and alerting within its VPC. + standard_key: NIST-800-53 +- control_key: AC-2 (12) + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + 18F has implemented Cloud Checkr as a way to monitor information system accounts. CloudCheckr monitors the 18F AWS infrastructure and alerts the DevOps and SecOps when certain conditions are met. The CloudTrail Built-In Alerts allows 18F to monitor for a recommended predefined set of CloudTrail events. + These events include: + * Any security-related event + * CloudTrail disabled + * Credentials report generated + * EBS snapshot deleted + * EC2 instance terminated + * Failed login to AWS Management Console + * IAM access key created + * IAM access key deleted + * IAM password policy changed + * IAM policy assigned + * IAM policy modified + * Resource-based policy modified + * Role Assumed + * Root account access key created + * Root account used + * Security group assigned + * Security group modified + * Successful login to AWS Management Console + * Unauthorized access attempt + - key: b + text: | + Cloud Checkr reports atypical usage of information system accounts to designated 18F SecOps and Devops teams. Monitoring and intrusion information contained within Cloud Checkr and Cloudtrail logs are sent to 18F security personnel. The logs are protected from unauthorized access by limiting access to authorized privileged users only. 
+ standard_key: NIST-800-53 +- control_key: AC-6 (9) + covered_by: [] + implementation_status: none + narrative: + - text: | + All privileged user account activity and API calls to cloud.gov are + audited by CloudTrail and monitored by CloudWatch. CloudTrail provides a log of + all requests for AWS resources within the 18F AWS account. For each event recorded, + 18F can see what service was accessed, what action was performed, any parameters + for the action, and who made the request. Cloudtrail also shows whether it was + as the AWS root account user or an IAM user, or whether it was with temporary + security credentials for a role or federated user. + standard_key: NIST-800-53 +- control_key: AC-17 (1) + covered_by: [] + implementation_status: none + narrative: + - text: | + Cloud Checkr provides a unified view of all infrastructure monitoring which captures all remote activities within 18F virtual infrastructure. The log files are organized by AWS Account ID, region, service name, date, and time. CloudTrail can be configured to aggregate log files from multiple regions into a single Amazon S3 bucket. From there, 18F Devops and SecOps teams view the logs files within Cloud Checkr to perform security analysis and detect user behavior patterns. + standard_key: NIST-800-53 +- control_key: AU-2 + covered_by: [] + implementation_status: none + narrative: + - key: d + text: | + 18F has implemented Cloudtrail and Cloudwatch for its account and system monitoring. It provides visibility into user activity by recording API calls made on an AWS account. CloudTrail captures and records important information about each API call for the list of auditable events: + * User - the IAM user name of the person who was interacting with your AWS account. + * IP Address - the IP Address where the interactions originated from. + * Event Name - the type of interaction that occurred. + * Service - the AWS Service that was interacted with. 
+ * Time - the date and time that the event occurred. + * Region - the AWS Region(s) where the interactions occurred. + * Resource ID - the resource ID from the event. + standard_key: NIST-800-53 +- control_key: AU-3 + covered_by: [] + implementation_status: none + narrative: + - text: | + CloudTrail Log File Name Format CloudTrail uses the following file name format for the log file objects it uploads to your S3 bucket: AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat YYYY, MM, DD, HH, and mm are the digits of the year, month, day, hour, and minute (respectively) when the log file was delivered. Hours are in 24-hour format. The Z indicates that the time is in UTC. + standard_key: NIST-800-53 +- control_key: CM-3 + covered_by: [] + implementation_status: none + narrative: + - key: c + text: | + For changes related to the virtual infrastructure, 18F uses VisualOps and Cloud Checkr for real-time configuration changes which are documented, approved and tracked within GitHub. All Cloud Foundry configuration changes are documented, approved and tracked within 18F's GitHub site. + standard_key: NIST-800-53 +schema_version: 3.1.0 diff --git a/opencontrols/components/CloudController/component.yaml b/opencontrols/components/CloudController/component.yaml new file mode 100644 index 00000000..04d977ed --- /dev/null +++ b/opencontrols/components/CloudController/component.yaml 
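Review bot: The AC-2 (4) narrative in this CloudCheckr hunk still carries the placeholder line `#TODO` inside a literal block scalar (`text: |`), where `#` does not begin a comment, so the marker will be emitted verbatim into the generated compliance document; finish the paragraph or delete that line before merging. Every control in the file is `implementation_status: none` while the narratives assert that CloudWatch, CloudTrail and CloudCheckr alerting are already in place (`18F has implemented CloudWatch`, `18F uses Cloud Checkr to provide centralized monitoring`), so the status field and the prose contradict each other and should be reconciled to `complete` or `planned`, whichever is true. The AC-2 (4) text also states that `Monitoring data is retained for two weeks`, which is a retention claim an assessor will test against the AU family; if log retention is longer than CloudWatch's default, say where (S3, CloudCheckr) and for how long. The reference URL `http://cloudcheckr.com/` should be `https://`, since this list is what reviewers click.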
@@ -0,0 +1,168 @@ +documentation_complete: false +name: Cloud Controller +satisfies: +- control_key: SA-11 (1) + covered_by: + - verification_key: STATIC_CODE_ANALYSIS + implementation_status: complete + narrative: 'The Cloud Controller uses CodeClimate as it''s primary static code analysis + tool. The results of the test are publicly avaiable. + + ' + standard_key: NIST-800-53 +- control_key: AC-6 + covered_by: + - verification_key: CF_ROLES + - verification_key: CF_ROLES_CODE + - verification_key: CF_ROLES_CODE_SPECS + implementation_status: none + narrative: 'Cloud.Gov uses feature flags which allows an administrator to turn on + or off sub-sections, or features, of an application without deploying new code. + + 18F uses Orgs, Spaces, and Roles to implement least privileged access to the platform + as a service. Cloud.Gov uses role-based access control (RBAC), with each role + granting permissions in either an org or a space. + + ' + standard_key: NIST-800-53 +- control_key: AC-5 + covered_by: [] + implementation_status: none + narrative: "#### a \nThe Cloud Controller is used to create invidual user accounts\ + \ and roles within the PaaS for separation of duty functions. 
The following is\ + \ a list of roles a user can assume within the Cloud.Gov platform.\n* Org Manager\ + \ - Managers or other users who need to administer the account\n* Org Auditor\ + \ - Can view but not edit user information and org quota usage information\n*\ + \ Space Manager - managers or other users who need to administer a space\n* Space\ + \ Developer - application developers or other users who need to manage applications\ + \ and services in a space\n* Space Auditor\t- Can view but not edit the space\n\ + \ \n#### b \nThe Cloud Controller API has an enpoint for viewing extensive\ + \ information about user roles.\n \n" + standard_key: NIST-800-53 +- control_key: AC-6 (10) + covered_by: [] + implementation_status: none + narrative: 'The Cloud.Gov platform has built-in Role based access controls (RBAC). + This ensures that users can only view and affect the spaces for which they have + been granted access to. It also prevents non-privileged users from executing privileged + functions to include disabling, circumventing, or altering implemented security + safeguards/countermeasures. + + Only designated Org Managers from the DevOps team can execute privileged functions + to the Cloud.Gov platform. All other accounts are non-prilviledged accounts. + + Client agencies using Cloud.Gov are only permitted to change settings within their + associated Org account, spaces and roles. These accounts do not have access to + the underlying Cloud.Gov Platform. + + ' + standard_key: NIST-800-53 +- control_key: AC-14 + covered_by: [] + implementation_status: none + narrative: "#### a \nThere are no permitted actions without identification and\ + \ authentication to Cloud.Gov. The Cloud Controller rejects any broker registration\ + \ that does not contain a username and password. 
The Cloud Controller authenticates\ + \ every request with the Service Broker API using HTTP or HTTPS, depending on\ + \ which protocol you specify during broker registration.\n \n" + standard_key: NIST-800-53 +- control_key: SI-10 + covered_by: [] + implementation_status: complete + narrative: 'The UAA uses a Restful API with set endpoint and parameters. Users depending + on thier authorized access can only make request to specific endpoint that activate + specific functions that take a limited and defined set of parameters. + + ' + standard_key: NIST-800-53 +- control_key: AC-2 + covered_by: + - verification_key: CF_ROLES + - verification_key: CF_ROLES_CODE + - verification_key: CF_ROLES_CODE_SPECS + implementation_status: none + narrative: "#### a \nCloud Foundry user and role accounts are managed and maintained\ + \ through the Cloud Controller. Cloud Foundry uses role-based access control with\ + \ each role granting permissions in either an organization or an application space.\ + \ The Following types are used:\n* Org Manager\n* Org Auditor\n* Space Manager\n\ + * Space Developer\n* Space Auditor\n \n" + standard_key: NIST-800-53 +- control_key: AC-2 (9) + covered_by: [] + implementation_status: none + narrative: 'This control is not applicable. Group accounts are not allowed within + the 18F VPC and the Cloud.Gov PaaS + + ' + standard_key: NIST-800-53 +- control_key: AU-3 + covered_by: + - verification_key: EVENTS_ENDPOINT + implementation_status: none + narrative: 'Cloud Foundry stores detailed events which can be accessed through the + CF API. A list the events is avaiable in the API documentation. 
+ + ' + standard_key: NIST-800-53 +schema_version: 2.0 +verifications: +- key: CF_ROLES_CODE_SPECS + name: Cloud Controller Role Implmentation Specs + path: https://github.com/cloudfoundry/cloud_controller_ng/blob/master/spec/unit/lib/cloud_controller/membership_spec.rb + type: URL +- key: STATIC_CODE_ANALYSIS + name: Cloud Controller source code static analysis + path: https://codeclimate.com/github/cloudfoundry/cloud_controller_ng + type: URL +- key: EVENTS_ENDPOINT + name: CF Events Endpoint + path: https://apidocs.cloudfoundry.org/228/events/list_all_events.html + type: URL +- key: CF_ROLES_CODE + name: Cloud Controller Role Implmentation + path: https://docs.cloudfoundry.org/concepts/roles.html + type: URL +- key: CF_ROLES + name: Cloud Controller Role Documentation + path: https://ocs.cloudfoundry.org/concepts/roles.html + type: URL +- description: 'GIVEN I am using a space auditor account WHEN I view my audit logs + THEN I find "27" events ' + key: Audit_Log_Tests + last_run: 2016-04-08 14:18:40.782585 + name: Viewing Audits -- @1.6 Action-Results for auditing + path: BDD/CloudController.feature + test_passed: true + type: TEST +- description: 'GIVEN I am using an admin account WHEN I look at the audit logs THEN + audit logs have timestamp THEN audit logs have type of event THEN audit logs have + actor THEN audit logs have actee ' + key: Log_Content_Test + last_run: 2016-04-08 14:18:40.869894 + name: Logs have timestamp, types of event, actor, and actee + path: BDD/CloudController.feature + test_passed: true + type: TEST +- description: "GIVEN I am using account WHEN I try to create an org THEN\ + \ the org \nGIVEN I am using account WHEN I try to update an\ + \ org name THEN the org name \nGIVEN I am using account WHEN\ + \ I try to delete an org THEN the org \nGIVEN I am using account\ + \ WHEN I try to create a space THEN the space \nGIVEN I am using \ + \ account WHEN I try to update a space name THEN the space name \nGIVEN\ + \ I am using account WHEN I 
try to delete a space THEN the space \ + \ \nGIVEN I am using account WHEN I try to create an app THEN the app\ + \ \nGIVEN I am using account WHEN I try to delete an app THEN\ + \ the app \nGIVEN I am using account WHEN I try to create a\ + \ user THEN the user \nGIVEN I am using account WHEN I try\ + \ to give a user access to a \"\" THEN the user \nGIVEN I\ + \ am using account WHEN I try to delete a user THEN the user \ + \ \nGIVEN I am using account WHEN I view my audit logs THEN I find \"\ + \" events \nGIVEN I am using an admin account WHEN I look at the audit\ + \ logs THEN audit logs have timestamp THEN audit logs have type of event THEN\ + \ audit logs have actor THEN audit logs have actee \n" + key: User_Role_Tests + last_run: 2016-04-08 14:18:41.973438 + name: Cloud Controller Features + path: BDD/CloudController.feature + test_passed: true + type: TEST diff --git a/opencontrols/components/CloudFormation/component.yaml b/opencontrols/components/CloudFormation/component.yaml new file mode 100644 index 00000000..a6d8eb30 --- /dev/null +++ b/opencontrols/components/CloudFormation/component.yaml 
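Review bot: The AC-14 narrative says the Cloud Controller authenticates Service Broker requests `using HTTP or HTTPS, depending on which protocol you specify during broker registration`, which documents that broker credentials may travel over plaintext HTTP; a control narrative should state the protocol cloud.gov actually enforces (HTTPS) rather than the option the software offers, and the same sentence is repeated in the ELKStack AC-17 (1) narrative later in this commit. The `CF_ROLES` verification points at `https://ocs.cloudfoundry.org/concepts/roles.html`, which is missing the `d` present in the `CF_ROLES_CODE` entry's `docs.cloudfoundry.org`, so that evidence link is dead as written. The `User_Role_Tests` description reads `GIVEN I am using account WHEN I try to create an org THEN the org` with the role and expected result absent; this looks like scenario-outline placeholders (angle-bracket tokens) that were stripped, possibly only by the page rendering, so confirm the committed file carries them. Several narratives contain spelling errors that will surface in the published SSP: `it''s primary` → `its primary`, `avaiable`, `invidual`, `enpoint`, `thier`, `Implmentation`, `prilviledged`.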
@@ -0,0 +1,49 @@ +documentation_complete: false +name: Cloud Formation +references: +- name: What is AWS CloudFormation? + path: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html + type: URL +satisfies: +- control_key: CM-2 + covered_by: [] + implementation_status: none + narrative: 'DevOps maintain baseline configurations for VPC, EBS, EC2 instances + and AMIs. AWS Cloud Formation templates help 18F maintain a strict configuration + management scheme of the cloud infrastructure. If an error or misconfiguration + of the infrastructure or associated security mechanism (security groups, NACLs) + is detected, the administrators can analyze the current infrastructure templates; + compare with previous versions, and redeploy the configurations to a known and + approved state. + + AWS Cloud Formation templates are the approved baseline for all changes to the + infrastructure and simplify provisioning and management on AWS. They provide an + automated method to assess the status of an operational infrastructure against + an approved baseline. + + Linux instances are based on the standard AWS AMI images with configuration to + GSA requirements based on secure configurations documented in CM-6. + + DevOps maintain copies of the latest Production Software Baseline, which includes + the following elements: Manufacturer, Type, Version number, Software, Databases, + and Stats. + + ' + standard_key: NIST-800-53 +- control_key: CM-3 + covered_by: [] + implementation_status: none + narrative: '- 18F provisions its infrastructure with AWS CloudFormation, the AWS + CloudFormation template describes exactly what resources are provisioned and their + settings. Because these templates are text files, 18F can simply track differences + in these templates to track changes to its infrastructure, similar to the way + developers control revisions to source code. + + - 18F uses several version control systems(i.e. 
AWS Config, AWS Service Catalog) + with its templates to know exactly what changes were made, who made them, and + when. If at any point 18F needs to reverse changes to infrastructure, you can + use a previous version of a template. + + ' + standard_key: NIST-800-53 +schema_version: 2.0 diff --git a/opencontrols/components/DEA/component.yaml b/opencontrols/components/DEA/component.yaml new file mode 100644 index 00000000..87ef2803 --- /dev/null +++ b/opencontrols/components/DEA/component.yaml @@ -0,0 +1,25 @@ +documentation_complete: false +name: DEA +satisfies: +- control_key: AC-4 (21) + covered_by: [] + implementation_status: none + narrative: 'The DEA manages the Warder Containers and controls both outbound and + inbound network rules + + ' + standard_key: NIST-800-53 +- control_key: SC-7 + covered_by: [] + implementation_status: none + narrative: "#### a \nCloud Foundry Boundary Protection\nCloud Foundry implements\ + \ network traffic rules using Linux iptables on the component VMs. Operators can\ + \ configure rules to prevent system access from external networks and between\ + \ internal components, and to restrict applications from establishing connections\ + \ over the DEA network interface.\nSpoofing- If an IP, MAC, or ARP spoofing attack\ + \ bypasses the physical firewall for the deployment, Cloud Foundry network traffic\ + \ rules help prevent the attack from accessing application containers. Cloud Foundry\ + \ uses application isolation, operating system restrictions, and encrypted connections\ + \ to further mitigate risk.\n \n" + standard_key: NIST-800-53 +schema_version: 2.0 diff --git a/opencontrols/components/EC2/component.yaml b/opencontrols/components/EC2/component.yaml new file mode 100644 index 00000000..57929bdd --- /dev/null +++ b/opencontrols/components/EC2/component.yaml 
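Review bot: The CM-3 narrative describes AWS Config and AWS Service Catalog as `version control systems(i.e. AWS Config, AWS Service Catalog)`; neither is a version control system (Config records resource configuration history, Service Catalog distributes approved templates), and `i.e.` should be `e.g.`, so an assessor will ask where template history actually lives — name the repository (the CloudCheckr CM-3 narrative in this same commit says GitHub) and describe Config as the drift-detection layer. The CM-2 narrative states that CloudFormation templates `are the approved baseline for all changes to the infrastructure` while the control is marked `implementation_status: none`; one of the two is wrong. The same narrative slips into second person (`you can use a previous version of a template`), which should read `18F can use a previous version of a template` to match the rest of the file.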
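Review bot: The AC-4 (21) narrative in the DEA hunk says `The DEA manages the Warder Containers`; the component is called Warden elsewhere in this commit (the ELKStack AC-2 narrative lists `DEA, Warden`), so this should read `Warden containers`. That narrative also claims the DEA `controls both outbound and inbound network rules` without saying what the rules are, whereas the SC-7 entry directly below describes the iptables-based restrictions; a cross-reference such as `See SC-7 for the iptables rules applied to each container.` would give an assessor something to verify. In the SC-7 text, `Spoofing-` should be `Spoofing - ` so it reads as a labelled paragraph like the ones around it.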
@@ -0,0 +1,33 @@ +documentation_complete: false +name: EC2 +references: +- name: EC2 Documentation + path: https://aws.amazon.com/ec2/ + type: URL +satisfies: +- control_key: SC-7 + covered_by: [] + implementation_status: none + narrative: "#### a \nThe AWS network provides significant protection against traditional\ + \ network security issues, and 18F can implement further protection. The following\ + \ are a few examples:\nDistributed Denial Of Service (DDoS) Attacks. AWS API endpoints\ + \ are hosted on large, Internet-scale, infrastructure. Proprietary DDoS mitigation\ + \ techniques are used. Additionally, AWS\u2019s networks are multi-homed across\ + \ a number of providers to achieve Internet access diversity.\nMan in the Middle\ + \ (MITM) Attacks. All of the AWS APIs are available via SSL-protected endpoints\ + \ which provide server authentication. Amazon EC2 AMIs automatically generate\ + \ new SSH host certificates on first boot and log them to the instance\u2019s\ + \ console. 18F can then use the secure APIs to call the console and access the\ + \ host certificates before logging into the instance for the first time. 18F uses\ + \ SSL for all interactions with AWS.\nIP Spoofing. Amazon EC2 instances cannot\ + \ send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure\ + \ will not permit an instance to send traffic with a source IP or MAC address\ + \ other than its own.\n\nAmazon EC2 provides a complete firewall solution; this\ + \ mandatory inbound firewall is configured in a default deny-all mode and Amazon\ + \ EC2 customers must explicitly open the ports needed to allow inbound traffic.\ + \ The traffic may be restricted by protocol, by service port, as well as by source\ + \ IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).\n\ + The firewall is configured in groups permitting different groups of instances\ + \ to have different rules.\n \n" + standard_key: NIST-800-53 +schema_version: 2.0 
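Review bot: The SC-7 narrative describes what AWS offers (`18F can implement further protection`, `customers must explicitly open the ports needed`) but never states which ports or security groups cloud.gov actually opens, so the text is a capability description rather than an implementation statement; add a sentence naming the permitted ingress rules and where they are defined (the CloudFormation component in this commit says templates are the baseline, so that is the natural pointer). `new SSH host certificates` should be `new SSH host keys`, and `SSL` should be `TLS`; the host-key fingerprint printed to the instance console is what an operator compares before first login, and naming the wrong artifact will confuse whoever implements that check. `implementation_status: none` for a control whose narrative describes a default-deny firewall already in use is inconsistent with the text; mark it `complete` if the configuration is in place.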
diff --git a/opencontrols/components/ELKStack/component.yaml b/opencontrols/components/ELKStack/component.yaml
new file mode 100644
index 00000000..696c8d67
--- /dev/null
+++ b/opencontrols/components/ELKStack/component.yaml
@@ -0,0 +1,77 @@ +documentation_complete: false +name: ELKStack +references: +- name: Reference Name + path: https://www.elastic.co/webinars/introduction-elk-stack + type: URL +satisfies: +- control_key: AC-2 + covered_by: [] + implementation_status: none + narrative: + - key: g + text: | + The UAA API interface is used to monitor privileged/non privileged user accounts within the cloud.gov It lists Cloud Foundry instance users. By default it returns information about each user account including GUID, name, permission groups, activity status, and metadata. + + 18F uses the ELK stack to provide a visual way to monitor all user and system accounts within cloud.gov by interfacing with cloud.gov API calls to its internal system components (i.e. Loggregator, Cloud Controller, DEA, Warden, Metrics Collector) + standard_key: NIST-800-53 +- control_key: AC-2 (4) + covered_by: [] + implementation_status: none + narrative: + - text: | + cloud.gov provides an audit trail through the bosh tasks command which shows all actions that an operator has taken with the platform. It also records an audit trail of all relevant API invocations of an app. The CLI command cf events returns this information. + + ELK ( Logstash, Elasticsearch, Kibana) a front end component for loggregator is used to automatically audit all actions within the cloud.gov platform. By binding an instance of the service to, cloud.gov applications logs will be drained to a Logstash syslog receiver and stored in Elasticsearch to perform real-time data analytics with Kibana as the interface for search and visualization. + standard_key: NIST-800-53 +- control_key: AC-2 (7) + covered_by: [] + implementation_status: none + narrative: + - key: b + text: | + 18F monitors all privileged access API calls through the Cloud Foundry command line interface and BOSH command line interface within cloud.gov. These API calls are monitored through ELK. 
+ standard_key: NIST-800-53 +- control_key: AC-2 (12) + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + Information system account activities are monitored via ELK + - key: b + text: | + ELK reports atypical usage of information system accounts to designated Infrastructure and cloud.gov operators teams. + standard_key: NIST-800-53 +- control_key: AC-6 (9) + covered_by: [] + implementation_status: none + narrative: + - text: | + The ELK (elasticsearch, Logstash, Kibana) is used to collect, manage and display all auditing of privileged functions within the cloud.gov platform. + standard_key: NIST-800-53 +- control_key: AC-17 (1) + covered_by: [] + implementation_status: none + narrative: + - text: | + The Cloud Controller authenticates every request with the Service Broker API using HTTP or HTTPS. The cloud.gov operators only uses the BOSH Command Line Interface (CLI) to log into the cloud.gov jumpbox using SSH as a remote connection. These remote connections are monitored by the cloud.gov Cloud Controller which send this data to the ELK logging and monitoring visualization tool stack. + standard_key: NIST-800-53 +- control_key: AU-2 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + cloud.gov provides an audit trail through the bosh tasks command. This command shows all actions that an operator has taken with the platform. Additionally, operators can redirect Cloud Foundry component logs to a Logstash syslog server using the `syslog_daemon_config` property in the `metron_agent` job of cf-release. + + For end users, cloud.gov records an audit trail of all relevant API invocations of and app. The CLI command cf events returns this information. 
+ standard_key: NIST-800-53 +- control_key: AU-3 + covered_by: [] + implementation_status: none + narrative: + - text: | + The cloud.gov platform as a service generates audit logs from its Loggregator component and is passed through the ELK stack to produce audit records which contain sufficient information to establish at a minimum: what type of event occurred, when (date and time the event occurrence) the source of the event the outcome (success or failure) of the event the identity of any user/subject associated with the event + standard_key: NIST-800-53 +schema_version: 3.1.0 diff --git a/opencontrols/components/IAM/component.yaml b/opencontrols/components/IAM/component.yaml new file mode 100644 index 00000000..6665ee7a --- /dev/null +++ b/opencontrols/components/IAM/component.yaml 
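Review bot: The `references` entry in this ELKStack hunk still carries the template placeholder `name: Reference Name`; give it the real title of the linked webinar page, since this renders into the published documentation. The AU-2 narrative reads `API invocations of and app` (should be `of an app`), and the AU-3 sentence `when (date and time the event occurrence) the source of the event the outcome (success or failure) of the event the identity of any user/subject` is an unpunctuated run-on that should be split into the five items it lists. The AC-2 (12) key `a` narrative `Information system account activities are monitored via ELK` gives an assessor nothing to check; naming the dashboards or saved searches that drive the atypical-usage alerts claimed in key `b` would make both claims verifiable.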
@@ -0,0 +1,135 @@ +documentation_complete: false +name: Identity and Access Management +references: +- name: AWS Identity and Access Management (IAM) + path: https://aws.amazon.com/iam/ + type: URL +satisfies: +- control_key: AC-2 (5) + covered_by: [] + implementation_status: none + narrative: "Account log out is set to 15 minutes of inactivity within the Identity and Access Management (IAM) console + per account within the organization's virtual infrastructure. + " + standard_key: NIST-800-53 +- control_key: AC-2 (1) + covered_by: [] + implementation_status: none + narrative: "AWS infrastructure as a service Management Life Cycle is automated to + use AWS CLI scripts. The organization's AWS Virtual Private Cloud (VPC) can use the AWS Command Line + Interface (CLI) to automate the account management LifeCycle within its envoriment. + The organization uses the AWS Identity and Access Management (IAM) console for semi-automated + automated account manamgemt. + " + standard_key: NIST-800-53 +- control_key: AC-6 + covered_by: [] + implementation_status: none + narrative: "Identity and Access Management (IAM) policies are attached to the users, enabling centralized control + of permissions for users under the organization's AWS Account to access services, buckets or + objects. With IAM policies, the organization only grant users + within its own AWS account permission to access its Amazon resources. + + AWS IAM policies are defined to grant only the required access for the organizational staff + necessary to perform their functions. The organization defines least privilege access to each + user, group or role. + + Security functions within the AWS infrastructure are explicitly defined within + IAM to include read-only permissions for any user functions. + + The organization incorporates running the IAM Policy Simulator to test policies for least privilege + access for users and groups. 
+ " + standard_key: NIST-800-53 +- control_key: AC-6 (1) + covered_by: [] + implementation_status: none + narrative: "The organization explicitly authorizes access to administrative and security functions + of its virtual infrastructure and residing platforms to designated individuals + within the organization's SecOps and DevOps team. No other authorizations to security and administrative + information is granted to individuals outside these teams. + " + standard_key: NIST-800-53 +- control_key: AC-2 (2) + covered_by: [] + implementation_status: none + narrative: "This control is not applicable. All Temporary accounts are handled by + associating resources with Identity and Access Management (IAM) Roles. There are no guest/anonymous, group, or + temporary user accounts in the organization's AWS environment. + " + standard_key: NIST-800-53 +- control_key: AC-5 + covered_by: [] + implementation_status: none + narrative: "#### a \nThe organization implements Identity and Access Management (IAM) Policies\ + \ roles and individual user accounts for separation of duties. IAM policies\ + \ are attached to the users, enabling centralized control of permissions for users\ + \ under AWS Account.\n \n#### b \nThe organization documents separation of duties of\ + \ AWS users. All AWS IAM users, groups and roles can be viewed\ + \ wthin the AWS console. IAM users reports are generated to show all separation\ + \ of duties. \n + " + standard_key: NIST-800-53 +- control_key: AC-14 + covered_by: [] + implementation_status: none + narrative: "#### a \nThere are no administrative actions than can be performed\ + \ within the organization's Virtual Private Cloud (VPC) without multifactor authentication. 
Per AWS,\ + \ privileged users can not gain access to the AWS console without identification and authorization\ + \ to its a VPC.\n \n#### b \nIt is not possible for members of the 18F Devops\ + \ and SecOps teams to aceess the organization's VPC infrastructure without\ + \ muitifactor authetication. \n \n + " + standard_key: NIST-800-53 +- control_key: AC-3 + covered_by: [] + implementation_status: none + narrative: "The organization follows best practices by implementing the majority of the following:\n\ + \ - Create the organization's individual accounts for anyone that requires access to the virtual\ + \ infrastructure or APIs or use Identity and Access Management (IAM) federation from enterprise identity management\ + \ system\n - Use groups or roles to assign permissions to IAM users\n\ + \ - Enable multi factor authentication for all IAM users\n - Use roles for applications\ + \ that run on EC2 instances\n - Delegate by using roles instead of sharing credentials\n\ + \ - Rotate credentials regularly\n - Store SSH keys securely to prevent disclosure,\ + \ and promptly replace lost or compromised keys.\n + " + standard_key: NIST-800-53 +- control_key: AC-2 + covered_by: [] + implementation_status: none + narrative: "#### a \nAWS accounts are managed through AWS Identity and Access Management\ + \ (IAM). Only users with a need to operate the AWS management console are provided\ + \ individual AWS user accounts. The following types are used:\n * User-\ + \ Individual IAM accounts\n * System- system and application account not\ + \ used for interactive access\nThere are no guest/anonymous, groups, or temporary\ + \ user accounts in the organization's environment\n \n#### k \nThe organization does not allow shared/group\ + \ account credentials within the AWS environment. All users have individual accounts\ + \ to access the AWS environment. 
The organization has created specific policies that allow\ + \ individual users to assume a role within the AWS environment.\n \n + " + standard_key: NIST-800-53 +- control_key: AC-6 (5) + covered_by: [] + implementation_status: none + narrative: "The organization restricts privileged accounts such as administrator and root access\ + \ accounts to designated members within the Devops and SecOps teams. Within\ + \ the virtual infrastructure the admin account is not used for privileged access.\ + \ It\u2019s only used for billing and metrics.\n + " + standard_key: NIST-800-53 +- control_key: IA-2 + covered_by: [] + implementation_status: none + narrative: "All users have individually unique identifiers to access and authenticate + to the AWS environment through the AWS management console. The organization's AWS Identity and + Access Management (IAM) users are placed into IAM roles based on their assigned roles and permissions + + Additional temporary permission are delegated with the IAM roles usually for applications + that run on EC2 Instances in order to access AWS resources all user accounts for + staff are maintained within the organization's AWS environment. + + Shared or group authenticators are not utilized, Service accounts are implemented + as Managed Services Accounts within AWS. + " + standard_key: NIST-800-53 +schema_version: 2.0 diff --git a/opencontrols/components/IA_Policy/component.yaml b/opencontrols/components/IA_Policy/component.yaml new file mode 100644 index 00000000..ee16ac3d --- /dev/null +++ b/opencontrols/components/IA_Policy/component.yaml 
@@ -0,0 +1,221 @@ +--- +documentation_complete: false +name: Identification and Authentication Policy for 18F +satisfies: +- control_key: IA-1 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + The 18F Program Office develops, documents, and disseminates to all 18F staff the 18F Identification and Authentication Policy which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, compliance, and procedures to facilitate the implementation of the identification and authentication policy and associated identification controls. The 18F Identification and Authentication Policy is listed within 18F's private GitHub repository and the docs.cloud.gov site that is accessible to all 18F staff. + - key: b + text: | + The 18F Program Office will review and update the current 18F Identification and Authentication Policy at least every three years and any documented identification and authentication procedures at least annually. + standard_key: NIST-800-53 +- control_key: IA-2 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + The cloud.gov platform delegates authentication to either the GSA enterprise system or GitHub for any administrator access. + standard_key: NIST-800-53 +- control_key: IA-2 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + Multifactor authentication is enforced both in the GSA enterprise login system and GitHub. + standard_key: NIST-800-53 +- control_key: IA-2 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + Non-privileged accounts can be delegated to enterprise user systems that have multifactor authentication. 
+ standard_key: NIST-800-53 +- control_key: IA-2 (5) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + NA - Local access is treated the same as remote access. See IA-2 (1). + standard_key: NIST-800-53 +- control_key: IA-2 (3) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + NA - Only individual authentication is allowed. + standard_key: NIST-800-53 +- control_key: IA-2 (8) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov implements UAA which has session tokens and CSRF prevention that prevents replay attacks. + standard_key: NIST-800-53 +- control_key: IA-2 (11) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to multiple separate single sign on (SSO) systems which implement multifactor in multiple ways. + standard_key: NIST-800-53 +- control_key: IA-2 (12) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to multiple separate single sign on (SSO) system which implement multifactor that may or may not include PIV cards. + standard_key: NIST-800-53 +- control_key: IA-3 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov monitors and tracks all network connections using AWS VPC flow logs, router access logs, and application access logs. cloud.gov assigns each connection a unique identifier and tracks it across queries. 
+ standard_key: NIST-800-53 +- control_key: IA-4 + covered_by: [] + implementation_status: none + narrative: + - text: | + The 18F Identification and Authentication Policy section 3 Identifier Management states: + Identifier Management: + 18F manages information system identifiers for users and devices by: + * Receiving authorization from a designated organizational official to assign a user or device identifier. + * Selecting an identifier that uniquely identifies an individual or device. + * Assigning the user identifier to the intended party or the device identifier to the intended device. + * Preventing reuse of user or device identifiers for one (1). + * Disabling the user identifier after ninety (90) days of inactivity for general user accounts and thirty (30) days for administrator level accounts. + standard_key: NIST-800-53 +- control_key: IA-4 (4) + covered_by: [] + implementation_status: none + narrative: + - text: | + 18F manages individual identifiers that uniquely identify individuals as employees, contractors, or foreign nationals. + standard_key: NIST-800-53 +- control_key: IA-5 + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +- control_key: IA-5 (1) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +- control_key: IA-5 (2) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +- control_key: IA-5 (3) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. 
+ standard_key: NIST-800-53 +- control_key: IA-5 (4) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +- control_key: IA-5 (6) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +- control_key: IA-5 (7) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +- control_key: IA-5 (11) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +- control_key: IA-7 + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +- control_key: IA-8 + covered_by: [] + implementation_status: none + narrative: + - text: | + Every user has an individual account and their source is tracked to the main authentication system. + standard_key: NIST-800-53 +- control_key: IA-8 (1) + covered_by: [] + implementation_status: none + narrative: + - text: | + PIV verification is subject to the delegated enterprise SSO system. + standard_key: NIST-800-53 +- control_key: IA-8 (2) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov does not accept third-party credentials. + standard_key: NIST-800-53 +- control_key: IA-8 (3) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov does not accept third-party credentials. 
+ standard_key: NIST-800-53 +- control_key: IA-8 (4) + covered_by: [] + implementation_status: none + narrative: + - text: | + NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system. + standard_key: NIST-800-53 +schema_version: 3.1.0 +system: 18F +verifications: +- key: POLICY_DOC + name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/IA-Policy.md + type: URL +- description: "GIVEN the github link - THEN the policy has been updated within the last 180 days" + key: Policy_Update_Test + last_run: 2016-04-07 08:25:17.630024000 -05:00 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/IR_Policy/component.yaml b/opencontrols/components/IR_Policy/component.yaml new file mode 100644 index 00000000..eb5743c5 --- /dev/null +++ b/opencontrols/components/IR_Policy/component.yaml 
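Review bot: The IA-2 (8) narrative in this hunk ("session tokens and CSRF prevention that prevents replay attacks") conflates CSRF defence with replay-resistant authentication; a CSRF token stops a forged cross-origin request, it does not stop a captured authenticator from being replayed, so the entry should rest on the properties of the delegated login instead, e.g. `Replay resistance is provided by the delegated SSO systems (one-time MFA codes bound to a single login) and by TLS on all UAA token exchanges; UAA session tokens are additionally short-lived.` The IA-4 identifier-reuse bullet is cut off — `Preventing reuse of user or device identifiers for one (1).` is missing its unit, presumably `one (1) year`. The blanket `NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system.` on IA-5 and every IA-5 enhancement only holds for interactive user logins; SSH keys, UAA client secrets and API tokens are authenticators the platform manages itself, so at least IA-5 (a)-(j) and IA-5 (1)/(7) apply in part (confirm against the JumpBox component in this same change). Finally the file commits `Policy_Update_Test` with `test_passed: false`, i.e. the linked IA-Policy.md failed the 180-day freshness check, which should be reconciled with IA-1 (b)'s annual-review claim rather than shipped as a failing verification.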
@@ -0,0 +1,217 @@ +--- +schema_version: 3.1.0 +documentation_complete: false +name: Incident Response for cloud.gov +satisfies: +- control_key: IR-1 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + cloud.gov developed an Incident Response Guide documenting the procedures required by the 18F and GSA Incident Response Policy. + The guide is disseminated to the whole cloud.gov team to ensure everyone is aware of its existence and contents. + The incident response guide is publicly available at https://docs.cloud.gov/ops/security-ir/ and it is continually updated based on changes to the team and the platform. + - key: b + text: | + 18F reviews and iterates on the Incident Response Guide at least every three years. cloud.gov reviews and iterates on the Incident Response Guide at least annually. + standard_key: NIST-800-53 +- control_key: IR-2 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + cloud.gov will make incident response training available to the whole cloud.gov team and will require that at least all operators take it. + - key: b + text: | + If the cloud.gov system changes in a radical way, the cloud.gov team will adapt the incident response training to meet the needs of the new system. cloud.gov operators will be required to take the training again. + - key: c + text: | + cloud.gov requires all operators to take the incident response training at least once a year. + standard_key: NIST-800-53 +- control_key: IR-3 + covered_by: [] + implementation_status: planned + narrative: + - text: | + cloud.gov will create test plans and exercises in accordance to NIST 800-61 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf), and it will present these to the cloud.gov Authorizing Official for their approval. + cloud.gov will test its incident response capabilities and related exercises annually. 
+ standard_key: NIST-800-53 +- control_key: IR-3 (2) + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov will coordinate with 18F Infrastructure and GSA IT to conduct these exercises in the most effective manner. + standard_key: NIST-800-53 +- control_key: IR-4 + covered_by: [] + implementation_status: partial + narrative: + - key: a + text: | + cloud.gov implements automated processes to detect and analyze malicious activity within the platform. + If these processes detect malicious activity, they automatically report the activity to the cloud.gov operations team, which is able to use automated tools to eradicate the threat and recover to a known state. + cloud.gov uses a service-oriented architecture that allows natural containment and separation. + - key: b + text: | + The cloud.gov team works as a whole on both contingency planning and incident handling. From operations to communication, everyone is involved. + - key: c + text: | + After the conclusion of each event response, the cloud.gov team schedules a retrospective and captures the output of the session in a document available at https://github.com/18F/cg-postmortems/wiki. + - key: FedRAMP req + text: | + All cloud.gov team members have been cleared according to at least tier 1 non-sensitive federal security or an equivalent for contractors. + standard_key: NIST-800-53 +- control_key: IR-4 (1) + covered_by: [] + implementation_status: partial + narrative: + - text: | + cloud.gov implements automated processes such as ClamAV and Tripwire to detect anomalies. When these processes detect an anomaly, they escalate an alert using PagerDuty. + The incident response process is automatically tracked using Slack. 
+ standard_key: NIST-800-53 +- control_key: IR-5 + covered_by: [] + implementation_status: complete + narrative: + - text: | + The cloud.gov team tracks all incidents, not just security incidents, using the cloud.gov postmortem wiki: https://github.com/18F/cg-postmortems/wiki. The team also reports security incidents to GSA IT, which also tracks them. + standard_key: NIST-800-53 +- control_key: IR-6 + covered_by: [] + implementation_status: partial + narrative: + - key: a + text: | + GSA and 18F require the cloud.gov team to report all suspected security incidents to 18F Infrastructure and GSA IT within the hour of being detected. + - key: b + text: | + The cloud.gov team reports all security activity to 18F Infrastructure and GSA IT according to FedRAMP Incident Communications Procedure. + standard_key: NIST-800-53 +- control_key: IR-6 (1) + covered_by: [] + implementation_status: partial + narrative: + - text: | + cloud.gov uses automated tools to capture logs and audit trails that allow the communication of security incidents easy and effective. + standard_key: NIST-800-53 +- control_key: IR-7 + covered_by: [] + implementation_status: complete + narrative: + - text: | + 18F provides assistance with security response resources to teams requiring incident response support. + standard_key: NIST-800-53 +- control_key: IR-7 (1) + covered_by: [] + implementation_status: complete + narrative: + - text: | + 18F uses internal documentation and Slack to best communicate and automate incident response. + standard_key: NIST-800-53 +- control_key: IR-7 (2) + covered_by: [] + implementation_status: partial + narrative: + - key: a + text: | + 18F has direct channels to any external provider of infrastructure and works with them to ensure good cooperation and general application of best practices according to each environment. 
+ - key: b + text: | + When working with external providers during an incident response, all parties have to be identified and cleared before access is granted to any system. + standard_key: NIST-800-53 +- control_key: IR-8 + covered_by: [] + implementation_status: partial + narrative: + - key: a + text: | + The cloud.gov team has developed both an Incident Response Guide and checklist to implement incident response capabilities. + Given the small size of the cloud.gov team, the structure of the incident response process is clear and concise; it assigns the first responder to the event the role of Incident Commander. + The Incident Response Guide provides clear guidance on what steps to take on each situation and how reporting should be handled. + The Incident Response Guide empowers the Incident Commander to leverage as many resources from GSA and 18F as needed during the response process. + The Incident Response Guide is continually reviewed and updated by the cloud.gov team and approved annually by the Authorizing Official. + - key: b + text: | + The Incident Response Guide is distributed to the whole of the cloud.gov team. + - key: c + text: | + The Incident Response Guide is continually reviewed and updated by the cloud.gov team. + - key: d + text: | + The Incident Response Guide is continually reviewed and updated by the cloud.gov team in response to system and organizational updates. + - key: e + text: | + The cloud.gov team distributes changes to the Incident Response Guide to the whole cloud.gov team. + - key: f + text: | + The Incident Response Guide is stored in GitHub as a public open source file. The branch from which the document is generated is a protected branch forbidding the unauthorized deletion of revision history. Moreover, the cloud.gov team has both configured the repository and provided team policies to ensure strict controls on who has authority to approve changes to this guide. 
+ standard_key: NIST-800-53 +- control_key: IR-9 + covered_by: [] + implementation_status: partial + narrative: + - key: a + text: | + As a cloud service provider, cloud.gov does not deal with sensitive information directly but allows users to manage their information on the system. + cloud.gov treats all information uploaded by users with the same level of moderate sensitivity once it is in a cloud.gov service. + - key: b + text: | + Because of the cloud.gov architecture, information spillage is not possible without being in a situation of a security breach. Any information spillage will be alerted according to the Incident Response Guide. + - key: c + text: | + cloud.gov uses a service-oriented architecture as well as offering isolated services for users to store data. + - key: d + text: | + Because of the cloud.gov architecture, information spillage is not possible without being in a situation of a security breach. cloud.gov team members are instructed to follow the Incident Response Guide in this case. + - key: e + text: | + Because of the cloud.gov architecture, information spillage is not possible without being in a situation of a security breach. cloud.gov team members are instructed to follow the Incident Response Guide in this case. + - key: f + text: | + Because of the cloud.gov architecture, information spillage is not possible without being in a situation of a security breach. cloud.gov team members are instructed to follow the Incident Response Guide in this case. + standard_key: NIST-800-53 +- control_key: IR-9 (1) + covered_by: [] + implementation_status: planned + narrative: + - text: | + According to the cloud.gov Incident Response Guide, the first responder to an incident will have the responsibility to respond to the information spill. 
+ standard_key: NIST-800-53 +- control_key: IR-9 (2) + covered_by: [] + implementation_status: complete + narrative: + - text: | + Because of the cloud.gov architecture, information spillage is not possible without being in a situation of a security breach. cloud.gov team members are instructed to follow the Incident Response Guide in this case. + standard_key: NIST-800-53 +- control_key: IR-9 (3) + covered_by: [] + implementation_status: complete + narrative: + - text: | + Because of the cloud.gov architecture, information spillage is not possible without being in a situation of a security breach. cloud.gov team members are instructed to follow the Incident Response Guide in this case. + standard_key: NIST-800-53 +- control_key: IR-9 (4) + covered_by: [] + implementation_status: complete + narrative: + - text: | + All cloud.gov team members have been cleared according to at least tier 1 non-sensitive federal security or an equivalent for contractors. + standard_key: NIST-800-53 +system: 18F +verifications: +- key: POLICY_DOC + name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/IR-Policy.md + type: URL +- description: | + GIVEN the github link - THEN the policy has been updated within the last 180 days + key: Policy_Update_Test + last_run: 2016-04-07 08:25:17.644608000 -05:00 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/JumpBox/component.yaml b/opencontrols/components/JumpBox/component.yaml new file mode 100644 index 00000000..cc81a8b4 --- /dev/null +++ b/opencontrols/components/JumpBox/component.yaml 
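Review bot: IR-3 (2) is marked `implementation_status: complete` while its narrative is future tense ("cloud.gov will coordinate") and its parent IR-3 is only `planned`; an enhancement that coordinates incident-response testing cannot be complete before the test plan exists, so it should read `implementation_status: planned` until the first exercise has actually run. IR-9 (2) and IR-9 (3) are likewise `complete` but reuse the IR-9 boilerplate, which describes neither the spillage-response training IR-9 (2) asks for nor the post-spill procedures of IR-9 (3); either document those or downgrade the status. The repeated `Because of the cloud.gov architecture, information spillage is not possible without being in a situation of a security breach.` is also too strong for an assessor — a tenant pushing the wrong data to a shared org or binding the wrong service instance is spillage without any breach — and is safer as `cloud.gov isolates tenant data per org, space and service instance; any spillage across that boundary is treated as a security incident and handled under the Incident Response Guide.` The trailing `Policy_Update_Test` records `test_passed: false`, which contradicts IR-1 (b) unless the check is known to be stale.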
@@ -0,0 +1,74 @@ +documentation_complete: false +name: JumpBox +satisfies: +- control_key: AC-17 + covered_by: [] + implementation_status: none + narrative: + - text: | + cloud.gov remote access is not available outside of the 18F environment. 18F DevOps personnel are the only group who connects to information system remotely using SSH (22) through the jump box (bastion Host) to execute BOSH CLI commands. The JumpBox is a virtual machine (VM) that acts as a single access point for the BOSH Director and deployed VMs. For resilience there are at least 2 jump boxes. Allowing access through jump boxes and disabling direct access to the other VMs is a common security measure 18F incorporates. + + The jumbox only serves as a means to execute BOSH CLI commands for the platform. It cannot access any applications or websites hosted on top of the platform. + + JumpBoxes are logged in in the same way an EC2 instances is logged into. The system has both a firewall and user ssh key logins. + + The 18F Access Control Policy Section 3 - Remote Access states: + + * 18F shall define, document and enforce requirements, usage restrictions and implementation guidance for each allowed remote access method. + * Remote and Virtual Private Network (VPN) access shall require multi-factor authentication. + * Access shall be authorized before a connection may be established. + * 18F shall monitor for unauthorized remote access and shall take appropriate action if unauthorized access is discovered. + * Remote access shall employ cryptography to protect session confidentiality and integrity. + * Remote access shall be routed through a limited number of managed access control points. + * Privileged commands and access to security-relevant information via remote access shall only be permitted as described in the System Security Plan (SSP). 
+ standard_key: NIST-800-53 +- control_key: AC-17 (2) + covered_by: [] + implementation_status: complete + narrative: + - text: | + 18F DevOps teams remotely access the cloud.gov jumpbox using SSH version 2. There are no other remote connections to the platform. Client end users login to the their Org environment through the CF-Deck within the cloud.gov portal. The cloud.gov Portal uses TLS v1.2 connections and AES 128 bit encryption for all access. + standard_key: NIST-800-53 +- control_key: AC-17 (3) + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov remote access connections are managed through jumpbox Virtual machines within the cloud.gov VPC. The remote connections are SSH sessions using the BOSH CLI API. There are no other remote connections to the platform as stated in AC-17(2) + standard_key: NIST-800-53 +- control_key: AC-17 (4) + covered_by: [] + implementation_status: none + narrative: + - text: | + 18F authorizes the execution of privileged commands and access to security-relevant information via remote access only for monitoring, managing, and troubleshooting the 18F virtual infrastructure and cloud.gov platform. This authorization is only given to specific members of the DevOps and SecOps teams. All other members are excluded from this type of access. + + Since the cloud.gov platform resides within the 18F virtual infrastructure, 18F DevOps must use the SSH remote access method to troubleshoot issues and update services that are only resolved by logging into the cloud.gov jumpboxes. The jumpbox itself a virtual machine deployed within the cloud.gov virtual private cloud. It is the only access point for designated DevOps members to run privileged commands that affect the entire platform. No other privileged remote access is available to the information system. 
+ standard_key: NIST-800-53 +- control_key: AC-17 (9) + covered_by: [] + implementation_status: none + narrative: + - text: | + Access keys and user accounts can be revoked using IAM. Sessions terminate after 10 minutes. + standard_key: NIST-800-53 +- control_key: IA-2 (1) + covered_by: [] + narrative: + - text: | + cloud.gov currently does not have MFA capabilities implemented for users; however, any administrative actions taken on the platform requires authentication via encrypted ssh keys which are limited to specific users on the jumpbox. + standard_key: NIST-800-53 +- control_key: IA-2 (3) + covered_by: [] + narrative: + - text: | + Any administrative actions taken on the platform requires authentication via encrypted ssh keys which are limited to specific users on the jumpbox. + standard_key: NIST-800-53 +- control_key: IA-2 (8) + covered_by: [] + implementation_status: none + narrative: + - text: | + Access keys and user accounts can be revoked using IAM. Sessions terminate after 10 minutes. + standard_key: NIST-800-53 +schema_version: 3.1.0 diff --git a/opencontrols/components/Loggregator/component.yaml b/opencontrols/components/Loggregator/component.yaml new file mode 100644 index 00000000..494cfdf5 --- /dev/null +++ b/opencontrols/components/Loggregator/component.yaml 
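Review bot: The IA-2 (1) narrative in this hunk states `cloud.gov currently does not have MFA capabilities implemented for users` and that administrative actions need only "encrypted ssh keys", which is a single factor (a passphrase on the private key is enforced client-side and is not verifiable by the jumpbox); this directly contradicts the AC-17 policy bullet earlier in the same file, `Remote and Virtual Private Network (VPN) access shall require multi-factor authentication.`, so either the gap must be stated explicitly with `implementation_status: none` or the policy bullet must be qualified. IA-2 (1) and IA-2 (3) are also the only entries missing the `implementation_status` field that every other control in the file sets. IA-2 (8) reuses the AC-17 (9) text (`Access keys and user accounts can be revoked using IAM. Sessions terminate after 10 minutes.`), but revocation and idle timeout are not replay resistance; the property that actually applies is the SSH v2 public-key handshake, e.g. `Jumpbox access uses SSH version 2 public-key authentication, whose per-session challenge prevents replay of captured credentials; idle sessions terminate after 10 minutes.` Under AC-17 (2), "TLS v1.2 connections and AES 128 bit encryption" should name the negotiated cipher suites or point at the gorouter/ELB TLS configuration, since a bare key size is not an assessable claim.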
@@ -0,0 +1,56 @@ +documentation_complete: false +name: Loggregator +references: +- name: Loggregator code + path: https://github.com/cloudfoundry/loggregator + type: URL +- name: Cloud Foundry Logging + path: https://docs.cloudfoundry.org/running/managing-cf/logging.html + type: URL +satisfies: +- control_key: AU-3 (1) + covered_by: [] + implementation_status: none + narrative: 'Loggregator captures and generates logs for incomming and outgoing TCP, + UDP, ICMP logs in addition to logs generated by applications deployed on Cloud + Foundry. + + ' + standard_key: NIST-800-53 +- control_key: AU-2 + covered_by: [] + implementation_status: none + narrative: "#### a \nCloud.Gov provides an audit trail through the bosh tasks command.\ + \ This command shows all actions that an operator has taken with the platform.\ + \ Additionally, operators can redirect Cloud Foundry component logs to a Logstash\ + \ syslog server using the syslog_daemon_config property in the metron_agent job\ + \ of cf-release.\nFor end users, Cloud.Gov records an audit trail of all relevant\ + \ API invocations of and app. The CLI command cf events returns this information.\n\ + \ \n#### b \nCloud.Gov provides an audit trail through the bosh tasks command.\ + \ This command shows all actions that an operator has taken with the platform.\ + \ For users, Cloud Foundry records an audit trail of all relevant API invocations\ + \ of and app. 
The CLI command cf events returns this information.\nLoggregator,\ + \ the component responsible for logging, provides a stream of log output from\ + \ 18F applications and system components that interact with a hosted app during\ + \ updates and execution.\n \n" + standard_key: NIST-800-53 +- control_key: AU-7 + covered_by: [] + implementation_status: none + narrative: 'Loggregator, the Cloud Foundry component responsible for logging, provides + a stream of log output from your application and from Cloud Foundry system components + that interact with your app during updates and execution. + + By default, Loggregator streams logs to your terminal. If you want to persist + more than the limited amount of logging information that Loggregator can buffer, + you can drain logs to a third-party log management service. See Third-Party Log + Management Services. + + Cloud Foundry gathers and stores logs in a best-effort manner. If a client is + unable to consume log lines quickly enough, the Loggregator buffer may need to + overwrite some lines before the client has consumed them. a syslog drain or a + CLI tail can usually keep up with the flow of application logs. + + ' + standard_key: NIST-800-53 +schema_version: 2.0 diff --git a/opencontrols/components/MA_Policy/component.yaml b/opencontrols/components/MA_Policy/component.yaml new file mode 100644 index 00000000..b88867cf --- /dev/null +++ b/opencontrols/components/MA_Policy/component.yaml 
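Review bot: The AU-7 narrative in this hunk concedes that Loggregator is best-effort and that the buffer "may need to overwrite some lines", while persisting to a log-management service is presented as optional ("If you want to persist…"); a narrative for audit reduction and report generation cannot rest on a lossy in-memory stream, so it should state where cloud.gov actually persists platform and application logs (the syslog drain / log-search deployment, if that is what is configured — I cannot confirm from this file) and that the drain is mandatory for platform components rather than an end-user choice. The text is also copied second-person from the Cloud Foundry docs (`your application`, `your terminal`, "See Third-Party Log Management Services"), which reads as product documentation rather than a statement about this system. Minor: `incomming` in AU-3 (1) should be `incoming`, and `of and app` in AU-2 should be `of an app`.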
@@ -0,0 +1,160 @@ +documentation_complete: false +name: System Maintenance Policy for 18F +satisfies: +- control_key: MA-1 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + Agency System Maintenance Policy Implementation + + System Maintenance Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 4. Policy on Operational Controls. + It states, "The availability and usability of GSA equipment and software must be maintained and safeguarded to enable agency + objectives to be accomplished." + + GSA OCISO ISP also defined agency-wide system maintenance procedures in IT Security Procedural Guide: + Maintenance (CIO-IT Security-10-50) + + 18F follows the GSA System Maintenance policy for its information systems hosted within GSA facilities. The Cloud.Gov information + system is hosted with the AWS GovCloud and will be in purview of the hosting site’s Maintenance policy and procedures + - key: b + text: | + The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying System Program + Managers and Information System Security Officers and Managers (ISSO/Ms). + standard_key: NIST-800-53 +- control_key: MA-2 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: b + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: c + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: d + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: e + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: f + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. 
+ standard_key: NIST-800-53 +- control_key: MA-3 + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + standard_key: NIST-800-53 +- control_key: MA-3 (1) + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + standard_key: NIST-800-53 +- control_key: MA-3 (2) + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + standard_key: NIST-800-53 +- control_key: MA-3 (3) + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: b + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: c + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: d + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + standard_key: NIST-800-53 +- control_key: MA-4 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: b + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: c + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: d + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: e + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + standard_key: NIST-800-53 +- control_key: MA-4 (2) + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. 
+ standard_key: NIST-800-53 +- control_key: MA-5 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: b + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: c + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + standard_key: NIST-800-53 +- control_key: MA-5 (1) + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + - key: b + text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + standard_key: NIST-800-53 +- control_key: MA-6 + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is inherited from the AWS GovCloud FedRAMP implementation. + standard_key: NIST-800-53 +schema_version: 3.1.0 +system: 18F +verifications: +- key: POLICY_DOC + name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/MA-Policy.md + type: URL +- description: "GIVEN the github link - THEN the policy has been updated\ + \ within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.652660 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/MP_Policy/component.yaml b/opencontrols/components/MP_Policy/component.yaml new file mode 100644 index 00000000..c28fd9ab --- /dev/null +++ b/opencontrols/components/MP_Policy/component.yaml 
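Review bot: MA-4 (nonlocal maintenance) is marked `implementation_status: complete` as "inherited from the AWS GovCloud FedRAMP implementation", but AWS inheritance covers maintenance of the underlying hosts, not maintenance 18F operators perform on the platform; the JumpBox component in this same change describes DevOps using SSH through a bastion to "update services", which is exactly the nonlocal maintenance MA-4 (a)-(e) asks the organisation to authorise, monitor, protect and terminate, so this entry should be `implementation_status: partial` with a narrative covering the jumpbox/BOSH maintenance path, its authentication, logging and session termination (the same caveat applies to MA-3's maintenance tools, which here include the BOSH CLI). `documentation_complete: false` alongside every control being `complete` is inconsistent and will read as unfinished to an assessor. The `Policy_Update_Test` entry also differs from the sibling IA/IR files — `last_run: 2016-04-07 13:25:17.652660` carries no UTC offset where the others have `-05:00` — and again records `test_passed: false`.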
@@ -0,0 +1,116 @@ +documentation_complete: false +name: Media Protection Policy for 18F +references: +- name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/MP-Policy.md + type: URL +satisfies: +- control_key: MP-1 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + Agency Media Protection Policy. Media Protection Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 4. Policy on Operational Controls. It states, "All GSA data from information system media, both digital and non-digital must be sanitized in accordance with methods described in IT Security Procedural Guide: Media Protection Guide, OCIO-IT Security-06-32, before disposal or transfer outside of GSA. + GSA OCISO ISP also defined agency-wide media protection procedures in IT Security Procedural Guide: Media Protection Guide (CIO-IT Security-06-32) 18F follows the GSA Media Protection policy for its information systems hosted within GSA facilities. The Cloud.Gov information system is hosted with the AWS GovCloud and will be in purview of the hosting site’s Media Protection policy and procedures. + - key: b + text: | + The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying System Program Managers and Information System Security Officers and Managers (ISSO/Ms). + The GSA OCISO has determined MP-1 to be an Enterprise-Wide Common Control and is provided by the OCISO ISP. For specific details, please refer to the GSA IT FY-15 Information Security Program Plan Version 1.0. + standard_key: NIST-800-53 +- control_key: MP-2 + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. 
+ standard_key: NIST-800-53 +- control_key: MP-3 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. Cloud.Gov data does not contain PII or information from the customer. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + - key: b + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. Cloud.Gov data does not contain PII or information from the customer. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + standard_key: NIST-800-53 +- control_key: MP-4 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + - key: b + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + standard_key: NIST-800-53 +- control_key: MP-5 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. 
All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + - key: b + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + - key: c + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + - key: d + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + standard_key: NIST-800-53 +- control_key: MP-5 (4) + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is not applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + standard_key: NIST-800-53 +- control_key: MP-6 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + - key: b + text: | + This control is not Applicable to the Cloud.Gov Platform. 
There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + standard_key: NIST-800-53 +- control_key: MP-6 (2) + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + standard_key: NIST-800-53 +- control_key: MP-7 + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider. + standard_key: NIST-800-53 +- control_key: MP-7 (1) + covered_by: [] + implementation_status: complete + narrative: + - text: | + This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider + standard_key: NIST-800-53 +schema_version: 3.1.0 +system: 18F +verifications: +- description: "GIVEN the github link - THEN the policy has been updated\ + \ within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.675575 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/MultiFactor/component.yaml b/opencontrols/components/MultiFactor/component.yaml new file mode 100644 index 00000000..6fc5c810 --- /dev/null 
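Review bot: Each entry from MP-2 through MP-7 (1) pairs a narrative saying the control is "not Applicable to the Cloud.Gov Platform" with `implementation_status: complete`, and MP-3 adds the claim that "Cloud.Gov data does not contain PII or information from the customer" — a statement about the platform, not about the data this application holds, which is what a component in this repository has to answer for. The MA component earlier in this diff handles the same inherited situation with `This control is inherited from the AWS GovCloud FedRAMP implementation.`, and that wording, or a short statement of this application's own media handling, fits better than a not-applicable narrative marked complete. This file also carries the policy link only under a top-level `references:` block with no `POLICY_DOC` entry under `verifications:`, unlike the MA and PE components, so `covered_by` can never reference the policy document here. The MP-7 (1) narrative is missing its closing period.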
+++ b/opencontrols/components/MultiFactor/component.yaml
@@ -0,0 +1,34 @@
+documentation_complete: false
+name: Multi-Factor Authentication
+references:
+- name: Multi-Factor Authentication Documentation
+ path: https://aws.amazon.com/iam/details/mfa/
+ type: URL
+satisfies:
+- control_key: IA-2 (1)
+ covered_by: []
+ narrative: 'AWS multifactor authentication (MFA) for privileged users of the AWS
+ console is implemented. This service has been configured for 18F administrative
+ accounts in IAM. Multifactor authentication adds an extra layer of security for
+ login access to the AWS management console. 18F users are prompted for a username
+ and password, as well as the authentication code from their MFA device.
+
+ '
+ standard_key: NIST-800-53
+- control_key: IA-3
+ covered_by: []
+ implementation_status: none
+ narrative: 'The underlying AWS infrastructure does not permit unauthenticated privileged
+ user access for console or API access.
+
+ '
+ standard_key: NIST-800-53
+- control_key: IA-2 (2)
+ covered_by: []
+ narrative: 'AWS multi-factor authentication (MFA) for non-privileged users of the
+ AWS console is implemented. With MFA enabled, all users are prompted for a username
+ and password, as well as the authentication code from their MFA device.
+
+ '
+ standard_key: NIST-800-53
+schema_version: 2.0
diff --git a/opencontrols/components/PE_Policy/component.yaml b/opencontrols/components/PE_Policy/component.yaml
new file mode 100644
index 00000000..ef6a691c
--- /dev/null
+++ b/opencontrols/components/PE_Policy/component.yaml
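Review bot: The IA-2 (1) and IA-2 (2) entries carry no `implementation_status` at all while IA-3 is marked `none`, so the two controls this component actually describes as implemented are the ones the inventory will show as unset. The IA-3 narrative says AWS "does not permit unauthenticated privileged user access for console or API access", which is user authentication; IA-3 is device identification and authentication, so the text does not address the control it is filed under and should either be rewritten for device authentication or kept at `none` with a narrative that says so. Both MFA narratives concern the AWS management console and IAM accounts; if this application is operated through cloud.gov rather than directly in IAM, the control is inherited and the narrative should say from whom. This file also declares `schema_version: 2.0` with scalar `narrative:` strings where every policy component in this diff uses 3.1.0 with a `narrative:` list; confirm the compliance-masonry version in use accepts both in one inventory.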
@@ -0,0 +1,224 @@ +documentation_complete: false +name: Physical and Environmental Protection Policy for 18F +satisfies: +- control_key: PE-1 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + Agency Physical and Environmental Policy + Physical and Environmental Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 4. Policy on Operational Controls. + It states, "Physical and environmental security controls must be commensurate with the level of risk and must be sufficient to safeguard IT resources against possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters." + GSA OCISO ISP also defined agency-wide access control procedures in IT Security Procedural Guide: Access Control (CIO-IT Security-01-07) + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: b + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-2 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: b + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: c + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: d + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. 
+ standard_key: NIST-800-53 +- control_key: PE-3 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: b + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: c + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: d + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: e + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: f + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: g + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-4 + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-5 + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. 
+ standard_key: NIST-800-53 +- control_key: PE-6 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: b + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: c + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-6 (1) + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-8 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: b + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-9 + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-10 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. 
+ - key: b + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: c + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-11 + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-12 + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-13 + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-13 (2) + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-13 (3) + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. 
+ standard_key: NIST-800-53 +- control_key: PE-14 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: b + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-14 (2) + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-15 + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-16 + covered_by: [] + implementation_status: none + narrative: + - text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + standard_key: NIST-800-53 +- control_key: PE-17 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: b + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. + - key: c + text: | + All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer. 
+ standard_key: NIST-800-53 +schema_version: 3.1.0 +system: 18F +verifications: +- key: POLICY_DOC + name: Policy Document + path: https://github.com/18F/compliance-docs/blob/master/PE-Policy.md + type: URL +- description: "GIVEN the github link - THEN the policy has been updated\ + \ within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.684945 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/PL_Policy/component.yaml b/opencontrols/components/PL_Policy/component.yaml new file mode 100644 index 00000000..fecb1dd1 --- /dev/null +++ b/opencontrols/components/PL_Policy/component.yaml 
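Review bot: Every PE control in this hunk is `implementation_status: none` while its narrative states the control is "managed and inherited by the AWS Infrastructure as a Service layer"; the MA component earlier in this diff records the same inherited situation as `complete`, so one of the two is misreporting and physical security will read as unaddressed in any rollup. The PE-1 (a) narrative cites "agency-wide access control procedures in IT Security Procedural Guide: Access Control (CIO-IT Security-01-07)", which looks carried over from an access-control component rather than the physical and environmental guidance this policy covers — confirm the intended reference before this is published. The repeated sentence also has the direction wrong for an inherited control; `All physical and environmental security controls for the Cloud.Gov information system are inherited from the AWS Infrastructure as a Service layer.` says what is meant. As with the MP component, check that "Cloud.Gov" is the system this component is meant to describe, since the file lives in this application's repository.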
@@ -0,0 +1,72 @@ +documentation_complete: false +name: Security Planning Policy for 18F +satisfies: +- control_key: PL-1 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + Agency Security Policy and Procedures + + Security Planning Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 3. Policy on Management + Controls. It states, "All information systems must be covered by a security plan in accordance with the current + version of NIST SP 800-18 Revision 1 “Guide for Developing Security Plans for Information Technology Systems." + + GSA OCISO ISP also defined agency-wide security assessment and authorization procedures in IT Security Procedural + Guide: Managing Enterprise Risk, Security Assessment and Authorization, Planning and Risk Assessment (CIO-IT + Security-06-30) + + 18F Program Policy + + The 18F Program Office develops, documents, and disseminates to all 18F staff, + The 18F Security Planning Policy which addresses purpose, scope, roles, responsibilities, management + commitment, coordination among organizational entities, and compliance and procedures to facilitate the + implementation of the security planning if information systems and associated planning controls. The 18F Audit + and Accountability policy is listed within 18F’s private GitHub repository https://github.com/18F/compliance-docs/blob/master/PL-Policy.md + that is accessible to all 18F staff. + - key: b + text: | + The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying + System Program Managers and Information System Security Officers and Managers (ISSO/Ms). + + The 18F Program Office will review and update the current 18F Security Planning Policy at least every 3 years and + any documented procedures at least annually. 
+ standard_key: NIST-800-53 +- control_key: PL-8 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + 18F has developed the system security plan (SSP) for Cloud Foundry PaaS containing the information security architecture for the information system that: + - Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information + - Describes how the information security architecture is integrated into and supports the enterprise architecture + - Describes any information security assumptions about, and dependencies on, external services + - key: b + text: | + 18F Reviews and updates the information security architecture within the System Security plans and the 18F GitHub repository on an annual basis or when a significant change takes place to reflect updates in the enterprise architecture. + + Due to the dynamic and elastic nature of cloud computing, 18F monitors real-time updates of its information security architecture using its infrastructure management and visual security consoles. + - key: c + text: | + 18F ensures that planned information security architecture changes are reflected in the security plan and organizational procurements/acquisitions. + 18F follows the risk management framework (RMF) which includes conducting annual risk assessments for its information systems and infrastructure. 
Any changes are then updated in systems security plans, plan of actions and milestones POA&Ms, security assessment reports (SAR) + standard_key: NIST-800-53 +schema_version: 3.1.0 +system: 18F +verifications: +- key: POLICY_DOC + name: policy document + path: https://github.com/18f/compliance-docs/blob/master/PL-Policy.md + type: url +- description: "GIVEN the github link - THEN the policy has been updated\ + \ within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.693033 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/PS_Policy/component.yaml b/opencontrols/components/PS_Policy/component.yaml new file mode 100644 index 00000000..b3055a26 --- /dev/null +++ b/opencontrols/components/PS_Policy/component.yaml 
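Review bot: The PL-1 (a) narrative closes with "The 18F Audit and Accountability policy is listed within 18F's private GitHub repository .../PL-Policy.md" — this is the Security Planning component, so the sentence is a paste from another policy and should read `The 18F Security Planning Policy is listed within 18F's GitHub repository https://github.com/18F/compliance-docs/blob/master/PL-Policy.md`; it also calls the repository private while the Policy_Update_Test below assumes the link is checkable. The `verifications:` entry here uses `type: url` and `name: policy document` in lowercase where the MA and PE components use `type: URL` and `name: Policy Document`; if the tool compares the type string case-sensitively the `POLICY_DOC` reference in `covered_by` will not resolve, which is worth confirming since both controls rely on it. Both controls stay at `implementation_status: none` despite complete narratives and a `covered_by` entry, and PL-8 (a) describes the SSP "for Cloud Foundry PaaS" rather than this application. The phrase "implementation of the security planning if information systems" should read `of information systems`.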
@@ -0,0 +1,170 @@ +--- +documentation_complete: false +name: Personnel Security Policy for 18F +satisfies: +- control_key: PS-1 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + Agency Personnel Security Policy and Procedures + + Personnel Security Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 4. Policy on Operational Controls. It states, "Developing, implementing, and overseeing personnel security controls for access to personally identifiable information." + + 18F Program Office Personnel Security Policy + + The 18F Program Office develops, documents, and disseminates to all 18F staff, the 18F Personnel Security Planning which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and procedures to facilitate the implementation of the personnel security if information systems and associated planning controls. The 18F Audit and Accountability policy is listed within 18F’s GitHub repository https://github.com/18F/compliance-docs/blob/master/PS-Policy.md that is accessible to all 18F staff. + - key: b + text: | + The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying System Program Managers and Information System Security Officers and Managers (ISSO/Ms). + The 18F Program Office will review and update the current 18F Personnel Security Policy at least every 3 years and any documented procedures at least annually. + standard_key: NIST-800-53 +- control_key: PS-2 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + Position Risk Designation is a Common Control provided by OCHCO Personnel Security Officer. The OHRM is responsible for developing and implementing position categorization (including third-party controls), access agreements, and personnel screening, termination, and transfers. 
+ - key: b + text: | + Position Risk Designation is a Common Control provided by OCHCO Personnel Security Officer. The OHRM is responsible for developing and implementing position categorization (including third-party controls), access agreements, and personnel screening, termination, and transfers. + - key: c + text: | + Position Risk Designation is a Common Control provided by OCHCO Personnel Security Officer. The OHRM is responsible for developing and implementing position categorization (including third-party controls), access agreements, and personnel screening, termination, and transfers. + standard_key: NIST-800-53 +- control_key: PS-3 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + Personnel Screening is a Common Control provided by the Office of Personnel Management (OPM) and Department of Homeland Security (DHS). Screening (and re-screening) of individuals are provided by OPM and DHS (and their agents) prior to authorizing access to the GSA information systems. + - key: b + text: | + Personnel Screening is a Common Control provided by the Office of Personnel Management (OPM) and Department of Homeland Security (DHS). Screening (and re-screening) of individuals are provided by OPM and DHS (and their agents) prior to authorizing access to the GSA information systems. + - key: c + text: | + Personnel Screening is a Common Control provided by the Office of Personnel Management (OPM) and Department of Homeland Security (DHS). Screening (and re-screening) of individuals are provided by OPM and DHS (and their agents) prior to authorizing access to the GSA information systems. + standard_key: NIST-800-53 +- control_key: PS-3 (3) + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + Personnel Screening is a Common Control provided by the Office of Personnel Management (OPM) and Department of Homeland Security (DHS). 
Screening (and re-screening) of individuals are provided by OPM and DHS (and their agents) prior to authorizing access to the GSA information systems. + - key: b + text: | + Personnel Screening is a Common Control provided by the Office of Personnel Management (OPM) and Department of Homeland Security (DHS). Screening (and re-screening) of individuals are provided by OPM and DHS (and their agents) prior to authorizing access to the GSA information systems. + standard_key: NIST-800-53 +- control_key: PS-4 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + Disabling, termination and conducting of exit interviews are initiated and facilitated by the supervisor/CO/COR of an individual. Retrieval of all information system-related property which includes HDPS-12 cards, authentication tokens (USB for privileged access), laptops, etc. is a common control provided by IO. More information can be found in the GSA IT Security Procedural Guide 03-23, Termination and Transfer + cloud.gov disables access to accounts within the same day of termination. + - key: b + text: | + cloud.gov revokes all access associated to the individual the same day of termination. + - key: c + text: | + Disabling, termination and conducting of exit interviews are initiated and facilitated by the supervisor/CO/COR of an individual. Retrieval of all information system-related property which includes HDPS-12 cards, authentication tokens (USB for privileged access), laptops, etc. is a common control provided by IO. More information can be found in the GSA IT Security Procedural Guide 03-23, Termination and Transfer + - key: d + text: | + Disabling, termination and conducting of exit interviews are initiated and facilitated by the supervisor/CO/COR of an individual. Retrieval of all information system-related property which includes HDPS-12 cards, authentication tokens (USB for privileged access), laptops, etc. is a common control provided by IO. 
More information can be found in the GSA IT Security Procedural Guide 03-23, Termination and Transfer + - key: e + text: | + Disabling, termination and conducting of exit interviews are initiated and facilitated by the supervisor/CO/COR of an individual. Retrieval of all information system-related property which includes HDPS-12 cards, authentication tokens (USB for privileged access), laptops, etc. is a common control provided by IO. More information can be found in the GSA IT Security Procedural Guide 03-23, Termination and Transfer + - key: f + text: | + Disabling, termination and conducting of exit interviews are initiated and facilitated by the supervisor/CO/COR of an individual. Retrieval of all information system-related property which includes HDPS-12 cards, authentication tokens (USB for privileged access), laptops, etc. is a common control provided by IO. More information can be found in the GSA IT Security Procedural Guide 03-23, Termination and Transfer + standard_key: NIST-800-53 +- control_key: PS-5 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + Review of ongoing operational need for current logical and physical access by individuals are initiated and facilitated by supervisor/CO/COR. Retrieval of all information system-related property which includes HDPS-12 cards, authentication tokens (USB for privileged access), laptops, etc. is a common control provided by IO. + cloud.gov revokes privileged access if an individual is reassigned or transferred outside of the team. + - key: b + text: | + cloud.gov initiates the revoking process within the same day of an individual being transferred outside of the team. + - key: c + text: | + cloud.gov modifies permissions granted to individuals to correspond any changes in the individual requirements. + - key: d + text: | + 18F notifies cloud.gov operators within 5 days of a formal transfer action. 
+ standard_key: NIST-800-53 +- control_key: PS-6 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + cloud.gov develops and documents access agreements for all users accessing the system. + - key: b + text: | + cloud.gov reviews and updates the agreements at least once a year. + - key: c + text: | + cloud.gov requires all users being granted access to accept the agreement every time they enter the system. + standard_key: NIST-800-53 +- control_key: PS-7 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + GSA establishes personnel security requirements for third-party providers. + - key: b + text: | + GSA requires third-party providers to comply with GSA policies, undergo background checks and attend security trainings. + - key: c + text: | + GSA documents the security requirements as part of the procurement process with third parties. + - key: d + text: | + GSA requires that all third-parties notify the Contracting Officers of any activity on the third-party's personnel within a day. + - key: e + text: | + GSA monitors compliance from providers at least monthly. + standard_key: NIST-800-53 +- control_key: PS-8 + covered_by: [] + implementation_status: planned + narrative: + - key: a + text: | + GSA employs a formal sanctions process for personnel failing to comply with established information security policies and procedures + - key: b + text: | + 18F notifies 18F Security Office (SSO) within the amount of time that it takes to verify that a security breach as occurred when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. 
+ parameters: + - key: PS-8 # [Assignment: organization-defined personnel or roles] + text: | + 18F Security Office (SSO) + - key: PS-8 # [Assignment: organization-defined time period] + text: | + the amount of time that it takes to verify that a security breach as occurred + standard_key: NIST-800-53 +schema_version: 3.1.0 +system: 18F +verifications: +- key: POLICY_DOC + name: policy document + path: https://github.com/18f/compliance-docs/blob/master/PS-Policy.md + type: url +- description: "GIVEN the github link - THEN the policy has been updated + within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 08:25:17.707361000 -05:00 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/RA_Policy/component.yaml b/opencontrols/components/RA_Policy/component.yaml new file mode 100644 index 00000000..e387d6a2 --- /dev/null +++ b/opencontrols/components/RA_Policy/component.yaml 
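Review bot: The two `parameters:` entries under PS-8 both use `key: PS-8`, so the personnel-or-roles assignment and the time-period assignment cannot be told apart by anything that looks parameters up by key; the trailing `# [Assignment: ...]` comments show two distinct values were intended, so give each its own key (for example `key: PS-8 (a)` and `key: PS-8 (b)`, or whatever convention the other parameter blocks in this repository use). PS-1 (a) repeats the paste seen in the PL component — "The 18F Audit and Accountability policy is listed within ... PS-Policy.md" should name the Personnel Security Policy — and "personnel security if information systems" (PS-1 (a)) and "a security breach as occurred" (PS-8 (b)) are "of" and "has occurred". The `verifications:` block differs from its siblings in two ways: the description omits the `\` continuation the other files use (harmless inside double quotes, where the newline folds to a space), and `last_run` carries nanoseconds and a `-05:00` offset while every other component records a naive timestamp; mixed formats may parse as different types, so pick one.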
@@ -0,0 +1,46 @@
+documentation_complete: false
+name: Risk Assessment Policy for 18F
+satisfies:
+- control_key: RA-1
+ covered_by: []
+ implementation_status: none
+ narrative:
+ - text: |
+ 18F Policy
+ standard_key: NIST-800-53
+- control_key: RA-5
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |
+ 18F Conducts monthly Operating System (OS) and web application scanning; quarterly database scanning; and, OS and Web application scanning with every code release. 18F conducts internal vulnerability scanning of its VPC and private subnets within the 18F Virtual Private Cloud.
+ - key: b
+ text: |
+ 18F vulnerability scanning tools utilize techniques that promote interoperability such as Common Vulnerability Scoring System v2 (CVSS2), Common Platform Enumeration (CPE), and Common Vulnerability Enumeration (CVE) and OWASP TOP 10 vulnerabilities.
+ - key: c
+ text: |
+ 18F Analyzes vulnerability scan reports from its vulnerability scanning tools assessments at least weekly and appropriate actions taken on discovery of vulnerabilities within the 18F Cloud Infrastructure and applications and from security control assessments conducted on its information systems.
+ - key: d
+ text: |
+ High-risk vulnerabilities are mitigated within thirty days (30); moderate risk vulnerabilities mitigated within ninety days (90). If the recommended steps will adversely impact functionality or performance, the ISSO/ISSM will reviews changes and mitigating controls with 18F DevOps as well as the Cloud Foundry system owners.
+ - key: e
+ text: |
+ 18F shares information obtained from the vulnerability scanning process and security control assessments with designated System Owners, DevOps, GSA SecOps, ISSM and the Authorizing Official (AO) to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
+ standard_key: NIST-800-53
+schema_version: 3.1.0
+system: 18F
+verifications:
+- key: POLICY_DOC
+ name: policy document
+ path: https://github.com/18f/compliance-docs/blob/master/RA-policy.md
+ type: url
+- description: "GIVEN the github link - THEN the policy has been updated\
+ \ within the last 180 days \n"
+ key: Policy_Update_Test
+ last_run: 2016-04-07 13:25:17.715124
+ name: 18F Policies Update
+ path: BDD/policies.feature
+ test_passed: false
+ type: TEST
diff --git a/opencontrols/components/S3/component.yaml b/opencontrols/components/S3/component.yaml
new file mode 100644
index 00000000..5ac73d83
--- /dev/null
+++ b/opencontrols/components/S3/component.yaml
@@ -0,0 +1,13 @@
+documentation_complete: false
+name: S3
+satisfies:
+- control_key: AU-4
+ covered_by: []
+ implementation_status: none
+ narrative: 'Administrators can define the amount of storage dedicated to audit record
+ storage on their instances. Using S3 bucket will ensure storage of audit events
+ will never be exceeded.
+
+ '
+ standard_key: NIST-800-53
+schema_version: 2.0
diff --git a/opencontrols/components/SA_Policy/component.yaml b/opencontrols/components/SA_Policy/component.yaml
new file mode 100644
index 00000000..aba8eb55
--- /dev/null
+++ b/opencontrols/components/SA_Policy/component.yaml
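Review bot: RA-5 lists `POLICY_DOC` as its only evidence yet sets `implementation_status: none`, and the same file records that evidence's freshness check `Policy_Update_Test` with `test_passed: false`, so the narrative's monthly/quarterly scan cadence and 30/90-day remediation windows currently have nothing passing behind them. Either set the status to what the narrative actually supports (`partial` or `planned`) or add a verification that points at real scan output rather than the policy text. Two wording fixes in the narrative: the CVE expansion in key b should be `Common Vulnerabilities and Exposures (CVE)`, and key d should read `the ISSO/ISSM will review changes`. The CVSS v2 reference is also worth revisiting given newer CVSS versions exist, though which version the scanners actually emit is not visible here.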
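Review bot: `schema_version: 2.0` in the S3 component disagrees with the `3.1.0` used by the other component files in this change, and its `narrative` is a bare string where the other files use a keyed list, so this file should be brought up to the same schema before the build depends on it (whether the tooling tolerates mixed versions is not visible here). The AU-4 narrative also asserts that `Using S3 bucket will ensure storage of audit events will never be exceeded` with `covered_by: []` and `implementation_status: none`; that is a guarantee with no evidence attached, and S3 only removes the instance-disk ceiling, while bucket lifecycle/expiry rules still decide how much audit history is retained. Suggest softening it to `Audit records are written to an S3 bucket, whose capacity is not bounded by instance storage; retention is governed by the bucket's lifecycle configuration` and citing the bucket and lifecycle configuration as a verification. The file also lacks the `system:` key the sibling components set.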
@@ -0,0 +1,397 @@
+schema_version: 3.1.0
+documentation_complete: false
+name: System and Services Acquisition Policy for 18F
+satisfies:
+- control_key: SA-1
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |-
+ Agency System Maintenance Policy Implementation
+
+ System Maintenance Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 4. Policy on Operational Controls. It states, "The availability and usability of GSA equipment and software must be maintained and safeguarded to enable agency objectives to be accomplished."
+
+ GSA OCISO ISP also defined agency-wide system maintenance procedures in IT Security Procedural Guide: Maintenance (CIO-IT Security-10-50).
+
+ 18F follows the GSA System Maintenance policy for its information systems hosted within GSA facilities. The cloud.gov information system is hosted with the AWS GovCloud and will be in purview of the hosting site’s Maintenance policy and procedures.
+ - key: b
+ text: |-
+ The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying System Program Managers and Information System Security Officers and Managers (ISSO/Ms). The GSA OCISO has determined SA-1 to be an Enterprise-Wide Common Control and is provided by the OCISO ISP. For specific details, please refer to the GSA IT FY-15 Information Security Program Plan Version 1.0.
+ standard_key: NIST-800-53
+- control_key: SA-2
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |-
+ The cloud.gov team does two-week sprints. Before each sprint, we look at open tasks and prioritize, including security needs. The team also hires for security expertise specifically.
+ - key: b
+ text: |-
+ Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process
+ - key: c
+ text: |-
+ Establishes a discrete line item for information security in organizational programming and budgeting documentation.
+ standard_key: NIST-800-53
+- control_key: SA-3
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |
+ 18F practices the Scrumban process when developing new features or fixing existing issues, including security fixes and enhancements for cloud.gov. Each feature or issue is assigned to a card in the system, where it goes through a process of being identified, prioritized, explored, delivered, and finally demonstrated. Each card is reviewed by the team as a whole throughout its lifecycle to identify any security risks or concerns, which are recorded on the card as "acceptance criteria" that must be addressed before development is complete.
+
+ Once development is complete, a team member submits the code to our version control system as a "pull request", where at least one other team member further reviews it before merging it into the code base. The team then deploys new features into our staging area where they undergo further security review and stakeholder acceptance testing, as well as automated acceptance tests.
+ - key: b
+ text: |
+ The cloud.gov operations team is broken into several sub-teams with different areas of responsibility and expertise. Security is a foremost concern for members of all teams. The cloud.gov operations team is primarily focused on implementing security policies at the platform level.
+ - key: c
+ text: |
+ Each member of the cloud.gov operations team has the necessary security background to properly handle sensitive data, such as security keys and certificates, and to evaluate the security implications associated with configuration changes. The cloud.gov operations team controls access to cloud.gov and its components through the access control tools appropriate for its components, including AWS security groups, Cloud Foundry roles, and GitHub team membership.
+ - key: d
+ text: |
+ The cloud.gov operations team continually monitors the configurations of the various components of cloud.gov to ensure they meet the requirements for protecting sensitive data.
+ standard_key: NIST-800-53
+ # parameters TODO
+- control_key: SA-4
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |-
+ System and Services Acquisition Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 5. Policy on Technical Controls. It states, "GSA system program managers and contracting officers shall ensure that the appropriate security requirements of this order are included in task orders and contracts for all IT systems designed, developed, implemented, and operated by a contractor on behalf of the government, including systems operating in a Cloud Computing environment including but not limited to Software as a Service (SaaS)."
+
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ - key: b
+ text: |-
+ System and Services Acquisition Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 5. Policy on Technical Controls. It states, "GSA system program managers and contracting officers shall ensure that the appropriate security requirements of this order are included in task orders and contracts for all IT systems designed, developed, implemented, and operated by a contractor on behalf of the government, including systems operating in a Cloud Computing environment including but not limited to Software as a Service (SaaS)."
+
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ - key: c
+ text: |-
+ System and Services Acquisition Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 5. Policy on Technical Controls. It states, "GSA system program managers and contracting officers shall ensure that the appropriate security requirements of this order are included in task orders and contracts for all IT systems designed, developed, implemented, and operated by a contractor on behalf of the government, including systems operating in a Cloud Computing environment including but not limited to Software as a Service (SaaS)."
+
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ - key: d
+ text: |-
+ System and Services Acquisition Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 5. Policy on Technical Controls. It states, "GSA system program managers and contracting officers shall ensure that the appropriate security requirements of this order are included in task orders and contracts for all IT systems designed, developed, implemented, and operated by a contractor on behalf of the government, including systems operating in a Cloud Computing environment including but not limited to Software as a Service (SaaS)."
+
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ - key: e
+ text: |-
+ System and Services Acquisition Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 5. Policy on Technical Controls. It states, "GSA system program managers and contracting officers shall ensure that the appropriate security requirements of this order are included in task orders and contracts for all IT systems designed, developed, implemented, and operated by a contractor on behalf of the government, including systems operating in a Cloud Computing environment including but not limited to Software as a Service (SaaS)."
+
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ - key: f
+ text: |-
+ System and Services Acquisition Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 5. Policy on Technical Controls. It states, "GSA system program managers and contracting officers shall ensure that the appropriate security requirements of this order are included in task orders and contracts for all IT systems designed, developed, implemented, and operated by a contractor on behalf of the government, including systems operating in a Cloud Computing environment including but not limited to Software as a Service (SaaS)."
+
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ - key: g
+ text: |-
+ System and Services Acquisition Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 5. Policy on Technical Controls. It states, "GSA system program managers and contracting officers shall ensure that the appropriate security requirements of this order are included in task orders and contracts for all IT systems designed, developed, implemented, and operated by a contractor on behalf of the government, including systems operating in a Cloud Computing environment including but not limited to Software as a Service (SaaS)."
+
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ standard_key: NIST-800-53
+- control_key: SA-4 (1)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |-
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ standard_key: NIST-800-53
+- control_key: SA-4 (2)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |-
+ GSA OCISO ISP also defined agency-wide system and services acquisition procedures in IT Security Procedural Guide: Security Language for IT Acquisition Efforts (CIO-IT Security-09-48)
+ parameters:
+ # This parameter can be a reference to the fact that we are complying with the FedRAMP controls.
+ # [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics;]
+ - key: SA-4 (2)
+ text: |
+ [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]
+ # Parameter for [Assignment: organization-defined design/implementation information]. Need value for this text.
+ - key: SA-4 (2)
+ text: |
+ [Assignment: organization-defined design/implementation information]
+ # This parameter can be a reference to the Configuration Management/GitHub process.
+ - key: SA-4 (2)
+ text: |
+ [Assignment: organization-defined design/implementation information]
+ # Parameter for [Assignment: organization-defined level of detail]
+ - key: SA-4 (2)
+ text: |
+ 18F
+ standard_key: NIST-800-53
+- control_key: SA-4 (8)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |-
+ clould.gov developed a continous monitoring plan and requires all system components to adhere to it.
+ parameters:
+ # This parameter can be a reference to Configuration Management plan.
+ # [Assignment: organization-defined level of detail]
+ - key: SA-4 (8)
+ text: |
+ continous monitoring plan
+ standard_key: NIST-800-53
+- control_key: SA-4 (9)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ # Do we require application design documents
+ narrative:
+ - text: |-
+ 18F utilizes an agile development process which means that changes are made early and often. Functions, ports and protocols are part of this process.
+ cloud.gov enables developers to be flexible on what functions are used but customers can only open one port per application.
+ standard_key: NIST-800-53
+- control_key: SA-4 (10)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ # Possibly covered by GSA identification policies
+ narrative:
+ - text: |-
+ cloud.gov delegates identity verification to customer's single sign on services.
+ standard_key: NIST-800-53
+- control_key: SA-5
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |-
+ The cloud.gov team maintains documentation for cloud.gov in the GitHub repositories for the components of the system and at https://docs.cloud.gov.
+ The "Contributing" section describes secure deployment and operation of cloud.gov.
+ All known vulnerabilities are patched and documented in the GitHub repositories.
+ - key: b
+ text: |-
+ Best practices for secure usage of cloud.gov are available and continuously updated at https://docs.cloud.gov.
+ - key: c
+ text: |-
+ Anyone can file a report of incomplete or unavailable documentation using GitHub issues attached to https://github.com/18F/cg-docs or to the repositories that store various cloud.gov components.
+ The cloud.gov team responds to those issues and the creates documentation required.
+ - key: d
+ text: |-
+ Because cloud.gov documentation does not contain sensitive information, documentation is publicly accessible in GitHub and at https://docs.cloud.gov.
+ Changes to that documentation can only be accepted by authorized individuals on the cloud.gov team through GitHub team membership.
+ - key: e
+ text: |-
+ The cloud.gov team maintains documentation for cloud.gov in the GitHub repositories for the components of the system and at https://docs.cloud.gov.
+ The team directs new members to this documentation, and expects team members to be aware of its contents.
+ standard_key: NIST-800-53
+- control_key: SA-8
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |-
+ cloud.gov uses the Cloud Foundry secure deployment best practices, which include the following:
+ - Configure UAA clients and users using a standard BOSH manifest for Cloud Foundry Development.
+ - cloud.gov develops and maintains documentation on the baseline configuration of the information system that include network topology, system architecture, application, web, and server components along with software standards.
+ - Cloud Foundry protects the information system from security threats by minimizing network surface area, applying security controls, isolating applications and data in containers, and encrypting connections.
+ - It also implements role-based access controls, applying and enforcing permissions to isolate user to their space. Baseline configurations settings are reviewed on a continual basis to to comply with federal mandates and compliance standards.
+ - cloud.gov documents changes to the baseline configuration in GitHub for review. Part of this process includes a thorough security analysis of the proposed change prior to the configuration change being implemented on the operational system.
+ - cloud.gov deploys with every application a standard set of tools for security and monitoring of each application to identify security issues.
+ For more details please refer to 18F Configuration Management Policy and security controls CM-2, CM-3, and CM-6.
+ standard_key: NIST-800-53
+- control_key: SA-9
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |
+ As a government system, cloud.gov requires that all external services comply with all applicable federal software requirements.
+ The infrastructure utilized by cloud.gov is AWS GovCloud, which is FedRAMP certified.
+ - key: b
+ text: |
+ GSA procurement practices defines all monitoring requirements for external information systems.
+ - key: c
+ text: |
+ cloud.gov employs continuous monitoring for both internal and external information systems.
+ parameters:
+ # This parameter can be a reference to the fact that we are complying with the FedRAMP controls.
+ - key: SA-9
+ text: |
+ FedRAMP Security Controls Baseline
+ # This parameter can be a reference to the Configuration Management plan/process.
+ - key: SA-9
+ text: |
+ Federal/FedRAMP Continuous Monitoring requirements
+ standard_key: NIST-800-53
+- control_key: SA-9 (1)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |
+ GSA complies with federal regulations requiring agencies to evaluate risk prior to acquiring any tool or service.
+ - key: b
+ text: |
+ The GSA Office of the CIO approves any information security services. The FedRAMP JAB will take over that responsibility once cloud.gov receives its approval.
+ standard_key: NIST-801-53
+- control_key: SA-9 (2)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |-
+ GSA requires that any external service receives an Authority to Operate which includes identification of all functions, protocols, etc.
+ standard_key: NIST-800-53
+- control_key: SA-9 (4)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |-
+ GSA requires that any external service receives an Authority to Operate which includes alignment of organizational interests.
+ parameters:
+ # This can be a reference to the FedRAMP process again since AWS Govcloud is also FedRamp certified.
+ # [Assignment: organization-defined security safeguards]
+ - key: SA-9 (4)
+ text: |
+ All external systems where Federal information is processed or stored
+ standard_key: NIST-800-53
+- control_key: SA-9 (5)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |-
+ cloud.gov restricts the location of all user data to AWS GovCloud and related services.
+ parameters:
+ # This is a reference to AWS GovCloud
+ - key: SA-9 (5)
+ text: |
+ all user data and information
+ # This is a reference to AWS GovCloud Avaliability Zone
+ - key: SA-9 (5)
+ text: |
+ AWS GovCloud
+ # This is a reference to FedRAMP
+ - key: SA-9 (5)
+ text: |
+ FedRAMP approval
+ standard_key: NIST-800-53
+- control_key: SA-10
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - key: a
+ text: |-
+ Configuration and deployment of the cloud.gov platform is managed using the BOSH project. BOSH releases and deployment manifests are stored in GitHub; sensitive credentials are stored in Amazon S3 and are protected using both client- and server-side encryption.
+ - key: b
+ text: |-
+ Changes to BOSH configuration are tracked in GitHub. Documentation is stored alongside deployment manifests and updated as configuration is changed; high-level documentation is also available at https://docs.cloud.gov.
+ - key: c
+ text: |-
+ All proposed configuration changes are reviewed by members of the cloud.gov team. Proposed changes must pass unit, integration, and acceptance tests before being deployed.
+ - key: d
+ text: |-
+ Configuration changes are made through pull requests in GitHub, which need to include documentation of all of the relevant context, as specified in 18F-wide policy here: https://github.com/18F/development-guide/tree/master/git_protocol#write-a-feature
+ - key: e
+ text: |-
+ BOSH stemcell images and BOSH deployment artifacts are updated regularly, so that upstream security updates are applied.
+ standard_key: NIST-800-53
+- control_key: SA-10 (1)
+ covered_by:
+ - verification_key: DEPLOYMENT_TESTING
+ narrative:
+ - text: |-
+ Deployment artifacts are stored and distributed by BOSH along with SHA-1 hashes to allow verification of file integrity.
+ standard_key: NIST-800-53
+- control_key: SA-11
+ covered_by:
+ - verification_key: DEPLOYMENT_TESTING
+ narrative:
+ - key: a
+ # https://18f.slack.com/archives/cloud-gov/p1465929760000146
+ text: |-
+ The security assessment plan is created by the FedRAMP Accredited Third Pary Assessment Organzation (3PAO). It will It will be used for annual assessments conducted by the 3PAO for continuous monitoring of cloud.gov.
+ - key: b
+ text: |-
+ cloud.gov performs unit and integration testing on the sytem on each deployment.
+ - key: c
+ text: |-
+ Testing is done automatically and tracked using tools like Nessus, OWASP and Concourse.
+ - key: d
+ text: |-
+ The process of remediation is by implementing changes to the configuration on configuration management, redeploying and testing.
+ - key: e
+ text: |-
+ Flaws are identified by automated tools and false positives are marked as such.
+ parameters:
+ - key: SA-11
+ text: unit and integration
+ - key: SA-11
+ text: cloud.gov
+ standard_key: NIST-800-53
+- control_key: SA-11 (1)
+ covered_by:
+ - verification_key: DEPLOYMENT_TESTING
+ narrative:
+ - text: |-
+ The Cloud Foundry community uses Code Climate on platform components such as BOSH and Cloud Controller. The results of the scans are publicly available and can be run by 18F at any time.
+ standard_key: NIST-800-53
+- control_key: SA-11 (2)
+ covered_by:
+ - verification_key: DEPLOYMENT_TESTING
+ narrative:
+ - text: |-
+ cloud.gov requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
+ standard_key: NIST-800-53
+- control_key: SA-11 (8)
+ covered_by:
+ - verification_key: DEPLOYMENT_TESTING
+ narrative:
+ - text: |-
+ cloud.gov requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
+ standard_key: NIST-800-53
+- control_key: SA-22 (1)
+ covered_by:
+ - verification_key: POLICY_DOC
+ implementation_status: none
+ narrative:
+ - text: |-
+ 18F will replace information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and will provide justification and documented approval for the continued use of unsupported system components required to satisfy mission/business needs.
+
+ Cloud Foundry Platform as a Service system replacement:
+
+ A system and software inventory is run nightly, and the DevOps team reviews the inventory weekly to ensure that all software inventoried is accurate and currently supported. This process includes:
+
+ * Verify that the software license support expiration date is not within six months. 18F uses the open source version of Cloud Foundry which uses the open source Apache 2.0 license.
+ * Ensure that the software version is still supported.
+ * Refer to the vendor's support website to verify that support does not have an \u201CEnd of Life\u201D date of less than six months.
+
+ Since 18F is using the open source version of Cloud Foundry, an additional task will be issued to upgrade the Cloud Foundry suite to the latest versions. DevOps will review the GitHub cloudfoundry/cf-release repository for implementation of the updated version.
+ standard_key: NIST-800-53
+system: 18F
+verifications:
+- key: DEPLOYMENT_TESTING
+ name: Cloud Foundry Code Analysis
+ path: https://runtime.ci.cf-app.com/pipelines/cf-release?groups=cf-release
+ type: URL
+- key: POLICY_DOC
+ name: policy document
+ path: https://github.com/18f/compliance-docs/blob/master/SA-Policy.md
+ type: url
+- description: GIVEN the github link - THEN the policy has been updated within the last 180 days
+ key: Policy_Update_Test
+ last_run: 2016-04-07 13:25:17.730678
+ name: 18F Policies Update
+ path: BDD/policies.feature
+ test_passed: false
+ type: TEST
diff --git a/opencontrols/components/SC_Policy/component.yaml b/opencontrols/components/SC_Policy/component.yaml
new file mode 100644
index 00000000..432dd111
--- /dev/null
+++ b/opencontrols/components/SC_Policy/component.yaml
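Review bot: `standard_key: NIST-801-53` on the SA-9 (1) entry is a typo for `NIST-800-53`; every other entry in this file uses `NIST-800-53`, and if the toolchain groups entries by standard key, SA-9 (1) will end up under a standard that does not exist instead of the NIST baseline. The SA-10 (1), SA-11, SA-11 (1), SA-11 (2) and SA-11 (8) entries also omit `implementation_status`, which every other entry carries, so add one (`implementation_status: none` matches the rest of the file until evidence is attached). SA-2 keys b and c restate the control language (`Determines, documents, and allocates the resources…`, `Establishes a discrete line item…`) rather than describing what 18F actually does, which reads as implemented while the status says otherwise. Several narratives carry typos that will surface in generated documents: `clould.gov`/`continous` under SA-4 (8), `Third Pary Assessment Organzation` and the doubled `It will It will` under SA-11 key a, and `sytem` under SA-11 key b. Finally, SA-10 (1) names SHA-1 digests as the integrity mechanism; NIST has deprecated SHA-1 for uses that depend on collision resistance, which an artifact integrity check arguably does, so either note whether BOSH's SHA-256 digests are in use or flag this narrative for follow-up.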
@@ -0,0 +1,433 @@ +--- +schema_version: 3.1.0 +documentation_complete: false +name: System and Communications Protection Policy for cloud.gov +satisfies: +- control_key: SC-1 + covered_by: [] + implementation_status: partial + narrative: + - key: a + text: | + System and Communications Protection Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 5. Policy on Technical Controls. It states, "All network devices that are either owned, managed, maintain a connection to a GSA facility, and/or handle GSA data shall be strategically positioned behind a GSA firewall to provide analysis/correlation, management structure, and minimize threats presented by external attacks. + + The 18F program includes a library of security policies that address federal and non-federal requirements. These policies guide and govern the actions of 18F employees and contractors in conducting any United States business. + + The 18F security assessment, communications, and authorization policy is listed within its GitHub repository that is accessible to all 18F staff. + + 18F helps develop, document, and disseminate policy information to 18F staff members. + + This 18F policy contains a protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. + + 18F's "Before You Ship" guide facilitates the implementation of the system and communications protection policy and associated system and communications protection controls. + + See https://github.com/18F/before-you-ship/ for more information. + - key: b + text: | + Reviews and updates the current System and Communications Protection Policy every three years. + + The 18F program includes a library of security policies that address federal and non-federal requirements. These policies guide and govern the actions of 18F employees and contractors in conducting any United States business. 
+ + The 18F security assessment, communications, and authorization policy is listed within its GitHub repository that is accessible to all 18F staff. + standard_key: NIST-800-53 +- control_key: SC-2 + covered_by: [] + implementation_status: complete + narrative: + - key: b + text: | + 18F implements subnetworks for publicly accessible system components that are logically separated from internal organizational networks. System management functionality to cloud.gov infrastructure is hosted on AWS FedRAMP Certificated Cloud Service Provider (CSP) and is accessible only to 18F Administrative teams through AWS IAM specified roles. This is a Service Provider and Customer Responsibility. + standard_key: NIST-800-53 +- control_key: SC-4 + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov system architecture prevents unauthorized and unintended information transfer via shared system resources. cloud.gov uses Cloud Foundry components to protect users and shared resources from security threats by minimizing network surface area, applying security controls, isolating customer applications and data in containers, and encrypting connections. + standard_key: NIST-800-53 +- control_key: SC-5 + covered_by: [] + implementation_status: complete + narrative: + - text: | + Refer to the 18F policy statement for the types of denial of service (DoS) to protect our systems against. Policy https://github.com/18f/compliance-docs/blob/master/SC-Policy.md + + cloud.gov limits the effects of Volume Based and Protocol DoS type attacks by utilizing the following groups of technical measures: + + 18F administrative staff maintains hardened Amazon Managed Images (AMI) and Cloud Foundry custom buildpacks with the latest patches and updates. + + Buildpacks provide framework and runtime support for applications that are deployed on cloud.gov. The AMI and custom buildpacks are maintained and secured within 18F's software repository, GitHub. 
+ + cloud.gov also uses AWS's IaaS services with well-formed Virtual Private Cloud (VPC) firewall rules to reduce the attack surface, while service resiliency is maintained by utilizing AWS Availability Zones, Elastic Load Balancing, and Auto Scaling services. + + Cloud Foundry's security components limit the effects of an attack at the Application Layer. It limits DoS attacks on this layer through resource starvation and reduction of the attack surface even further with well-formed application security groups which control the traffic flowing from hosted applications. + + These tools combined with SOC staffing are responsible for maintaining system security. + parameters: + - key: a + text: | + 18F policy statement + - key: b + text: | + 18F policy statement + standard_key: NIST-800-53 +- control_key: SC-6 + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov protects the availability of resources by allocating + volatile and non-volatile storage, bandwidth, and availability by using automated + AWS features such as Elastic Load Balancing and Auto Scaling technology at the + infrastructure layer and Cloud Foundry's application lifecycle manager components, + Cloud Controller and Droplet Execution Agent (DEA), at the application layers. + + 18F safeguards are in place if resources are reaching their limits with multiple sets of + resource monitoring tools: Cloud Foundry's built-in health monitoring system, New Relic, + CloudWatch, and ELK, which combined provide real-time alerts and visibility into critical + systems and applications. 
+ parameters: + - key: a + text: | + volatile and non-volatile storage, bandwidth, availability of applications + - key: b + text: | + by priority and quota + - key: c + text: | + See system description for list of safeguards + standard_key: NIST-800-53 +- control_key: SC-7 + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + 18F monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. + - key: b + text: | + 18F implements subnetworks for publicly accessible system components that are logically separated from internal organizational networks by using a well-formed Virtual Private Cloud. VPC is a virtual network dedicated to your AWS account which is logically isolated from other virtual networks in the AWS cloud. + cloud.gov VPC has selected its IP address range, created subnets, and configured route tables, network gateways, and security settings logically separated from any other internal organization networks. + - key: c + text: | + 18F staff connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture. + parameters: + - key: b + text: | + logically + standard_key: NIST-800-53 +- control_key: SC-7 (3) + covered_by: [] + implementation_status: complete + narrative: + - text: | + 18F limits the number of external network connections to the information system through the use of AWS network security groups which restrict types of network connections. AWS API authenticated service keys and managed SSH keys restrict PU access to the systems. + + cloud.gov Cloud Foundry components run on AWS AMI that exist within AWS VPCs. In this configuration, the only access points visible on a public network are load balancers that map to one or more Cloud Foundry routers. 
+ standard_key: NIST-800-53 +- control_key: SC-7 (4) + covered_by: [] + implementation_status: none + narrative: + - key: a + text: | + Implements a managed interface for each external telecommunication service. + - key: b + text: | + 18F establishes a traffic flow policy for each managed interface as AWS VPC security groups. + - key: c + text: | + 18F protects the confidentiality and integrity of the information being transmitted across each interface by using TLS for HTTP based connection. + - key: d + text: | + 18F documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need. + - key: e + text: | + 18F reviews exceptions to the traffic flow policy at least annually and removes exceptions that are no longer supported by an explicit mission/business need. + parameters: + - key: e + text: | + at least annually + standard_key: NIST-800-53 +- control_key: SC-7 (5) + covered_by: [] + implementation_status: none + narrative: + - text: | + cloud.gov's managed interfaces at the AWS security control group definitions deny network traffic by default and allow network communications traffic by exception. + standard_key: NIST-800-53 +- control_key: SC-7 (7) + covered_by: [] + implementation_status: none + narrative: + - text: | + VPNs and split tunneling are not an applicable use when accessing this system. 18F adminitrative staff gain access to this system through AWS multi-factor authentication to perform administrative functions and duties. + standard_key: NIST-800-53 +- control_key: SC-7 (8) + covered_by: [] + implementation_status: none + narrative: + - text: | + cloud.gov doesn't require authenticated proxy servers at managed interfaces. 18F administrative staff gain access to this system through the AWS IAM multi-factor authentication process to perform adminitrative functions and duties at the IaaS layer to administer any managed interfaces. 
+ parameters: + - key: a + text: | + N/A + - key: b + text: | + N/A + standard_key: NIST-800-53 +- control_key: SC-7 (12) + covered_by: [] + implementation_status: none + narrative: + - key: b + text: | + Host-based boundary protection for application services hosted on cloud.gov are provided by CF components. + + Cloud Foundry Application Security Groups (ASGs) control the traffic flowing out of applications. Each CF application uses a dedicated Linux container, and each container includes a dedicated virtual network interface. Application security groups are a collection of ‘allow’ rules that can be made with global or application specific assignments enabling access to be set on individual application requirements. These requirements are added through whitelisting, and whitelisting is layered on top of a series of container-centric lock-downs, allowing limited access to other applications and services. + parameters: + - key: a + text: | + N/A + - key: b + text: | + N/A + standard_key: NIST-800-53 +- control_key: SC-7 (13) + covered_by: [] + implementation_status: none + narrative: + - key: b + text: | + 18F practices defense in depth in layers. Sensistive security tools are logically isolated by well defined VPC boundries between internal system boundaries. Additionally third-party approved tools are used which are accessed via authenticated API keys over encrypted connections such as HTTPS. + parameters: + - key: a + text: | + Nessus, Tripwire, OWASP ZAP, ELK stack, Pagerduty, Code Climate, Cloudability, CloudTrail, CloudWatch + key: a + text: | + standard_key: NIST-800-53 +- control_key: SC-7 (18) + covered_by: [] + implementation_status: none + narrative: + - key: b + text: | + 18F doesn't operate any control interfaces outside of what's provided by AWS CSP. In the event of an operational failure of a boundary protection device, AWS CSP teams should respond to this event and notify the 18F DevOps team. 
+ standard_key: NIST-800-53 +- control_key: SC-8 + covered_by: [] + implementation_status: none + narrative: + - text: | + cloud.gov provides integrity and confidentiality protection over data in transit by applying HTTPS to all public interfaces connecting to the service. See how HTTPS (TLS) https://tools.ietf.org/html/rfc5246 for details. + parameters: + - key: SC-8 + text: | + confidentiality and integrity + standard_key: NIST-800-53 +- control_key: SC-8 (1) + covered_by: [] + implementation_status: none + narrative: + - text: | + cloud.gov implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission only as shown in SC-8. + See FedRAMP AWS CSP SSP for further details. + parameters: + - key: SC-8-1 + text: | + N/A + standard_key: NIST-800-53 +- control_key: SC-10 + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov's RAS access terminates immediately at the end of the session. + parameters: + - key: SC-10 + text: | + immediately + standard_key: NIST-800-53 +- control_key: SC-12 + covered_by: + - verification_key: KEY_ROTATION + implementation_status: complete + narrative: + - text: | + Authorized federal staff rotate, encrypt, and backup keys monthly. Privileged users access the keys only with two-factor authentication and a decryption passphrase. In the rare case that both the keys and the decryption passphrase for the backup are lost or compromised, new keys can be rotated in by authorized staff, while maintaining availability of information. + standard_key: NIST-800-53 +- control_key: SC-12 (2) + covered_by: [] + implementation_status: partial + narrative: + - text: | + cloud.gov controls and distributes symmetric cryptographic keys using [NIST FIPS-compliant] key management technology and processes. 
+ standard_key: NIST-800-53 +- control_key: SC-12 (3) + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov doesn't produce, control, or distribute asymmetric cryptographic keys. + parameters: + - key: SC-12-3 + text: N/A + standard_key: NIST-800-53 +- control_key: SC-13 + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov inherits the control from the GovCloud package for the ELB SSL termination. See https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf for further details. + parameters: + - key: SC-13 + text: | + N/A + standard_key: NIST-800-53 +- control_key: SC-15 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + cloud.gov doesn't allow remote activation of collaborative computing devices, thus not applicable. + - key: b + text: | + Explicit indication of use to users physically present at the devices is not applicable to cloud.gov. + parameters: + - key: SC-15 + text: N/A + standard_key: NIST-800-53 +- control_key: SC-17 + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov obtains public key certificates from COMODO, an approved service provider. + standard_key: NIST-800-53 +- control_key: SC-18 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This is not an applicable control for cloud.gov. It doesn't depend on any mobile code such as Flash, Java, ActiveX, etc. + - key: b + text: | + This is not an applicable control for cloud.gov. It doesn't depend on any mobile code such as Flash, Java, ActiveX, etc. + - key: c + text: | + This is not an applicable control for cloud.gov. It doesn't depend on any mobile code such as Flash, Java, ActiveX, etc. + standard_key: NIST-800-53 +- control_key: SC-19 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + This is not an applicable control for cloud.gov. 
It doesn't depend on any VoIP technologies. + - key: b + text: | + This is not an applicable control for cloud.gov. It doesn't depend on any VoIP technologies. + standard_key: NIST-800-53 +- control_key: SC-20 + covered_by: [] + implementation_status: complete + narrative: + - key: a + text: | + cloud.gov inherits from AWS CSP Route 53 the ability to use DNS with HTTP Strict Transport Security (HSTS) to achieve data origin authentication and integrity verification artifacts, along with the authoritative name resolution data the system returns in response to external name/address resolution queries. + - key: b + text: | + By allowing endpoints to use Public Key Infrastructure (PKI) certificates containing unique domain identifiers that map with top-level registered domain, cloud.gov provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. + standard_key: NIST-800-53 +- control_key: SC-21 + covered_by: [] + implementation_status: complete + narrative: + - text: | + It is a customer's responsibility to manage DNS according to FedRAMP standards. + standard_key: NIST-800-53 +- control_key: SC-22 + covered_by: [] + implementation_status: complete + narrative: + - text: | + It is a customer's responsibility to manage DNS according to FedRAMP standards. + standard_key: NIST-800-53 +- control_key: SC-23 + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov protects the authenticity of sessions by exclusively using HTTPS. + standard_key: NIST-800-53 +- control_key: SC-28 + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov protects the confidentiality and integrity of all information by using at-rest encryption. 
+ parameters: + - key: a + text: | + confidentiality; integrity + key: b + text: | + Administrative and policy information for Cloud Foundry UAA in the database + parameters: + - key: a + text: | + confidentiality; integrity + key: b + text: | + Administrative and policy information for Cloud Foundry UAA in the database + standard_key: NIST-800-53 +- control_key: SC-28 (1) + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov implements cryptographic mechanisms to prevent unauthorized disclosure and modification of all blobs created by BOSH and Cloud Foundry by implementing at-rest encryption and by checking file signatures. + parameters: + - key: a + text: | + Administrative and policy information + key: b + text: | + database + parameters: + - key: a + text: | + Administrative and policy information + key: b + text: | + database + standard_key: NIST-800-53 +- control_key: SC-39 + covered_by: [] + implementation_status: complete + narrative: + - text: | + cloud.gov maintains a separate execution domain for each executing process by running within its own self-contained environment, a Warden/Garden container that isolates processes, memory, and the file system. + standard_key: NIST-800-53 +system: 18F +verifications: +- key: KEY_ROTATION + name: Key Rotation Policy + path: https://github.com/18F/cg-docs/blob/master/content/ops/key-rotation.md + type: URL +- key: POLICY_DOC + name: policy document + path: https://github.com/18f/compliance-docs/blob/master/SC-Policy.md + type: url +- description: | + GIVEN the github link - THEN the policy has been updated within the last 180 days + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.749496 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/SI_Policy/component.yaml b/opencontrols/components/SI_Policy/component.yaml new file mode 100644 index 00000000..e028e509 --- /dev/null 
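Review bot: The SC-28 and SC-28 (1) entries each declare `parameters:` twice, and within each list the second parameter is written as `key: b` without a leading `- `, so `key`/`text` are repeated inside the same mapping as `key: a`; SC-7 (13) has the same shape, with a second `key: a` followed by an empty `text: |` in one list item. YAML loaders either reject duplicate mapping keys or silently keep only the last value, which would drop the `a` parameter (or, for SC-7 (13), replace the tool list with empty text), so compliance-masonry output for these controls is unreliable either way. The fix is to delete the repeated `parameters:` block in SC-28 and SC-28 (1) and make each parameter its own item, i.e. `- key: b` in place of `key: b`, and to remove the trailing `key: a` / `text: |` pair in SC-7 (13). Separately, the `verifications` list mixes `type: URL` and `type: url`; picking one spelling keeps the two entries comparable for any tooling that filters on type.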
+++ b/opencontrols/components/SI_Policy/component.yaml 
@@ -0,0 +1,394 @@ +--- +schema_version: 3.1.0 +documentation_complete: false +name: System and Information Integrity Policy for 18F +satisfies: +- control_key: SI-1 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F Policy + standard_key: NIST-800-53 +- control_key: SI-2 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + 18F identifies all system flaws related to cloud.gov, reports system flaws to information system owners, Authorizing officials, cloud.gov operators, and corrects information system flaws that affect cloud.gov. + - key: b + text: | + 18F tests software updates against a staging environment for any updates, including those related to flaw remediation, for effectiveness and potential side effects before deploying the updates to production environment. + Cloud Foundry manages software vulnerability using releases and BOSH stemcells. + New Cloud Foundry releases are created with updates to address code issues, while new + stemcells are created with patches for the latest security fixes to address + any underlying operating system issues. New Cloud Foundry releases are located + at https://github.com/cloudfoundry/cf-release. + - key: c + text: | + Installs security-relevant software and firmware updates within [FedRAMP Assignment: Within 30 days of release of updates] of the release of the updates + - key: d + text: | + 18F incorporates flaw remediation into the organizational configuration management process. + + 18F implements the release of Cloud Foundry and (or the software + developer/vendor in the case of software developed and maintained by a + vendor/contractor) promptly installs newly released security relevant + patches and tests patches, for effectiveness and potential + side effects on information systems before installation. 
+ parameters: + # [FedRAMP Assignment: Within 30 days of release of updates] + - key: SI-2 + text: | + promptly installs newly released + standard_key: NIST-800-53 +- control_key: SI-2 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov operators employ automated mechanisms daily to determine the state of information system components with regard to flaw remediation. + parameters: + # [Assignment: organization-defined frequency] + - key: SI-2 (2) + text: | + [Assignment: organization-defined frequency] + standard_key: NIST-800-53 +- control_key: SI-2 (3) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + cloud.gov operators measure the time between flaw identification + and flaw remediation + - key: b + text: | + cloud.gov operators teams establish an incident response plan for taking corrective actions. The cloud.gov incident response plan is documented at https://docs.cloud.gov/ops/security-ir/ + parameters: + # [Assignment: organization-defined benchmarks] + - key: SI-2 (3) + text: | + [Assignment: organization-defined benchmarks] + standard_key: NIST-800-53 +- control_key: SI-3 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + cloud.gov employs ClamAV at information system entry and exit points to detect and eradicate malicious code + - key: b + text: | + 18F updates ClamAV whenever new releases are available in accordance with organizational configuration management policy and procedures + - key: c + text: | + 18F configures ClamAV in cloud.gov to provide the following : + + 1. Real-time scans of cloud.gov applied on either a daily or weekly schedule for file reads and writes + + 2. Upon malicious code detection ClamAV identifies the virus in the file and quarantines it. 
Once the virus is quarantined, ClamAV sends a notification to cloud.gov operators through Riemann + + - key: d + text: | + cloud.gov addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. + parameters: + # [Assignment: organization- defined frequency] and real-time scans of files + # from external sources at [Selection (one or more); endpoint; network + # entry/exit points] + - key: SI-3 + text: | + [Assignment: organization- defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points]] + # [Selection (one or more): block malicious code; quarantine malicious code; + # send alert to administrator; [Assignment: organization-defined action]] + - key: SI-3 + text: | + [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] + standard_key: NIST-800-53 +- control_key: SI-3 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F centrally manages malicious code protection mechanisms. + standard_key: NIST-800-53 +- control_key: SI-3 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov automatically updates ClamAV + standard_key: NIST-800-53 +- control_key: SI-3 (7) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov implements nonsignature-based malicious code detection mechanisms. 
+ standard_key: NIST-800-53 +- control_key: SI-4 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + cloud.gov operators monitor the cloud.gov information + system to detect potential attacks and intrusions from internal and external + sources in accordance with the 18F System Information and Integrity Policy section + 3 - Information System monitoring, the FedRAMP Incident communication procedures, + and GSA CIO-IT Security-08-39 section "System Monitoring / Audit Record + Review" for GSA specific information systems. + - key: b + text: | + 18F identifies un-authorized access to the cloud.gov information system using automated monitoring + tools within its virtual private cloud for monitoring, log management and + event analysis. 18F monitors for attacks and indicators of potential attacks, + unauthorized local, network, and remote connections. + - key: c + text: | + The infrastructure + that hosts cloud.gov provides monitoring and intrusion detcetion of unusual activity + at the physical and network layers. 18F is responsible for monitoring everything + related to its virtual infrastructure and has deployed monitoring and intrusion + detection tools within its virtual private cloud to log and detect malicious + activities to its information systems including cloud.gov. + - key: d + text: | + 18F ensures intrusion and monitoring tools are protected from unauthorized access + by only granting access to certain members from the cloud.gov operators. + All monitoring and intrusion information data is protected by limiting accounts + to authorized privileged users only and is maintained in secured repositories + for review by those members. + - key: e + text: | + Information system monitoring will + be heightened based on advisories from Pivotal, US-CERT Advisories, commercial + security communities, and other sources. 
+ - key: f + text: | + Information system monitoring will be conducted in accordance and compliance + with 18F security policies and all applicable laws, Executive Orders, directives, + and regulations. + - key: g + text: | + 18F provides monitoring of all information system components. In the event + of an event or incident, information will be provided as it is available. Scheduled + reports will be provided for events such as after-hours administrative logins, + users being added to privileged groups, persistent malware detections, etc., + to designated members of the cloud.gov operators as needed. + standard_key: NIST-800-53 +- control_key: SI-4 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov operators use BOSH to configure and deploy Tripwire. + standard_key: NIST-800-53 +- control_key: SI-4 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F uses BOSH to configure and deploy Riemann to support near real-time analysis of events. + standard_key: NIST-800-53 +- control_key: SI-4 (4) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + # Need to add how often we check for unusual traffic or conditions + - text: | + cloud.gov monitors inbound and outbound communications traffic [FedRAMP Assignment: continually] for unusual or unauthorized activities or conditions. + standard_key: NIST-800-53 +- control_key: SI-4 (5) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov alerts the cloud.gov operators when + the following indications of compromise or potential compromise occur: + malicious code, file integrity, and network traffic. + standard_key: NIST-800-53 +- control_key: SI-4 (14) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + This control is not applicable. 
cloud.gov does not contain any wireless system. + standard_key: NIST-800-53 +- control_key: SI-4 (16) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F correlates information from Grafana employed throughout cloud.gov. + standard_key: NIST-800-53 +- control_key: SI-4 (23) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + 18F implements Riemann for host based monitoring and alerting. Riemann is utilized on cloud.gov to collect events from all the servers and applications. + Riemann sends an alert to cloud.gov operators if a system metric exceeds a defined threshold. + standard_key: NIST-800-53 +- control_key: SI-5 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + 18F receives information system security alerts, advisories, and directives from US-CERT on an ongoing basis; + - key: b + text: | + 18F generates internal security alerts, advisories, and directives as deemed necessary; + - key: c + text: | + 18F disseminates security alerts, advisories, and directives to: [Selection + (one or more): [Assignment: organization-defined personnel or roles]; + [Assignment: organization-defined elements within the organization]; + [Assignment: organization-defined external organizations]]; and + - key: d + text: | + 18F implements security directives in accordance with established time + frames, or notifies the issuing organization of the degree of noncompliance. + standard_key: NIST-800-53 +- control_key: SI-6 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + cloud.gov verifies the correct operation of services that detect malicious code, viruses, file integrity, network traffic, and security compliance of the OS using a contious integration tool called concourse. 
+ concourse is a contious integration tool that auotmates the build of security services in cloud.gov. + - key: b + text: | + Performs this verification on daily basis using concourse pipelines + - key: c + text: | + concourse notifies cloud.gov operators of failed security verification tests + - key: d + text: | + In the event the a service does not operate correctly, monit will attempt to restart the service upon failure. If the system is unresponsive then Bosh will restart the server in order to correct the operation of the service. + standard_key: NIST-800-53 +- control_key: SI-7 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F employs Tripwire to detect unauthorized changes to cloud.gov applications. + standard_key: NIST-800-53 +- control_key: SI-7 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov performs an integrity check using Tripwire at startup and every hour. + standard_key: NIST-800-53 +- control_key: SI-7 (7) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + 18F incorporates the detection of unauthorized access to the cloud.gov infrastructure, leveraged services, and other components used to deliver cloud.gov products and services as documented in + organizational incident response capability. + standard_key: NIST-800-53 +- control_key: SI-8 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + This control is not applicable since clould.gov does not accept or process any messages for other information systems or external sources. Therefore spam protection is not necessary. + - key: b + text: | + This control is not applicable since clould.gov does not accept or process any messages for other information systems or external sources. Therefore spam protection is not necessary. 
+ standard_key: NIST-800-53 +- control_key: SI-8 (1) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + This control is not applicable since clould.gov does not accept or process any messages for other information systems or external sources. Therefore spam protection is not necessary. + standard_key: NIST-800-53 +- control_key: SI-8 (2) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + This control is not applicable since clould.gov does not accept or process any messages for other information systems or external sources. Therefore spam protection is not necessary. + standard_key: NIST-800-53 +- control_key: SI-10 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov system monitors the integrity of system inputs using Tripwire. + standard_key: NIST-800-53 +- control_key: SI-11 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - key: a + text: | + cloud.gov generates errors through Riemann which then sends an alert to Pager Duty for action. + - key: b + text: | + Reveals error messages only to cloud.gov operators. + standard_key: NIST-800-53 +- control_key: SI-12 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov handles and retains information within cloud.gov system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. + standard_key: NIST-800-53 +- control_key: SI-16 + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: | + cloud.gov system implements ClamAV and Tripwire to protect its memory from unauthorized code execution. 
+ standard_key: NIST-800-53 +system: 18F +verifications: +- key: POLICY_DOC + name: policy document + path: https://github.com/18f/compliance-docs/blob/master/SI-Policy.md + type: url +- description: "GIVEN the github link - THEN the policy has been updated\ + \ within the last 180 days \n" + key: Policy_Update_Test + last_run: 2016-04-07 13:25:17.764795 + name: 18F Policies Update + path: BDD/policies.feature + test_passed: false + type: TEST diff --git a/opencontrols/components/SecureProxy/component.yaml b/opencontrols/components/SecureProxy/component.yaml new file mode 100644 index 00000000..a6f77bb5 --- /dev/null +++ b/opencontrols/components/SecureProxy/component.yaml @@ -0,0 +1,31 @@ +documentation_complete: false +name: SecureProxy +references: +- name: Reference Name + path: https://github.com/18F/cg-secureproxy-boshrelease + type: URL +satisfies: +- control_key: SC-13 + covered_by: [] + implementation_status: none + narrative: + - text: | + cloud.gov forces https using SecureProxy: + + Applications running on Cloud Foundry receive requests through the URLs configured + for the application. HTTP requests arrive on ports 80 and 443. Additionally, Cloud + Foundry requires a channel for TCP/WebSocket traffic. The default cf-release manifest + assigns port 4443 for TCP/WebSocket communications. + + All traffic from the public internet to the Cloud Controller and UAA happens over + HTTPS. Inside the boundary of the system, components communicate over publish-subscribe + (pub-sub) message bus, NATs on port 4222. + + To combat spoofing Cloud Foundry network traffic rules help prevent the attack + from accessing application containers. Cloud Foundry uses application isolation, + operating system restrictions, and encrypted connections to further mitigate risk. + + Application developers push their code using the Cloud Foundry API. Cloud Foundry + secures each call to the CF API using the UAA and SSL + standard_key: NIST-800-53 +schema_version: 3.1.0 
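Review bot: The SC-13 narrative in this file never says what SecureProxy itself does, so the control is not evidenced here; after the opening line `cloud.gov forces https using SecureProxy:` the paragraphs are general Cloud Foundry port and NATS text, and the same text reappears under SC-28 (1) in the UAA component. Add one sentence stating how the proxy forces HTTPS (redirecting plain HTTP, rejecting it, or both) — I cannot tell which from this diff — and trim the rest. The line `components communicate over publish-subscribe (pub-sub) message bus, NATs on port 4222` describes a channel inside the boundary without saying whether it is encrypted, which is exactly what an assessor reading a cryptographic-protection control will ask; state it explicitly either way. The reference entry still carries the placeholder `name: Reference Name`, and `schema_version: 3.1.0` differs from the `3.0.0` and `2.0` used by the sibling component files in this commit.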
diff --git a/opencontrols/components/UAA/component.yaml b/opencontrols/components/UAA/component.yaml new file mode 100644 index 00000000..d532b7f9 --- /dev/null +++ b/opencontrols/components/UAA/component.yaml 
@@ -0,0 +1,260 @@ +--- +documentation_complete: false +name: User Account and Authentication (UAA) Server +references: +- name: User Account and Authentication (UAA) Server + path: http://docs.pivotal.io/pivotalcf/concepts/architecture/uaa.html + type: URL +- name: Creating and Managing Users with the UAA CLI (UAAC) + path: http://docs.pivotal.io/pivotalcf/adminguide/uaa-user-management.html + type: URL +- name: UAA Roles + path: https://cf-p1-docs-prod.cfapps.io/pivotalcf/concepts/roles.html + type: URL +- name: Cloud Foundry Org Access + path: https://github.com/cloudfoundry/cloud_controller_ng/blob/master/spec/unit/access/organization_access_spec.rb + type: URL +- name: Cloud Foundry Space Access + path: https://github.com/cloudfoundry/cloud_controller_ng/blob/master/spec/unit/access/space_access_spec.rb + type: URL +satisfies: +- control_key: AC-2 + covered_by: [] + implementation_status: none + narrative: + - key: j + text: User accounts will be monitored monthly and accounts + will be disabled after 90 days of inactivity; this will be a manual review process + every 30 days, but the disablement will be automatic. + A manual review of all + user accounts will be conducted on an annual basis + - key: k + text: Cloud Foundry utilizes role based access controls (RBAC) for group membership within the platform + and does not issue shared/group account credentials. + standard_key: NIST-800-53 +- control_key: AC-2 (1) + covered_by: [] + implementation_status: complete + narrative: + - text: UAA CLI is a semi-automated command line based + account management system that enables operators to create, modify and deleted + user accounts and roles within the platform. https://docs.cloudfoundry.org/adminguide/uaa-user-management.html + standard_key: NIST-800-53 +- control_key: AC-2 (2) + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable. UAA does not contain any guest/anonymous, group, or + temporary user accounts. 
Administrators only creates individual user accounts and grants + role based access to users within UAA. There are no guest/anonymous, group, + or temporary user accounts. + standard_key: NIST-800-53 +- control_key: AC-2 (4) + covered_by: + - verification_key: POLICY_DOC + implementation_status: none + narrative: + - text: All account activity is logged using the UAA system which can be reviewed for auditing purposes. + standard_key: NIST-800-53 +- control_key: AC-2 (7) + covered_by: [] + implementation_status: none + narrative: + - key: b + text: | + UAA centralizes all role assignment and all user management activity is logged and monitored. + standard_key: NIST-800-53 +- control_key: IA-2 + covered_by: [] + implementation_status: none + narrative: + - text: |- + The UAA is the identity management service for Cloud Foundry. Its primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. In collaboration with the login server, it authenticates users with their Cloud Foundry credentials, and act as a Single Sign-On (SSO) service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions. + All users have individually unique identifiers to access and authenticates to the environment. Shared or group authenticators are not utilized, with the exception of a root administrative account. There are only two authorized users from the DevOps team who has access to the root administrative account. + standard_key: NIST-800-53 + +- control_key: IA-2 (5) + covered_by: [] + implementation_status: none + narrative: + - text: This controls is not applicable. here are are no group accounts within the + Cloud.Gov platform. 
+ standard_key: NIST-800-53 +- control_key: IA-2 (8) + covered_by: [] + implementation_status: none + narrative: + - text: |- + Cloud.gov a limit of 5 consecutive invalid logon attempts by a user during a 15 minute period + Automatically; locks the account/node for 20 minutes when the maximum number of unsuccessful attempts is exceeded + Account log out is set to 15 minutes of inactivity. + standard_key: NIST-800-53 +- control_key: IA-2 (12) + covered_by: [] + implementation_status: none + narrative: + - text: PIV card access is Not applicable for the Cloud Foundry PaaS + standard_key: NIST-800-53 +- control_key: IA-2 (1) + covered_by: [] + implementation_status: none + narrative: + - text: Cloud.Gov does not have MFA capabilities implemented. Cloud.Gov currently + utilizes username and password for identification and authentication of non-privileged + accounts. + standard_key: NIST-800-53 +- control_key: IA-2 (11) + covered_by: [] + implementation_status: none + narrative: + - text: Cloud.Gov does not have MFA capabilities implemented. Cloud.Gov currently + utilizes username and password for identification and authentication of non-privileged + accounts. + standard_key: NIST-800-53 +- control_key: AC-2 (9) + covered_by: [] + implementation_status: none + narrative: + - text: NA - This control is not applicable. Group accounts are not allowed within + the 18F VPC and the Cloud.Gov platform + standard_key: NIST-800-53 +- control_key: AC-2 (5) + covered_by: [] + implementation_status: none + narrative: + - text: Account log out is set to 15 minutes of inactivity. + standard_key: NIST-800-53 +- control_key: AC-2 (10) + covered_by: [] + implementation_status: none + narrative: + - text: This control is not applicable. 
Group accounts are not allowed within the + 18F VPC and the Cloud.Gov PaaS + standard_key: NIST-800-53 +- control_key: AC-3 + covered_by: [] + implementation_status: none + narrative: + - text: |- + 18F follows best practices by implementing the majority of the following: + - Use RBAC model to restrict users’ access to only what is necessary to complete their tasks. + - Use a strong passphrase for both Cloud.gov user account and SSH keys. + - Configure UAA clients and users using a BOSH manifest. Limit and manage these clients and users as you would any other kind of privileged account. + standard_key: NIST-800-53 +- control_key: IA-3 + covered_by: [] + implementation_status: none + narrative: + - text: Not Applicable to Cloud Foundry + standard_key: NIST-800-53 +- control_key: AC-4 + covered_by: [] + implementation_status: none + narrative: + - text: |- + The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on the 18F Access Control Policy Section 3 - Information Flow Enforcement which states: + - 18F enforces approved authorizations for controlling the flow of information within its information systems and between interconnected systems in accordance with applicable federal laws and 18F policies and procedures. + - 18F shall use flow control restrictions to include: keeping export controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization and not passing any web requests to the Internet that are not from the internal web proxy. 
+ - 18F shall use boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on content (e.g., using key word searches or document characteristics. + standard_key: NIST-800-53 +- control_key: AC-7 + covered_by: + - verification_key: CLOUDGOV_LOGIN_PAGE + implementation_status: none + narrative: + - text: "#### a \nCloud.gov displays banner on the cloud.gov login page\n \n#### + b \nThe banner displays on the login page until the user is logged in\n \n#### + c \nThe banner displays all requirements" + standard_key: NIST-800-53 +- control_key: AC-10 + covered_by: [] + implementation_status: none + narrative: + - text: Cloud.gov does not support capability to limit active sessions and as a + cloud-based system it was not designed to limit the number of active sessions. + standard_key: NIST-800-53 +- control_key: SI-10 + covered_by: [] + implementation_status: complete + narrative: + - text: The UAA uses an api with set endpoint and parameters. Users depending on + thier authorized access can only make request to specific endpoint that activate + specific functions that take a limited and defined set of parameters. + standard_key: NIST-800-53 +- control_key: AC-11 (1) + covered_by: + - verification_key: CLOUDGOV_LOGIN_PAGE + implementation_status: none + narrative: + - text: The Cloud.gov login page hides user passwords using asterisks, the Cloud + Foundry along with the bosh cli also obfuscate user passwords. + standard_key: NIST-800-53 +- control_key: AC-11 + covered_by: [] + implementation_status: none + narrative: + - text: A session limit of 15 minutes is implemented on inactive accounts within + the Cloud.gov platform. All sessions are terminated after this period, but sesssion + are not locked. 
+ standard_key: NIST-800-53 +- control_key: AC-12 + covered_by: [] + implementation_status: none + narrative: + - text: A session limit of 15 minutes is implemented on inactive accounts within + the Cloud.gov platform. + standard_key: NIST-800-53 +- control_key: SC-13 + covered_by: [] + implementation_status: none + narrative: + - text: |- + As for stored data the following cryptographic mechanisms are used to prevent unauthorized disclosure and modification of stored data. + Operators configure encryption of the identity store in the UAA. When users register an account with the Cloud Foundry platform, the UAA acts as the user store and stores user passwords in the UAA database using bcrypt, a blowfish encryption algorithm, which enables Cloud Foundry to store a secure hash of user passwords. + The Cloud Controller stores the configuration for an application in an encrypted database table. This configuration data includes user-specified environment variables and service credentials for any services bound to the app. + standard_key: NIST-800-53 +- control_key: AC-14 + covered_by: [] + implementation_status: none + narrative: + - text: "#### a \nThere are no permitted actions without identification and authentication + to Cloud.Gov. The Cloud Controller rejects any broker registration that does + not contain a username and password. The Cloud Controller authenticates every + request with the Service Broker API using HTTP or HTTPS, depending on which + protocol you specify during broker registration.\n \n#### b \nIt is not possible + for members of the 18F Devops and SecOps teams to aceess the 18F virtual private + cloud infrastructure without muitifactor authetication and identification. All + clinet users of Cloud.gov must login using authenticated credentials in order + to acess the system as stated in Part A above." 
+ standard_key: NIST-800-53 +- control_key: SC-28 (1) + covered_by: [] + implementation_status: none + narrative: + - text: |- + The Cloud Foundry platform as a service does NOT create, store or process any personally identifiable information (PII) or sensitive information as identified by parameter requirement 1. + + Applications running on Cloud Foundry receive requests through the URLs configured for the application. HTTP requests arrive on ports 80 and 443. Additionally, Cloud Foundry requires a channel for TCP/WebSocket traffic. The default cf-release manifest assigns port: 4443 for TCP/WebSocket communications. + All traffic from the public internet to the Cloud Controller and UAA happens over HTTPS. Inside the boundary of the system, components communicate over a publish-subscribe (pub-sub) port: 4222 message bus, NATs + + For stored data identified by parameter 2, the following cryptographic mechanisms are used to prevent unauthorized disclosure and modification of stored data. + Operators configure encryption of the identity store in the UAA. When users register an account with the Cloud Foundry platform, the UAA, acts as the user store and stores user passwords in the UAA database using bcrypt. Bcrypt is a blowfish encryption algorithm, which enables cloud foundry to store a secure hash of your users' passwords. + The Cloud Controller stores the configuration for an application in an encrypted database table. This configuration data includes user-specified environment variables and service credentials for any services bound to the app. + Application developers push their code using the Cloud Foundry API. Cloud Foundry secures each call to the CF API using the UAA and SSL + To combat spoofing Cloud Foundry network traffic rules help prevents the attack from accessing application containers. Cloud Foundry uses application isolation, operating system restrictions, and encrypted connections to further mitigate risk. 
+ standard_key: NIST-800-53 +schema_version: "3.0.0" +verifications: +- key: CLOUDGOV_LOGIN_PAGE + name: Cloud.gov Login Page + path: https://login.cloud.gov/login + type: URL +- description: "GIVEN I am a user that can login WHEN I attempt to login 3 times and + fail THEN I am not locked out \nGIVEN I am a user that can login WHEN I attempt + to login 6 times and fail THEN I am locked out \n" + key: Account_Lockout_Tests + last_run: 2016-04-08 09:18:44.795280000 -05:00 + name: CloudFoundry User Account and Authentication (UAA) Server Features + path: BDD/UAA.feature + test_passed: true + type: TEST diff --git a/opencontrols/components/VPC/component.yaml b/opencontrols/components/VPC/component.yaml new file mode 100644 index 00000000..27b66ea6 --- /dev/null +++ b/opencontrols/components/VPC/component.yaml 
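Review bot: The IA-2 narrative states that a shared root administrative account exists and that two DevOps team members have access to it, while IA-2 (5), AC-2 (9) and AC-2 (10) in the same file assert that there are no group or shared accounts on the platform; an assessor will read these as contradictory. Either the root account is individually attributed (then say how) or the IA-2 (5) entry should describe the compensating measures for the shared credential — who holds it, how its use is logged to a named person, and how it is reissued when a holder leaves (the AC-2 k process). Separately, the SC-13 and SC-28 (1) narratives call bcrypt `a blowfish encryption algorithm` while the same sentence says it stores a hash; bcrypt is a Blowfish-derived password hashing function, so `stores user passwords in the UAA database as bcrypt hashes` is the accurate wording. The AC-2 (1) entry is marked `implementation_status: complete` but its text is the only one in the file with that status and it only names the CLI; if the automation is the UAAC tooling, say so, and fix `deleted` to `delete` in that sentence.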
@@ -0,0 +1,67 @@ +documentation_complete: false +name: Amazon Virtual Private Cloud +references: +- name: Amazon VPC + path: https://aws.amazon.com/vpc/ + type: URL +satisfies: +- control_key: AC-4 (21) + covered_by: [] + implementation_status: none + narrative: 'The virtual private cloud logically separates the hosted services from other information systems within its environment. Any service built using AWS VPC will reside within its + own virtual private network and may have its own dedicated elastic load balancers for incoming traffic. + + ' + standard_key: NIST-800-53 +- control_key: SC-7 + covered_by: [] + implementation_status: none + narrative: "#### a \nAWS Boundary Protection - Secure Network Architecture\n18F\ + \ utilizes the AWS provided virtual network devices, including firewall and other\ + \ boundary devices, in place to monitor and control communications at the external\ + \ boundary of the network and at key internal boundaries within the network. These\ + \ boundary devices employ rule sets, access control lists (ACL), and configurations\ + \ to enforce the flow of information to specific information system services.\n\ + ACLs, or traffic flow policies, are established on each managed interface, which\ + \ manage and enforce the flow of traffic.\n Designated privileged users(PU) connects to\ + \ an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol\ + \ that is designed to protect against eavesdropping, tampering, and message forgery.\n\ + PU utilizes the AWS Virtual Private Cloud (VPC), which provides a private subnet\ + \ within the AWS cloud. Each VPC is configured to utilize Routing Rules, Subnet\ + \ Rules, and Security Group Rules. Each of these controls must have appropriate\ + \ rules and routes in-place before any external service is able to reach a host\ + \ within AWS.\n \n#### b \nEach VPC is configured to utilize Routing Tables,\ + \ and Security Groups. 
Each of these controls must have appropriate rules and\ + \ routes in-place before any external service is able to reach the host within the \ + \ information system boundry.\n \n#### c \nThe information system is internal to the defined\ + \ VPC and does not connect to external networks or information\ + \ systems outside the VPC.\n \n" + standard_key: NIST-800-53 +- control_key: AC-17 (4) + covered_by: [] + implementation_status: none + narrative: "Since the infromation system platform resides within the defined virtual infrastructure,\ + \ Privileged User (PU) must use SSH remote access method to troubleshoot issues and\ + \ update services that are only resolved by logging into a Bastion Host (BH).\ + \ The BH themselves are virtual machine deployed within the organization's\ + \ virtual private cloud. They are the only access points for designated PU\ + \ members to run privileged commnds that affect the entire platform. No other\ + \ privileged remote access is available to the information system.\n" + standard_key: NIST-800-53 +- control_key: AC-4 + covered_by: [] + implementation_status: none + narrative: "The organization incorporates security features within its vpc such as IAM security\ + \ groups, network ACLs, routing tables, and external gateways. Each of these items\ + \ is complementary to providing a secure, isolated network.\nNetwork Access control\ + \ lists (ACLs) are created to allow or deny traffic entering or exiting these\ + \ subnets. Each subnet has routing tables attached to them to direct the flow\ + \ of network traffic to Internet gateways, virtual private gateways, Network Address\ + \ Translation (NAT) for private subnets.\nThe organization's Virtual Private Cloud (VPC) infrastructure\ + \ has firewalls enabling filtering on both ingress and egress traffic from its\ + \ instances. 
The default group enables inbound communication from other members\ + \ of the same group and outbound communication to any destination.\nTraffic is\ + \ restricted by IP protocol, by service port, as well as source/destination IP\ + \ address (individual IP or Classless Inter-Domain Routing (CIDR) block).\n" + standard_key: NIST-800-53 +schema_version: 2.0 diff --git a/opencontrols/components/Warden/component.yaml b/opencontrols/components/Warden/component.yaml new file mode 100644 index 00000000..bac8f4f8 --- /dev/null +++ b/opencontrols/components/Warden/component.yaml @@ -0,0 +1,16 @@ +documentation_complete: false +name: Warden +satisfies: +- control_key: AC-4 (21) + covered_by: [] + implementation_status: none + narrative: 'Warden ALLOW rules: Any Warden Server configuration `allow` rules. Set + Warden Server configuration rules in the Droplet Execution Agent (DEA) configuration + section of your deployment manifest. + + Warden DENY rules: Any Warden Server configuration `deny` rules. Set Warden Server + configuration rules in the DEA configuration section of your deployment manifest. + + ' + standard_key: NIST-800-53 +schema_version: 2.0 diff --git a/opencontrols/components/compliance/component.yml b/opencontrols/components/compliance/component.yml new file mode 100644 index 00000000..0598e393 --- /dev/null +++ b/opencontrols/components/compliance/component.yml 
@@ -0,0 +1,251 @@ +schema_version: 3.0.0 +name: Micro-purchase +documentation_complete: false +references: +- name: New Relic Application Monitoring + path: https://newrelic.com/application-monitoring + type: URL +- name: Repository's Github + path: https://github.com/18F/micropurchase + type: URL +- name: User Provided Service Documentation + path: https://docs.cloudfoundry.org/devguide/services/user-provided.html + type: URL + type: URL +- name: OWASP's ZAP + path: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project + type: URL +satisfies: +- standard_key: NIST-800-53 + control_key: AC-2 # Account Management + narrative: + - text: > + Within our application (see cloud.gov for lower-level controls), + Contract Officer user accounts are created and managed by a data + administrator. Authentication is provided by cloud.gov's User + Account and Authentication (UAA) server, while authorization is + provided by the Django application; if a data administrator + hasn't explicitly created a user account for an individual and + associated it with the same government-issued email address that they + log in to cloud.gov with, the user is denied access to all parts + of the site requiring login. +- standard_key: NIST-800-53 + control_key: AC-3 # Access Enforcement + narrative: + - text: > + Information about approved price list data is meant to be accessed + by the general public. Submitted price lists that have not yet + been reviewed, or which have been rejected, are visible only to + data administrators and the Contract Officers who uploaded them. +- standard_key: NIST-800-53 + control_key: AC-6 # Least Privilege + narrative: + - text: > + At the application level (see cloud.gov for lower-level controls), + only data administrators have the ability to modify approved price + list data. Any data modifications made by Contract Officers must be + reviewed by a data administrator before they can be made available to + the general public. 
+- standard_key: NIST-800-53 + control_key: AU-2 # Audit Events + narrative: + - text: > + Cloud.gov logs requests, failures, warnings, etc. emitted by the + application. We also utilize New Relic, which registers Python-level + exceptions and periods of down-time. + covered_by: + - verification_key: new-relic +- standard_key: NIST-800-53 + control_key: AU-6 # Audit Review, Analysis, and Reporting + narrative: + - text: > + In addition to the low-level reporting provided by cloud.gov, New Relic + sends email alerts to the team after repeated errors or down-time. + covered_by: + - verification_key: new-relic +- standard_key: NIST-800-53 + control_key: CA-8 # Penetration Testing + narrative: + - text: No controls on top of cloud.gov's +- standard_key: NIST-800-53 + control_key: CM-2 # Baseline Configuration + narrative: + - text: No controls on top of cloud.gov's +- standard_key: NIST-800-53 + control_key: CM-3 # Configuration Change Control + narrative: + - text: > + In addition to cloud.gov controls, all code is reviewed on GitHub before + being merged into the "master" branch. These changes are tested + automatically via Travis CI (which runs unit, integration tests, and + static analysis) as well as manual testing for visual regressions. + Proposed changes have appropriate justification (describing problems + resolved or referencing further details in an issue tracker) in either + their commit history or as part of the GitHub Pull Request. Proposed + changes which fail automated tests are generally not merged. Only the + tested, "master" branch code is deployed, on an ad-hoc basis. + references: + - verification_key: github + - verification_key: travis +- standard_key: NIST-800-53 + control_key: CM-6 # Configuration Settings + narrative: + - text: > + As described in README.md and deploy.md, configurable settings are + defined in a handful of locations. Configuration for cloud.gov + environments is located in the manifests directory and + hourglass/settings.py. 
Configurations which are + specific to one cloud.gov environment (i.e. either the staging or + production environment) are located in the appropriate manifest-*.yml + file or stored in and provided by a cloud.gov "user provided + service". + references: + - verification_key: ups +- standard_key: NIST-800-53 + control_key: CM-8 # Information System Component Inventory + narrative: + - text: > + In addition to the controls provided by cloud.gov, the application + tracks components through versioned library dependencies + (Gemfile), as well as a listing of relevant cloud.gov services + (mentioned in the README and docs/deployment.md) +- standard_key: NIST-800-53 + control_key: IA-2 # Identification and Authentication (Organizational + # Users) + narrative: + - text: > + Cloud.gov controls cover the majority, here. Authentication is + provided by cloud.gov's User Account and Authentication (UAA) server + using an OAuth2-based OpenID Connect handshake. +- standard_key: NIST-800-53 + control_key: IA-2 (1) # Identification and Authentication (Organizational + # Users) + # Network Access to Privileged Accounts + narrative: + - text: See cloud.gov controls. +- standard_key: NIST-800-53 + control_key: IA-2 (2) # Identification and Authentication (Organizational + # Users) + # Network Access to Non-Privileged Accounts + narrative: + - text: See cloud.gov controls. +- standard_key: NIST-800-53 + control_key: IA-2 (12) # Identification and Authentication (Organizational + # Users) + # Acceptance of PIV Credentials + narrative: + - text: See cloud.gov controls. +- standard_key: NIST-800-53 + control_key: PL-8 # Information Security Architecture + narrative: + - text: > + In addition to cloud.gov controls, all data in the system is public. +- standard_key: NIST-800-53 + control_key: RA-5 # Vulnerability Scanning + narrative: + - text: > + In addition to cloud.gov controls, the application layer is scanned with + both static and dynamic tooling. 
Before being merged into "develop" and + "master", all custom code is automatically analyzed by Brakeman + (static code analysis of Rails apps for known security vulnerabilities), + and a handful of custom, security-centric unit tests. + Code which does not meet these standards is generally not + merged. We also employ Gemnasium to track our dependencies and + Code Climate to warn of potentially concerning style. + + For static analysis, we've addressed all critical issues raised by + evaluating the application with OWASP ZAP. + references: + - verification_key: hakiri + - verification_key: gemnasium + - verification_key: brakeman + - verification_key: code-climate + - verification_key: owasp-zap +- standard_key: NIST-800-53 + control_key: SA-11 (1) # Developer Security Testing and Evaluation + # Static Code Analysis + narrative: + - text: > + In addition to cloud.gov controls, the application layer is scanned with + both static and dynamic tooling. Before being merged into "develop" and + "master", all custom code is automatically analyzed by Brakeman + (static code analysis of Rails apps for known security vulnerabilities), + and a handful of custom, security-centric unit tests. + Code which does not meet these standards is generally not + merged. We also employ Gemnasium to track our dependencies and + Code Climate to warn of potentially concerning style. + + For static analysis, we've addressed all critical issues raised by + evaluating the application with OWASP ZAP. + references: + - verification_key: hakiri + - verification_key: gemnasium + - verification_key: brakeman + - verification_key: code-climate + - verification_key: owasp-zap +- standard_key: NIST-800-53 + control_key: SA-22 (1) # Unsupported System Components + # Alternative Sources for Continued Support + narrative: + - text: > + At the application layer (see cloud.gov controls for lower), one + selection criteria for libraries was their support status. 
Should a + library fall in to an unsupported state, 18F has the capacity to + maintain it in-house. +- standard_key: NIST-800-53 + control_key: SC-7 # Boundary Protection + narrative: + - text: See cloud.gov controls. +- standard_key: NIST-800-53 + control_key: SC-12 (1) # Cryptographic Key Establishment and Management + # Availability + narrative: + - text: > + At the application layer (see cloud.gov controls for lower), all keys + are available to authorized users by querying cloud.gov's "services", + including "custom user provided services". +- standard_key: NIST-800-53 + control_key: SC-13 # Cryptographic Protection + narrative: + - text: See cloud.gov controls, which ensure HTTPS throughout. +- standard_key: NIST-800-53 + control_key: SC-28 (1) # Protection of Information at Rest + # Cryptographic Protection + narrative: + - text: See cloud.gov controls. +- standard_key: NIST-800-53 + control_key: SI-2 # Flaw Remediation + narrative: + - text: > + At the application layer (see cloud.gov controls for lower), all custom + code passes through a set of automated unit and integration tests via + Travis CI. Library dependencies are verified up to date via Gemnasium. + Production errors are captured via New Relic and emailed to + relevant parties. Further, code is first deployed (automatically) to + our staging environment, where we may discover errors before appearing + in production. + references: + - verification_key: travis + - verification_key: new-relic + - verification_key: gemnasium +- standard_key: NIST-800-53 + control_key: SI-4 # Information System Monitoring + narrative: + - text: See cloud.gov controls. +- standard_key: NIST-800-53 + control_key: SI-10 # Information Input Validation + narrative: + - text: See cloud.gov controls. 
+verifications: +- key: travis + name: Repository's Travis CI + path: https://travis-ci.org/18F/micropurchase + type: URL +- key: code-climate + name: Project's Code Climate Results + path: https://codeclimate.com/github/18F/micropurchase + type: URL +- key: gemnasium + name: Project's Gemnasium Results + path: https://gemnasium.com/github.com/18F/micropurchase + type: URL diff --git a/opencontrols/standards/NIST-800-53.yaml b/opencontrols/standards/NIST-800-53.yaml new file mode 100644 index 00000000..0b16ea09 --- /dev/null +++ b/opencontrols/standards/NIST-800-53.yaml 
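Review bot: The `references` and `covered_by` entries in this file point to verification keys `github`, `ups`, `new-relic`, `hakiri`, `brakeman` and `owasp-zap`, but the `verifications` list at the end defines only `travis`, `code-climate` and `gemnasium`, so those links dangle when the component is rendered. The `User Provided Service Documentation` reference carries `type: URL` twice, which YAML loaders treat as a duplicate mapping key — some reject the document, others silently keep one copy; delete the second line. The narratives also disagree with each other about the stack: AC-2 says authorization is `provided by the Django application` and CM-6 points at `hourglass/settings.py` and a `manifests` directory, while CM-8 and RA-5 describe a Rails app with a `Gemfile` and Brakeman, and AU-2 says New Relic registers `Python-level exceptions`. Whichever application this component describes, the stale paragraphs should be rewritten against it so an assessor is not pointed at files that do not exist in this repository.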
@@ -0,0 +1,3111 @@
+AC-1:
+ family: AC
+ name: Access Control Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment:
+ organization-defined personnel or roles]:
+ 1. An access control policy that addresses purpose, scope, roles,
+ responsibilities, management commitment, coordination among organizational
+ entities, and compliance; and
+ 2. Procedures to facilitate the
+ implementation of the access control policy and associated access
+ controls; and
+ b. Reviews and updates the current:
+ 1. Access control policy [Assignment: organization-defined frequency]; and
+ 2. Access control procedures [Assignment: organization-defined
+ frequency].'
+
+AC-2:
+ family: AC
+ name: Account Management
+ description: |
+ 'The organization:
+ a. Identifies and selects the following types of information system accounts
+ to support organizational missions/business functions: [Assignment:
+ organization-defined information system account types];
+ b. Assigns account managers for information system accounts;
+ c. Establishes conditions for group and role membership;
+ d. Specifies authorized users of the information system, group and role
+ membership, and access authorizations (i.e., privileges) and other
+ attributes (as required) for each account;
+ e. Requires approvals by [Assignment: organization-defined personnel or
+ roles] for requests to create information system accounts;
+ f. Creates, enables, modifies, disables, and removes information system
+ accounts in accordance with [Assignment: organization-defined procedures or
+ conditions];
+ g. Monitors the use of information system accounts;
+ h. Notifies account managers:
+ 1. When accounts are no longer required;
+ 2. When users are terminated or transferred; and
+ 3. When individual information system usage or need-to-know changes;
+ i. Authorizes access to the information system based on:
+ 1. A valid access authorization;
+ 2.
Intended system usage; and
+ 3. Other attributes as required by the organization or associated missions/business functions;
+ j. Reviews accounts for compliance with account management requirements
+ [Assignment: organization-defined frequency]; and
+ k. Establishes a process for reissuing shared/group account credentials (if
+ deployed) when individuals are removed from the group.'
+
+AC-2 (1):
+ family: AC
+ name: Account Management | Automated System Account Management
+ description: |
+ 'The organization employs automated mechanisms to support the management of information system accounts.'
+
+AC-2 (2):
+ family: AC
+ name: Account Management | Removal of Temporary / Emergency Accounts
+ description: |
+ 'The information system automatically [Selection: removes; disables]
+ temporary and emergency accounts after [Assignment: organization-defined
+ time period for each type of account].'
+
+AC-2 (3):
+ family: AC
+ name: Account Management | Disable Inactive Accounts
+ description: |
+ 'The information system automatically disables inactive accounts after
+ [Assignment: organization-defined time period].'
+
+AC-2 (4):
+ family: AC
+ name: Account Management | Automated Audit Actions
+ description: |
+ 'The information system automatically audits account creation, modification,
+ enabling, disabling, and removal actions, and notifies [Assignment:
+ organization-defined personnel or roles].'
+
+AC-2 (5):
+ family: AC
+ name: Account Management | Inactivity Logout
+ description: |
+ 'The organization requires that users log out when [Assignment:
+ organization-defined time-period of expected inactivity or description of
+ when to log out].'
+
+AC-2 (7):
+ family: AC
+ name: Account Management | Role-Based Schemes
+ description: |
+ 'The organization:
+ AC-2 (7)(a) Establishes and administers privileged user accounts in
+ accordance with a role-based access scheme that organizes allowed
+ information system access and privileges into roles;
+ AC-2 (7)(b) Monitors privileged role assignments; and
+ AC-2 (7)(c) Takes [Assignment: organization-defined actions] when privileged
+ role assignments are no longer appropriate.'
+
+AC-2 (9):
+ family: AC
+ name: Account Management | Restrictions on Use of Shared Groups / Accounts
+ description: |
+ 'The organization only permits the use of shared/group accounts that meet
+ [Assignment: organization-defined conditions for establishing shared/group
+ accounts].'
+
+AC-2 (10):
+ family: AC
+ name: Account Management | Shared / Group Account Credential Termination
+ description: |
+ 'The information system terminates shared/group account credentials when
+ members leave the group.'
+
+AC-2 (12):
+ family: AC
+ name: Account Management | Account Monitoring / Atypical Usage
+ description: |
+ 'The organization:
+ AC-2 (12)(a) Monitors information system accounts for [Assignment:
+ organization-defined atypical usage]; and
+ AC-2 (12)(b) Reports atypical usage of information system accounts to
+ [Assignment: organization-defined personnel or roles].'
+
+AC-3:
+ family: AC
+ name: Access Enforcement
+ description: |
+ 'The information system enforces approved authorizations for logical access
+ to information and system resources in accordance with applicable access
+ control policies.'
+
+AC-4:
+ family: AC
+ name: Information Flow Enforcement
+ description: |
+ 'The information system enforces approved authorizations for controlling the
+ flow of information within the system and between interconnected systems
+ based on [Assignment: organization-defined information flow control
+ policies].'
+
+AC-4 (21):
+ family: AC
+ name: Information Flow Enforcement | Physical / Logical Separation of Information
+ Flows
+ description: |
+ 'The information system separates information flows logically or physically
+ using [Assignment: organization-defined mechanisms and/or techniques] to
+ accomplish [Assignment: organization-defined required separations by types
+ of information].'
+
+AC-5:
+ family: AC
+ name: Separation of Duties
+ description: |
+ 'The organization:
+ a. Separates [Assignment: organization-defined duties of individuals];
+ b. Documents separation of duties of individuals; and
+ c. Defines information system access authorizations to support separation of
+ duties.'
+
+AC-6:
+ family: AC
+ name: Least Privilege
+ description: |
+ 'The organization employs the principle of least privilege, allowing only
+ authorized accesses for users (or processes acting on behalf of users) which
+ are necessary to accomplish assigned tasks in accordance with organizational
+ missions and business functions.'
+
+AC-6 (1):
+ family: AC
+ name: Least Privilege | Authorize Access to Security Functions
+ description: |
+ 'The organization explicitly authorizes access to [Assignment:
+ organization-defined security functions (deployed in hardware, software, and
+ firmware) and security-relevant information].'
+
+AC-6 (2):
+ family: AC
+ name: Least Privilege | Non-Privileged Access For No security Functions
+ description: |
+ 'The organization requires that users of information system accounts, or
+ roles, with access to [Assignment: organization-defined security functions
+ or security-relevant information], use non-privileged accounts or roles,
+ when accessing nonsecurity functions.'
+
+AC-6 (5):
+ family: AC
+ name: Least Privilege | Privileged Accounts
+ description: |
+ 'The organization restricts privileged accounts on the information system to
+ [Assignment: organization-defined personnel or roles].'
+
+AC-6 (9):
+ family: AC
+ name: Least Privilege | Auditing Use of Privileged Functions
+ description: |
+ 'The information system audits the execution of privileged functions.'
+
+AC-6 (10):
+ family: AC
+ name: Least Privilege | Prohibit Non-privileged Users from Executing Privileged
+ Functions
+ description: |
+ 'The information system prevents non-privileged users from executing
+ privileged functions to include disabling, circumventing, or altering
+ implemented security safeguards/countermeasures.'
+
+AC-7:
+ family: AC
+ name: Unsuccessful Logon Attempts
+ description: |
+ 'The information system:
+ a. Enforces a limit of [Assignment: organization-defined number] consecutive
+ invalid logon attempts by a user during a [Assignment: organization-defined
+ time period]; and
+ b. Automatically [Selection: locks the account/node for an [Assignment:
+ organization-defined time period]; locks the account/node until released by
+ an administrator; delays next logon prompt according to [Assignment:
+ organization-defined delay algorithm]] when the maximum number of
+ unsuccessful attempts is exceeded.'
+
+AC-8:
+ family: AC
+ name: System Use Notification
+ description: |
+ 'The information system:
+ a. Displays to users [Assignment: organization-defined system use
+ notification message or banner] before granting access to the system that
+ provides privacy and security notices consistent with applicable federal
+ laws, Executive Orders, directives, policies, regulations, standards, and
+ guidance and states that:
+ 1. Users are accessing a U.S. Government information system;
+ 2. Information system usage may be monitored, recorded, and subject to
+ audit;
+ 3. Unauthorized use of the information system is prohibited and subject to
+ criminal and civil penalties; and
+ 4. Use of the information system indicates consent to monitoring and
+ recording;
+ b.
Retains the notification message or banner on the screen until users
+ acknowledge the usage conditions and take explicit actions to log on to or
+ further access the information system; and
+ c. For publicly accessible systems:
+ 1. Displays system use information [Assignment: organization-defined
+ conditions], before granting further access;
+ 2. Displays references, if any, to monitoring, recording, or auditing that
+ are consistent with privacy accommodations for such systems that generally
+ prohibit those activities; and
+ 3. Includes a description of the authorized uses of the system.'
+
+AC-10:
+ family: AC
+ name: Concurrent Session Control
+ description: |
+ 'The information system limits the number of concurrent sessions for each
+ [Assignment: organization-defined account and/or account type] to
+ [Assignment: organization-defined number].'
+
+AC-11:
+ family: AC
+ name: Session Lock
+ description: |
+ 'The information system:
+ a. Prevents further access to the system by initiating a session lock after
+ [Assignment: organization-defined time period] of inactivity or upon
+ receiving a request from a user; and
+ b. Retains the session lock until the user reestablishes access using
+ established identification and authentication procedures.'
+
+AC-11 (1):
+ family: AC
+ name: Session Lock | Pattern-Hiding Displays
+ description: |
+ 'The information system conceals, via the session lock, information
+ previously visible on the display with a publicly viewable image.'
+
+AC-12:
+ family: AC
+ name: Session Termination
+ description: |
+ 'The information system automatically terminates a user session after
+ [Assignment: organization-defined conditions or trigger events requiring
+ session disconnect].'
+
+AC-14:
+ family: AC
+ name: Permitted Actions Without Identification or Authentication
+ description: |
+ 'The organization:
+ a.
Identifies [Assignment: organization-defined user actions] that can be
+ performed on the information system without identification or authentication
+ consistent with organizational missions/business functions; and
+ b. Documents and provides supporting rationale in the security plan for the
+ information system, user actions not requiring identification or
+ authentication.'
+
+AC-17:
+ family: AC
+ name: Remote Access
+ description: |
+ 'The organization:
+ a. Establishes and documents usage restrictions, configuration/connection
+ requirements, and implementation guidance for each type of remote access
+ allowed; and
+ b. Authorizes remote access to the information system prior to allowing such
+ connections.'
+
+AC-17 (1):
+ family: AC
+ name: Remote Access | Automated Monitoring / Control
+ description: |
+ 'The information system monitors and controls remote access methods.'
+
+AC-17 (2):
+ family: AC
+ name: Remote Access | Protection of Confidentiality / Integrity Using Encryption
+ description: |
+ 'The information system implements cryptographic mechanisms to protect the
+ confidentiality and integrity of remote access sessions.'
+
+AC-17 (3):
+ family: AC
+ name: Remote Access | Managed Access Control Points
+ description: |
+ 'The information system routes all remote accesses through [Assignment:
+ organization-defined number] managed network access control points.'
+
+AC-17 (4):
+ family: AC
+ name: Remote Access | Privileged Commands / Access
+ description: |
+ 'The organization:
+ AC-17 (4)(a) Authorizes the execution of privileged commands and access to
+ security-relevant information via remote access only for [Assignment:
+ organization-defined needs]; and
+ AC-17 (4)(b) Documents the rationale for such access in the security plan
+ for the information system.'
+
+AC-17 (9):
+ family: AC
+ name: Remote Access | Disconnect / Disable Access
+ description: |
+ 'The organization provides the capability to expeditiously disconnect or
+ disable remote access to the information system within [Assignment:
+ organization-defined time period].'
+
+AC-18:
+ family: AC
+ name: Wireless Access
+ description: |
+ 'The organization:
+ a. Establishes usage restrictions, configuration/connection requirements,
+ and implementation guidance for wireless access; and
+ b. Authorizes wireless access to the information system prior to allowing
+ such connections.'
+
+AC-18 (1):
+ family: AC
+ name: Wireless Access | Authentication and Encryption
+ description: |
+ 'The information system protects wireless access to the system using
+ authentication of [Selection (one or more): users; devices] and encryption.'
+
+AC-19:
+ family: AC
+ name: Access Control For Mobile Devices
+ description: |
+ 'The organization:
+ a. Establishes usage restrictions, configuration requirements, connection
+ requirements, and implementation guidance for organization-controlled mobile
+ devices; and
+ b. Authorizes the connection of mobile devices to organizational information
+ systems.'
+
+AC-19 (5):
+ family: AC
+ name: Access Control For Mobile Devices | Full Device / Container-Based Encryption
+ description: |
+ 'The organization employs [Selection: full-device encryption; container
+ encryption] to protect the confidentiality and integrity of information on
+ [Assignment: organization-defined mobile devices].'
+
+AC-20:
+ family: AC
+ name: Use of External Information Systems
+ description: |
+ 'The organization establishes terms and conditions, consistent with any
+ trust relationships established with other organizations owning, operating,
+ and/or maintaining external information systems, allowing authorized
+ individuals to:
+ a. Access the information system from external information systems; and
+ b.
Process, store, or transmit organization-controlled information using
+ external information systems.'
+
+AC-20 (1):
+ family: AC
+ name: Use of External Information Systems | Limits on Authorized Use
+ description: |
+ 'The organization permits authorized individuals to use an external
+ information system to access the information system or to process, store, or
+ transmit organization-controlled information only when the organization:
+ AC-20 (1)(a) Verifies the implementation of required security controls on
+ the external system as specified in the organization's information security
+ policy and security plan; or
+ AC-20 (1)(b) Retains approved information system connection or processing
+ agreements with the organizational entity hosting the external information
+ system.'
+
+AC-20 (2):
+ family: AC
+ name: Use of External Information Systems | Portable Storage Devices
+ description: |
+ 'The organization [Selection: restricts; prohibits] the use of
+ organization-controlled portable storage devices by authorized individuals
+ on external information systems.'
+
+AC-21:
+ family: AC
+ name: Information Sharing
+ description: |
+ 'The organization:
+ a. Facilitates information sharing by enabling authorized users to determine
+ whether access authorizations assigned to the sharing partner match the
+ access restrictions on the information for [Assignment: organization-defined
+ information sharing circumstances where user discretion is required]; and
+ b. Employs [Assignment: organization-defined automated mechanisms or manual
+ processes] to assist users in making information sharing/collaboration
+ decisions.'
+
+AC-22:
+ family: AC
+ name: Publicly Accessible Content
+ description: |
+ 'The organization:
+ a. Designates individuals authorized to post information onto a publicly
+ accessible information system;
+ b. Trains authorized individuals to ensure that publicly accessible
+ information does not contain nonpublic information;
+ c.
Reviews the proposed content of information prior to posting onto the
+ publicly accessible information system to ensure that nonpublic information
+ is not included; and
+ d. Reviews the content on the publicly accessible information system for
+ nonpublic information [Assignment: organization-defined frequency] and
+ removes such information, if discovered.'
+
+AT-1:
+ family: AT
+ name: Security Awareness and Training Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment:
+ organization-defined personnel or roles]:
+ 1. A security awareness and training policy that addresses purpose, scope,
+ roles, responsibilities, management commitment, coordination among
+ organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the security awareness
+ and training policy and associated security awareness and training
+ controls; and
+ b. Reviews and updates the current:
+ 1. Security awareness and training policy [Assignment:
+ organization-defined frequency]; and
+ 2. Security awareness and training procedures [Assignment:
+ organization-defined frequency].'
+
+AT-2:
+ family: AT
+ name: Security Awareness Training
+ description: |
+ 'The organization provides basic security awareness training to information
+ system users (including managers, senior executives, and contractors):
+ a. As part of initial training for new users;
+ b. When required by information system changes; and
+ c. [Assignment: organization-defined frequency] thereafter.'
+
+AT-2 (2):
+ family: AT
+ name: Security Awareness | Insider Threat
+ description: |
+ 'The organization includes security awareness training on recognizing and
+ reporting potential indicators of insider threat.'
+
+AT-3:
+ family: AT
+ name: Role-Based Security Training
+ description: |
+ 'The organization provides role-based security training to personnel with
+ assigned security roles and responsibilities:
+ a.
Before authorizing access to the information system or performing
+ assigned duties;
+ b. When required by information system changes; and
+ c. [Assignment: organization-defined frequency] thereafter.'
+
+AT-4:
+ family: AT
+ name: Security Training Records
+ description: |
+ 'The organization:
+ a. Documents and monitors individual information system security training
+ activities including basic security awareness training and specific
+ information system security training; and
+ b. Retains individual training records for [Assignment: organization-defined
+ time period].'
+
+AU-1:
+ family: AU
+ name: Audit and Accountability Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment:
+ organization-defined personnel or roles]:
+ 1. An audit and accountability policy that addresses purpose, scope,
+ roles, responsibilities, management commitment, coordination among
+ organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the audit and
+ accountability policy and associated audit and accountability controls;
+ and
+ b. Reviews and updates the current:
+ 1. Audit and accountability policy [Assignment: organization-defined
+ frequency]; and
+ 2. Audit and accountability procedures [Assignment: organization-defined
+ frequency].'
+
+AU-2:
+ family: AU
+ name: Audit Events
+ description: |
+ 'The organization:
+ a. Determines that the information system is capable of auditing the
+ following events: [Assignment: organization-defined auditable events];
+ b. Coordinates the security audit function with other organizational
+ entities requiring audit-related information to enhance mutual support and
+ to help guide the selection of auditable events;
+ c. Provides a rationale for why the auditable events are deemed to be
+ adequate to support after-the-fact investigations of security incidents; and
+ d.
Determines that the following events are to be audited within the
+ information system: [Assignment: organization-defined audited events (the
+ subset of the auditable events defined in AU-2 a.) along with the frequency
+ of (or situation requiring) auditing for each identified event].'
+
+AU-2 (3):
+ family: AU
+ name: Audit Events | Reviews and Updates
+ description: |
+ 'The organization reviews and updates the audited events [Assignment: organization-defined frequency].'
+
+AU-3:
+ family: AU
+ name: Content of Audit Records
+ description: |
+ 'The information system generates audit records containing information that
+ establishes what type of event occurred, when the event occurred, where the
+ event occurred, the source of the event, the outcome of the event, and the
+ identity of any individuals or subjects associated with the event.'
+
+AU-3 (1):
+ family: AU
+ name: Content of Audit Records | Additional Audit Information
+ description: |
+ 'The information system generates audit records containing the following
+ additional information: [Assignment: organization-defined additional, more
+ detailed information].'
+
+AU-4:
+ family: AU
+ name: Audit Storage Capacity
+ description: |
+ 'The organization allocates audit record storage capacity in accordance with
+ [Assignment: organization-defined audit record storage requirements].'
+
+AU-5:
+ family: AU
+ name: Response to Audit Processing Failures
+ description: |
+ 'The information system:
+ a. Alerts [Assignment: organization-defined personnel or roles] in the event
+ of an audit processing failure; and
+ b. Takes the following additional actions: [Assignment: organization-defined
+ actions to be taken (e.g., shut down information system, overwrite oldest
+ audit records, stop generating audit records)].'
+
+AU-6:
+ family: AU
+ name: Audit Review, Analysis, and Reporting
+ description: |
+ 'The organization:
+ a.
Reviews and analyzes information system audit records [Assignment:
+ organization-defined frequency] for indications of [Assignment:
+ organization-defined inappropriate or unusual activity]; and
+ b. Reports findings to [Assignment: organization-defined personnel or
+ roles].'
+
+AU-6 (1):
+ family: AU
+ name: Audit Review, Analysis, and Reporting | Process Integration
+ description: |
+ 'The organization employs automated mechanisms to integrate audit review,
+ analysis, and reporting processes to support organizational processes for
+ investigation and response to suspicious activities.'
+
+AU-6 (3):
+ family: AU
+ name: Audit Review, Analysis, and Reporting | Correlate Audit Repositories
+ description: |
+ 'The organization analyzes and correlates audit records across different
+ repositories to gain organization-wide situational awareness.'
+
+AU-7:
+ family: AU
+ name: Audit Reduction and Report Generation
+ description: |
+ 'The information system provides an audit reduction and report generation
+ capability that:
+ a. Supports on-demand audit review, analysis, and reporting requirements and
+ after-the-fact investigations of security incidents; and
+ b. Does not alter the original content or time ordering of audit records.'
+
+AU-7 (1):
+ family: AU
+ name: Audit Reduction and Report Generation | Automatic Processing
+ description: |
+ 'The information system provides the capability to process audit records for
+ events of interest based on [Assignment: organization-defined audit fields
+ within audit records].'
+
+AU-8:
+ family: AU
+ name: Time Stamps
+ description: |
+ 'The information system:
+ a. Uses internal system clocks to generate time stamps for audit records;
+ and
+ b. Records time stamps for audit records that can be mapped to Coordinated
+ Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment:
+ organization-defined granularity of time measurement].'
+
+AU-8 (1):
+ family: AU
+ name: Time Stamps | Synchronization With Authoritative Time Source
+ description: |
+ 'The information system:
+ AU-8 (1)(a) Compares the internal information system clocks [Assignment:
+ organization-defined frequency] with [Assignment: organization-defined
+ authoritative time source]; and
+ AU-8 (1)(b) Synchronizes the internal system clocks to the authoritative
+ time source when the time difference is greater than [Assignment:
+ organization-defined time period].'
+
+AU-9:
+ family: AU
+ name: Protection of Audit Information
+ description: |
+ 'The information system protects audit information and audit tools from
+ unauthorized access, modification, and deletion.'
+
+AU-9 (2):
+ family: AU
+ name: Protection of Audit Information | Audit Backup on Separate Physical Systems
+ / Components
+ description: |
+ 'The information system backs up audit records [Assignment:
+ organization-defined frequency] onto a physically different system or system
+ component than the system or component being audited.'
+
+AU-9 (4):
+ family: AU
+ name: Protection of Audit Information | Access by Subset of Privileged Users
+ description: |
+ 'The organization authorizes access to management of audit functionality to
+ only [Assignment: organization-defined subset of privileged users].'
+
+AU-11:
+ family: AU
+ name: Audit Record Retention
+ description: |
+ 'The organization retains audit records for [Assignment:
+ organization-defined time period consistent with records retention policy]
+ to provide support for after-the-fact investigations of security incidents
+ and to meet regulatory and organizational information retention
+ requirements.'
+
+AU-12:
+ family: AU
+ name: Audit Generation
+ description: |
+ 'The information system:
+ a. Provides audit record generation capability for the auditable events
+ defined in AU-2 a. at [Assignment: organization-defined information system
+ components];
+ b.
Allows [Assignment: organization-defined personnel or roles] to select
+ which auditable events are to be audited by specific components of the
+ information system; and
+ c. Generates audit records for the events defined in AU-2 d. with the
+ content defined in AU-3.'
+
+CA-1:
+ family: CA
+ name: Security Assessment and Authorization Policies and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment:
+ organization-defined personnel or roles]:
+ 1. A security assessment and authorization policy that addresses purpose,
+ scope, roles, responsibilities, management commitment, coordination among
+ organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the security assessment
+ and authorization policy and associated security assessment and
+ authorization controls; and
+ b. Reviews and updates the current:
+ 1. Security assessment and authorization policy [Assignment:
+ organization-defined frequency]; and
+ 2. Security assessment and authorization procedures [Assignment:
+ organization-defined frequency].'
+
+CA-2:
+ family: CA
+ name: Security Assessments
+ description: |
+ 'The organization:
+ a. Develops a security assessment plan that describes the scope of the
+ assessment including:
+ 1. Security controls and control enhancements under assessment;
+ 2. Assessment procedures to be used to determine security control
+ effectiveness; and
+ 3. Assessment environment, assessment team, and assessment roles and
+ responsibilities;
+ b. Assesses the security controls in the information system and its
+ environment of operation [Assignment: organization-defined frequency] to
+ determine the extent to which the controls are implemented correctly,
+ operating as intended, and producing the desired outcome with respect to
+ meeting established security requirements;
+ c. Produces a security assessment report that documents the results of the
+ assessment; and
+ d.
Provides the results of the security control assessment to [Assignment:
+ organization-defined individuals or roles].'
+
+CA-2 (1):
+ family: CA
+ name: Security Assessments | Independent Assessors
+ description: |
+ 'The organization employs assessors or assessment teams with [Assignment:
+ organization-defined level of independence] to conduct security control
+ assessments.'
+
+CA-2 (2):
+ family: CA
+ name: Security Assessments | Specialized Assessments
+ description: |
+ 'The organization includes as part of security control assessments,
+ [Assignment: organization-defined frequency], [Selection: announced;
+ unannounced], [Selection (one or more): in-depth monitoring; vulnerability
+ scanning; malicious user testing; insider threat assessment;
+ performance/load testing; [Assignment: organization-defined other forms of
+ security assessment]].'
+
+CA-2 (3):
+ family: CA
+ name: Security Assessments | External Organizations
+ description: |
+ 'The organization accepts the results of an assessment of [Assignment:
+ organization-defined information system] performed by [Assignment:
+ organization-defined external organization] when the assessment meets
+ [Assignment: organization-defined requirements].'
+
+CA-3:
+ family: CA
+ name: System Interconnections
+ description: |
+ 'The organization:
+ a. Authorizes connections from the information system to other information
+ systems through the use of Interconnection Security Agreements;
+ b. Documents, for each interconnection, the interface characteristics,
+ security requirements, and the nature of the information communicated; and
+ c. Reviews and updates Interconnection Security Agreements [Assignment:
+ organization-defined frequency].'
+
+CA-3 (3):
+ family: CA
+ name: System Interconnections | Unclassified Non-National Security System Connections
+ description: |
+ 'The organization prohibits the direct connection of an [Assignment:
+ organization-defined unclassified, non-national security system] to an
+ external network without the use of [Assignment; organization-defined
+ boundary protection device].'
+
+CA-3 (5):
+ family: CA
+ name: System Interconnections | Restrictions on External Network Connections
+ description: |
+ 'The organization employs [Selection: allow-all, deny-by-exception;
+ deny-all, permit-by-exception] policy for allowing [Assignment:
+ organization-defined information systems] to connect to external information
+ systems.'
+
+CA-5:
+ family: CA
+ name: Plan of Action and Milestones
+ description: |
+ 'The organization:
+ a. Develops a plan of action and milestones for the information system to
+ document the organization''s planned remedial actions to correct weaknesses
+ or deficiencies noted during the assessment of the security controls and to
+ reduce or eliminate known vulnerabilities in the system; and
+ b. Updates existing plan of action and milestones [Assignment:
+ organization-defined frequency] based on the findings from security controls
+ assessments, security impact analyses, and continuous monitoring
+ activities.'
+
+CA-6:
+ family: CA
+ name: Security Authorization
+ description: |
+ 'The organization:
+ a. Assigns a senior-level executive or manager as the authorizing official
+ for the information system;
+ b. Ensures that the authorizing official authorizes the information system
+ for processing before commencing operations; and
+ c. Updates the security authorization [Assignment: organization-defined
+ frequency].'
+
+CA-7:
+ family: CA
+ name: Continuous Monitoring
+ description: |
+ 'The organization develops a continuous monitoring strategy and implements a
+ continuous monitoring program that includes:
+ a.
Establishment of [Assignment: organization-defined metrics] to be
+ monitored;
+ b. Establishment of [Assignment: organization-defined frequencies] for
+ monitoring and [Assignment: organization-defined frequencies] for
+ assessments supporting such monitoring;
+ c. Ongoing security control assessments in accordance with the
+ organizational continuous monitoring strategy;
+ d. Ongoing security status monitoring of organization-defined metrics in
+ accordance with the organizational continuous monitoring strategy;
+ e. Correlation and analysis of security-related information generated by
+ assessments and monitoring;
+ f. Response actions to address results of the analysis of security-related
+ information; and
+ g. Reporting the security status of organization and the information system
+ to [Assignment: organization-defined personnel or roles] [Assignment:
+ organization-defined frequency].'
+
+CA-7 (1):
+ family: CA
+ name: Continuous Monitoring | Independent Assessment
+ description: |
+ 'The organization employs assessors or assessment teams with [Assignment:
+ organization-defined level of independence] to monitor the security controls
+ in the information system on an ongoing basis.'
+
+CA-8:
+ family: CA
+ name: Penetration Testing
+ description: |
+ 'The organization conducts penetration testing [Assignment:
+ organization-defined frequency] on [Assignment: organization-defined
+ information systems or system components].'
+
+CA-8 (1):
+ family: CA
+ name: Penetration Testing | Independent Penetration Agent or Team
+ description: |
+ 'The organization employs an independent penetration agent or penetration
+ team to perform penetration testing on the information system or system
+ components.'
+
+CA-9:
+ family: CA
+ name: Internal System Connections
+ description: |
+ 'The organization:
+ a. Authorizes internal connections of [Assignment: organization-defined
+ information system components or classes of components] to the information
+ system; and
+ b.
Documents, for each internal connection, the interface characteristics,
+ security requirements, and the nature of the information communicated.'
+
+CM-1:
+ family: CM
+ name: Configuration Management Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment:
+ organization-defined personnel or roles]:
+ 1. A configuration management policy that addresses purpose, scope, roles,
+ responsibilities, management commitment, coordination among organizational
+ entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the configuration
+ management policy and associated configuration management controls; and
+ b. Reviews and updates the current:
+ 1. Configuration management policy [Assignment: organization-defined
+ frequency]; and
+ 2. Configuration management procedures [Assignment: organization-defined
+ frequency].'
+
+CM-2:
+ family: CM
+ name: Baseline Configuration
+ description: |
+ 'The organization develops, documents, and maintains under configuration
+ control, a current baseline configuration of the information system.'
+
+CM-2 (1):
+ family: CM
+ name: Baseline Configuration | Reviews and Updates
+ description: |
+ 'The organization reviews and updates the baseline configuration of the
+ information system:
+ CM-2 (1)(a) [Assignment: organization-defined frequency];
+ CM-2 (1)(b) When required due to [Assignment organization-defined
+ circumstances]; and
+ CM-2 (1)(c) As an integral part of information system component
+ installations and upgrades.'
+
+CM-2(2):
+ family: CM
+ name: Baseline Configuration | Automation Support For Accuracy / Currency
+ description: |
+ 'The organization employs automated mechanisms to maintain an up-to-date,
+ complete, accurate, and readily available baseline configuration of the
+ information system.'
+
+CM-2 (3):
+ family: CM
+ name: Baseline Configuration | Retention of Previous Configurations
+ description: |
+ 'The organization retains [Assignment: organization-defined previous
+ versions of baseline configurations of the information system] to support
+ rollback.'
+
+CM-2 (7):
+ family: CM
+ name: Baseline Configuration | Configure Systems, Components, or Devices for High-Risk
+ Areas
+ description: |
+ 'The organization:
+ CM-2 (7)(a) Issues [Assignment: organization-defined information systems,
+ system components, or devices] with [Assignment: organization-defined
+ configurations] to individuals traveling to locations that the organization
+ deems to be of significant risk; and
+ CM-2 (7)(b) Applies [Assignment: organization-defined security safeguards]
+ to the devices when the individuals return.'
+
+CM-3:
+ family: CM
+ name: Configuration Change Control
+ description: |
+ 'The organization:
+ a. Determines the types of changes to the information system that are
+ configuration-controlled;
+ b. Reviews proposed configuration-controlled changes to the information
+ system and approves or disapproves such changes with explicit consideration
+ for security impact analyses;
+ c. Documents configuration change decisions associated with the information
+ system;
+ d. Implements approved configuration-controlled changes to the information
+ system;
+ e. Retains records of configuration-controlled changes to the information
+ system for [Assignment: organization-defined time period];
+ f. Audits and reviews activities associated with configuration-controlled
+ changes to the information system; and
+ g. Coordinates and provides oversight for configuration change control
+ activities through [Assignment: organization-defined configuration change
+ control element (e.g., committee, board)] that convenes [Selection (one or
+ more): [Assignment: organization-defined frequency]; [Assignment:
+ organization-defined configuration change conditions]].'
+
+CM-4:
+ family: CM
+ name: Security Impact Analysis
+ description: |
+ 'The organization analyzes changes to the information system to determine
+ potential security impacts prior to change implementation.'
+
+CM-5:
+ family: CM
+ name: Access Restrictions For Change
+ description: |
+ 'The organization defines, documents, approves, and enforces physical and
+ logical access restrictions associated with changes to the information
+ system.'
+
+CM-5 (1):
+ family: CM
+ name: Access Restrictions For Change | Automated Access Enforcement / Auditing
+ description: |
+ 'The information system enforces access restrictions and supports auditing
+ of the enforcement actions.'
+
+CM-5 (3):
+ family: CM
+ name: Access Restrictions For Change | Signed Components
+ description: |
+ 'The information system prevents the installation of [Assignment:
+ organization-defined software and firmware components] without verification
+ that the component has been digitally signed using a certificate that is
+ recognized and approved by the organization.'
+
+CM-5 (5):
+ family: CM
+ name: Access Restrictions For Change | Limit Production / Operational Privileges
+ description: |
+ 'The organization:
+ CM-5 (5)(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
+ CM-5 (5)(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].'
+CM-6:
+ family: CM
+ name: Configuration Settings
+ description: |
+ 'The organization:
+ a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
+ b. Implements the configuration settings;
+ c.
Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
+ d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.'
+
+CM-6 (1):
+ family: CM
+ name: Configuration Settings | Automated essential Management / Application / Verification
+ description: |
+ 'The organization employs automated mechanisms to centrally manage, apply,
+ and verify configuration settings for [Assignment: organization-defined
+ information system components].'
+
+CM-7:
+ family: CM
+ name: Least Functionality
+ description: |
+ 'The organization:
+ a. Configures the information system to provide only essential capabilities; and
+ b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].'
+
+CM-7 (1):
+ family: CM
+ name: Least Functionality | Periodic Review
+ description: |
+ 'The organization:
+ CM-7 (1)(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
+ CM-7 (1)(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].'
+
+CM-7 (2):
+ family: CM
+ name: Least Functionality | Prevent Program Execution
+ description: |
+ 'The information system prevents program execution in accordance with
+ [Selection (one or more): [Assignment: organization-defined policies
+ regarding software program usage and restrictions]; rules authorizing the
+ terms and conditions of software program usage].'
+
+CM-7 (5):
+ family: CM
+ name: Least Functionality | Authorized Software / Whitelisting
+ description: |
+ 'The organization:
+ CM-7 (5)(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
+ CM-7 (5)(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
+ CM-7 (5)(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].'
+
+CM-8:
+ family: CM
+ name: Information System Component Inventory
+ description: |
+ 'The organization:
+ a. Develops and documents an inventory of information system components that:
+ 1. Accurately reflects the current information system;
+ 2. Includes all components within the authorization boundary of the information system;
+ 3. Is at the level of granularity deemed necessary for tracking and reporting; and
+ 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
+ b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].'
+
+CM-8 (1):
+ family: CM
+ name: Information System Component Inventory | Updates During Installations / Removals
+ description: |
+ 'The organization updates the inventory of information system components as
+ an integral part of component installations, removals, and information
+ system updates.'
+
+CM-8 (3):
+ family: CM
+ name: Information System Component Inventory | Automated Unauthorized Component
+ Detection
+ description: |
+ 'The organization:
+ CM-8 (3)(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
+ CM-8 (3)(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].'
+
+CM-8 (5):
+ family: CM
+ name: Information System Component Inventory | No Duplicate Accounting of Components
+ description: |
+ 'The organization verifies that all components within the authorization
+ boundary of the information system are not duplicated in other information
+ system component inventories.'
+
+CM-9:
+ family: CM
+ name: Configuration Management Plan
+ description: |
+ 'The organization develops, documents, and implements a configuration management plan for the information system that:
+ a. Addresses roles, responsibilities, and configuration management processes and procedures;
+ b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
+ c. Defines the configuration items for the information system and places the configuration items under configuration management; and
+ d. Protects the configuration management plan from unauthorized disclosure and modification.'
+
+CM-10:
+ family: CM
+ name: Software Usage Restrictions
+ description: |
+ 'The organization:
+ a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
+ b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
+ c.
Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.'
+
+CM-10 (1):
+ family: CM
+ name: Software Usage Restrictions | Open Source Software
+ description: |
+ 'The organization establishes the following restrictions on the use of open
+ source software: [Assignment: organization-defined restrictions].'
+
+CM-11:
+ family: CM
+ name: User-Installed Software
+ description: |
+ 'The organization:
+ a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
+ b. Enforces software installation policies through [Assignment: organization-defined methods]; and
+ c. Monitors policy compliance at [Assignment: organization-defined frequency].'
+
+CP-1:
+ family: CP
+ name: Contingency Planning Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
+ b. Reviews and updates the current:
+ 1. Contingency planning policy [Assignment: organization-defined frequency]; and
+ 2. Contingency planning procedures [Assignment: organization-defined frequency].'
+
+CP-2:
+ family: CP
+ name: Contingency Plan
+ description: |
+ 'The organization:
+ a. Develops a contingency plan for the information system that:
+ 1. Identifies essential missions and business functions and associated contingency requirements;
+ 2. Provides recovery objectives, restoration priorities, and metrics;
+ 3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
+ 4.
Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
+ 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
+ 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
+ b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
+ c. Coordinates contingency planning activities with incident handling activities;
+ d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
+ e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
+ f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
+ g. Protects the contingency plan from unauthorized disclosure and modification.'
+
+CP-2 (1):
+ family: CP
+ name: Contingency Plan | Coordinate With Related Plans
+ description: |
+ 'The organization coordinates contingency plan development with
+ organizational elements responsible for related plans.'
+
+CP-2 (2):
+ family: CP
+ name: Contingency Plan | Capacity Planning
+ description: |
+ 'The organization conducts capacity planning so that necessary capacity for
+ information processing, telecommunications, and environmental support exists
+ during contingency operations.'
+
+CP-2 (3):
+ family: CP
+ name: Contingency Plan | Resume Essential Missions / Business Functions
+ description: |
+ 'The organization plans for the resumption of essential missions and
+ business functions within [Assignment: organization-defined time period] of
+ contingency plan activation.'
+
+CP-2 (8):
+ family: CP
+ name: Contingency Plan | Identify Critical Assets
+ description: |
+ 'The organization identifies critical information system assets supporting
+ essential missions and business functions.'
+
+CP-3:
+ family: CP
+ name: Contingency Training
+ description: |
+ 'The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
+ a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
+ b. When required by information system changes; and
+ c. [Assignment: organization-defined frequency] thereafter.'
+
+CP-4:
+ family: CP
+ name: Contingency Plan Testing
+ description: |
+ 'The organization:
+ a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
+ b. Reviews the contingency plan test results; and
+ c. Initiates corrective actions, if needed.'
+
+CP-4 (1):
+ family: CP
+ name: Contingency Plan Testing | Coordinate With Related Plans
+ description: |
+ 'The organization coordinates contingency plan testing with organizational
+ elements responsible for related plans.'
+
+CP-6:
+ family: CP
+ name: Alternate Storage Site
+ description: |
+ 'The organization:
+ a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
+ b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.'
+
+CP-6 (1):
+ family: CP
+ name: Alternate Storage Site | Separation From Primary Site
+ description: |
+ 'The organization identifies an alternate storage site that is separated
+ from the primary storage site to reduce susceptibility to the same threats.'
+
+CP-6 (3):
+ family: CP
+ name: Alternate Storage Site | Accessibility
+ description: |
+ 'The organization identifies potential accessibility problems to the
+ alternate storage site in the event of an area-wide disruption or disaster
+ and outlines explicit mitigation actions.'
+
+CP-7:
+ family: CP
+ name: Alternate Processing Site
+ description: |
+ 'The organization:
+ a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
+ b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
+ c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.'
+
+CP-7 (1):
+ family: CP
+ name: Alternate Processing Site | Separation From Primary Site
+ description: |
+ 'The organization identifies an alternate processing site that is separated
+ from the primary processing site to reduce susceptibility to the same
+ threats.'
+
+CP-7 (2):
+ family: CP
+ name: Alternate Processing Site | Accessibility
+ description: |
+ 'The organization identifies potential accessibility problems to the
+ alternate processing site in the event of an area-wide disruption or
+ disaster and outlines explicit mitigation actions.'
+
+CP-7 (3):
+ family: CP
+ name: Alternate Processing Site | Priority of Service
+ description: |
+ 'The organization develops alternate processing site agreements that contain
+ priority-of-service provisions in accordance with organizational
+ availability requirements (including recovery time objectives).'
+
+CP-8:
+ family: CP
+ name: Telecommunications Services
+ description: |
+ 'The organization establishes alternate telecommunications services
+ including necessary agreements to permit the resumption of [Assignment:
+ organization-defined information system operations] for essential missions
+ and business functions within [Assignment: organization-defined time period]
+ when the primary telecommunications capabilities are unavailable at either
+ the primary or alternate processing or storage sites.'
+
+CP-8 (1):
+ family: CP
+ name: Telecommunications Services | Priority of Service Provisions
+ description: |
+ 'The organization:
+ CP-8 (1)(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
+ CP-8 (1)(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.'
+
+CP-8 (2):
+ family: CP
+ name: Telecommunications Services | Single Points of Failure
+ description: |
+ 'The organization obtains alternate telecommunications services to reduce
+ the likelihood of sharing a single point of failure with primary
+ telecommunications services.'
+
+CP-9:
+ family: CP
+ name: Information System Backup
+ description: |
+ 'The organization:
+ a.
Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
+ b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
+ c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
+ d. Protects the confidentiality, integrity, and availability of backup information at storage locations.'
+
+CP-9 (1):
+ family: CP
+ name: Information System Backup | Testing For Reliability / Integrity
+ description: |
+ 'The organization tests backup information [Assignment: organization-defined
+ frequency] to verify media reliability and information integrity.'
+
+CP-9 (3):
+ family: CP
+ name: Information System Backup | Separate Storage for Critical Information
+ description: |
+ 'The organization stores backup copies of [Assignment: organization-defined
+ critical information system software and other security-related information]
+ in a separate facility or in a fire-rated container that is not collocated
+ with the operational system.'
+
+CP-10:
+ family: CP
+ name: Information System Recovery and Reconstitution
+ description: |
+ 'The organization provides for the recovery and reconstitution of the
+ information system to a known state after a disruption, compromise, or
+ failure.'
+
+CP-10 (2):
+ family: CP
+ name: Information System Recovery and Reconstitution | Transaction Recovery
+ description: |
+ 'The information system implements transaction recovery for systems that are
+ transaction-based.'
+
+IA-1:
+ family: IA
+ name: Identification and Authentication Policy and Procedures
+ description: |
+ 'The organization:
+ a.
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
+ b. Reviews and updates the current:
+ 1. Identification and authentication policy [Assignment: organization-defined frequency]; and
+ 2. Identification and authentication procedures [Assignment: organization-defined frequency].'
+
+IA-2:
+ family: IA
+ name: Identification and Authentication (Organizational Users)
+ description: |
+ 'The information system uniquely identifies and authenticates organizational
+ users (or processes acting on behalf of organizational users).'
+
+IA-2 (1):
+ family: IA
+ name: Identification and Authentication (Organizational Users) | Network Access
+ to Privileged Accounts
+ description: |
+ 'The information system implements multifactor authentication for network
+ access to privileged accounts.'
+
+IA-2 (2):
+ family: IA
+ name: Identification and Authentication (Organizational Users) | Network Access
+ to Non-Privileged Accounts
+ description: |
+ 'The information system implements multifactor authentication for network
+ access to non-privileged accounts.'
+
+IA-2 (3):
+ family: IA
+ name: Identification and Authentication (Organizational Users) | Local Access to
+ Privileged Accounts
+ description: |
+ 'The information system implements multifactor authentication for local
+ access to privileged accounts.'
+
+IA-2 (5):
+ family: IA
+ name: Identification and Authentication (Organizational Users) | Group Authentication
+ description: |
+ 'The organization requires individuals to be authenticated with an
+ individual authenticator when a group authenticator is employed.'
+
+IA-2 (8):
+ family: IA
+ name: Identification and Authentication (Organizational Users) | Network Access
+ to Privileged Accounts - Replay Resistant
+ description: |
+ 'The information system implements replay-resistant authentication
+ mechanisms for network access to privileged accounts.'
+
+IA-2 (11):
+ family: IA
+ name: Identification and Authentication (Organizational Users) | Remote Access -
+ Separate Device
+ description: |
+ 'The information system implements multifactor authentication for remote
+ access to privileged and non-privileged accounts such that one of the
+ factors is provided by a device separate from the system gaining access and
+ the device meets [Assignment: organization-defined strength of mechanism
+ requirements].'
+
+IA-2 (12):
+ family: IA
+ name: Identification and Authentication (Organizational Users) | Acceptance of PIV
+ Credentials
+ description: |
+ 'The information system accepts and electronically verifies Personal
+ Identity Verification (PIV) credentials.'
+
+IA-3:
+ family: IA
+ name: Device Identification and Authentication
+ description: |
+ 'The information system uniquely identifies and authenticates [Assignment:
+ organization-defined specific and/or types of devices] before establishing a
+ [Selection (one or more): local; remote; network] connection.'
+
+IA-4:
+ family: IA
+ name: Identifier Management
+ description: |
+ 'The organization manages information system identifiers by:
+ a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
+ b. Selecting an identifier that identifies an individual, group, role, or device;
+ c. Assigning the identifier to the intended individual, group, role, or device;
+ d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
+ e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].'
+
+IA-4 (4):
+ family: IA
+ name: Identifier Management | Identify User Status
+ description: |
+ 'The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].'
+
+IA-5:
+ family: IA
+ name: Authenticator Management
+ description: |
+ 'The organization manages information system authenticators by:
+ a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
+ b. Establishing initial authenticator content for authenticators defined by the organization;
+ c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
+ d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
+ e. Changing default content of authenticators prior to information system installation;
+ f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
+ g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
+ h. Protecting authenticator content from unauthorized disclosure and modification;
+ i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
+ j. Changing authenticators for group/role accounts when membership to those accounts changes.'
+
+IA-5 (1):
+ family: IA
+ name: Authenticator Management | Password-Based Authentication
+ description: |
+ 'The information system, for password-based authentication:
+ IA-5 (1)(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
+ IA-5 (1)(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
+ IA-5 (1)(c) Stores and transmits only cryptographically-protected passwords;
+ IA-5 (1)(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
+ IA-5 (1)(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
+ IA-5 (1)(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.'
+
+IA-5 (2):
+ family: IA
+ name: Authenticator Management | PKI-Based Authentication
+ description: |
+ 'The information system, for PKI-based authentication:
+ IA-5 (2)(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
+ IA-5 (2)(b) Enforces authorized access to the corresponding private key;
+ IA-5 (2)(c) Maps the authenticated identity to the account of the individual or group; and
+ IA-5 (2)(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.'
+
+IA-5 (3):
+ family: IA
+ name: Authenticator Management | In-Person or Trusted Third-Party Registration
+ description: |
+ 'The organization requires that the registration process to receive
+ [Assignment: organization-defined types of and/or specific authenticators]
+ be conducted [Selection: in person; by a trusted third party] before
+ [Assignment: organization-defined registration authority] with authorization
+ by [Assignment: organization-defined personnel or roles].'
+
+IA-5 (4):
+ family: IA
+ name: Authenticator Management | Automated Support for Password Strength Determination
+ description: |
+ 'The organization employs automated tools to determine if password
+ authenticators are sufficiently strong to satisfy [Assignment:
+ organization-defined requirements].'
+
+IA-5 (6):
+ family: IA
+ name: Authenticator Management | Protection of Authenticators
+ description: |
+ 'The organization protects authenticators commensurate with the security
+ category of the information to which use of the authenticator permits
+ access.'
+
+IA-5 (7):
+ family: IA
+ name: Authenticator Management | No Embedded Unencrypted Static Authenticators
+ description: |
+ 'The organization ensures that unencrypted static authenticators are not
+ embedded in applications or access scripts or stored on function keys.'
+
+IA-5 (11):
+ family: IA
+ name: Authenticator Management | Hardware Token-Based Authentication
+ description: |
+ 'The information system, for hardware token-based authentication, employs
+ mechanisms that satisfy [Assignment: organization-defined token quality
+ requirements].'
+
+IA-6:
+ family: IA
+ name: Authenticator Feedback
+ description: |
+ 'The information system obscures feedback of authentication information
+ during the authentication process to protect the information from possible
+ exploitation/use by unauthorized individuals.'
+
+IA-7:
+ family: IA
+ name: Cryptographic Module Authentication
+ description: |
+ 'The information system implements mechanisms for authentication to a
+ cryptographic module that meet the requirements of applicable federal laws,
+ Executive Orders, directives, policies, regulations, standards, and guidance
+ for such authentication.'
+
+IA-8:
+ family: IA
+ name: Identification and Authentication (Non-Organizational Users)
+ description: |
+ 'The information system uniquely identifies and authenticates
+ non-organizational users (or processes acting on behalf of
+ non-organizational users).'
+
+IA-8 (1):
+ family: IA
+ name: Identification and Authentication (Non-Organizational Users) | Acceptance
+ of PIV Credentials from Other Agencies
+ description: |
+ 'The information system accepts and electronically verifies Personal
+ Identity Verification (PIV) credentials from other federal agencies.'
+
+IA-8 (2):
+ family: IA
+ name: Identification and Authentication (Non-Organizational Users) | Acceptance
+ of Third-Party Credentials
+ description: |
+ 'The information system accepts only FICAM-approved third-party
+ credentials.'
+
+IA-8 (3):
+ family: IA
+ name: Identification and Authentication (Non-Organizational Users) | Use of FICAM-Approved
+ Products
+ description: |
+ 'The organization employs only FICAM-approved information system components
+ in [Assignment: organization-defined information systems] to accept
+ third-party credentials.'
+
+IA-8 (4):
+ family: IA
+ name: Identification and Authentication (Non-Organizational Users) | Use of FICAM-Issued
+ Profiles
+ description: |
+ 'The information system conforms to FICAM-issued profiles.'
+
+IR-1:
+ family: IR
+ name: Incident Response Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
+ b. Reviews and updates the current:
+ 1. Incident response policy [Assignment: organization-defined frequency]; and
+ 2. Incident response procedures [Assignment: organization-defined frequency].'
+
+IR-2:
+ family: IR
+ name: Incident Response Training
+ description: |
+ 'The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
+ a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
+ b. When required by information system changes; and
+ c. [Assignment: organization-defined frequency] thereafter.'
+
+IR-3:
+ family: IR
+ name: Incident Response Testing
+ description: |
+ 'The organization tests the incident response capability for the information
+ system [Assignment: organization-defined frequency] using [Assignment:
+ organization-defined tests] to determine the incident response effectiveness
+ and documents the results.'
+
+IR-3 (2):
+ family: IR
+ name: Incident Response Testing | Coordination With Related Plans
+ description: |
+ 'The organization coordinates incident response testing with organizational
+ elements responsible for related plans.'
+
+IR-4:
+ family: IR
+ name: Incident Handling
+ description: |
+ 'The organization:
+ a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
+ b. Coordinates incident handling activities with contingency planning activities; and
+ c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.'
+
+IR-4 (1):
+ family: IR
+ name: Incident Handling | Automated Incident Handling Processes
+ description: |
+ 'The organization employs automated mechanisms to support the incident
+ handling process.'
+
+IR-5:
+ family: IR
+ name: Incident Monitoring
+ description: |
+ 'The organization tracks and documents information system security
+ incidents.'
+
+IR-6:
+ family: IR
+ name: Incident Reporting
+ description: |
+ 'The organization:
+ a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
+ b. Reports security incident information to [Assignment: organization-defined authorities].'
+
+IR-6 (1):
+ family: IR
+ name: Incident Reporting | Automated Reporting
+ description: |
+ 'The organization employs automated mechanisms to assist in the reporting of
+ security incidents.'
+
+IR-7:
+ family: IR
+ name: Incident Response Assistance
+ description: |
+ 'The organization provides an incident response support resource, integral
+ to the organizational incident response capability that offers advice and
+ assistance to users of the information system for the handling and reporting
+ of security incidents.'
+
+IR-7 (1):
+ family: IR
+ name: Incident Response Assistance | Automation Support For Availability of Information
+ / Support
+ description: |
+ 'The organization employs automated mechanisms to increase the availability
+ of incident response-related information and support.'
+
+IR-7 (2):
+ family: IR
+ name: Incident Response Assistance | Coordination With External Providers
+ description: |
+ 'The organization:
+ IR-7 (2)(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
+ IR-7 (2)(b) Identifies organizational incident response team members to the external providers.'
+
+IR-8:
+ family: IR
+ name: Incident Response Plan
+ description: |
+ 'The organization:
+ a. Develops an incident response plan that:
+ 1. Provides the organization with a roadmap for implementing its incident response capability;
+ 2. Describes the structure and organization of the incident response capability;
+ 3. Provides a high-level approach for how the incident response capability fits into the overall organization;
+ 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
+ 5. Defines reportable incidents;
+ 6. Provides metrics for measuring the incident response capability within the organization;
+ 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
+ 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
+ b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
+ c. Reviews the incident response plan [Assignment: organization-defined frequency];
+ d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
+ e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
+ f. Protects the incident response plan from unauthorized disclosure and modification.'
+
+IR-9:
+ family: IR
+ name: Information Spillage Response
+ description: |
+ 'The organization responds to information spills by:
+ a. Identifying the specific information involved in the information system contamination;
+ b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
+ c. Isolating the contaminated information system or system component;
+ d. Eradicating the information from the contaminated information system or component;
+ e. Identifying other information systems or system components that may have been subsequently contaminated; and
+ f. Performing other [Assignment: organization-defined actions].'
+
+IR-9 (1):
+ family: IR
+ name: Information Spillage Response | Responsible Personnel
+ description: |
+ 'The organization assigns [Assignment: organization-defined personnel or
+ roles] with responsibility for responding to information spills.'
+
+IR-9 (2):
+ family: IR
+ name: Information Spillage Response | Training
+ description: |
+ 'The organization provides information spillage response training
+ [Assignment: organization-defined frequency].'
+
+IR-9 (3):
+ family: IR
+ name: Information Spillage Response | Post-Spill Operations
+ description: |
+ 'The organization implements [Assignment: organization-defined procedures]
+ to ensure that organizational personnel impacted by information spills can
+ continue to carry out assigned tasks while contaminated systems are
+ undergoing corrective actions.'
+
+IR-9 (4):
+ family: IR
+ name: Information Spillage Response | Exposure to Unauthorized Personnel
+ description: |
+ 'The organization employs [Assignment: organization-defined security
+ safeguards] for personnel exposed to information not within assigned access
+ authorizations.'
+
+MA-1:
+ family: MA
+ name: System Maintenance Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
+ b. Reviews and updates the current:
+ 1. System maintenance policy [Assignment: organization-defined frequency]; and
+ 2. System maintenance procedures [Assignment: organization-defined frequency].'
+
+MA-2:
+ family: MA
+ name: Controlled Maintenance
+ description: |
+ 'The organization:
+ a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
+ b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
+ c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
+ d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
+ e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
+ f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.'
+
+MA-3:
+ family: MA
+ name: Maintenance Tools
+ description: |
+ 'The organization approves, controls, and monitors information system
+ maintenance tools.'
+
+MA-3 (1):
+ family: MA
+ name: Maintenance Tools | Inspect Tools
+ description: |
+ 'The organization inspects the maintenance tools carried into a facility by
+ maintenance personnel for improper or unauthorized modifications.'
+
+MA-3 (2):
+ family: MA
+ name: Maintenance Tools | Inspect Media
+ description: |
+ 'The organization checks media containing diagnostic and test programs for
+ malicious code before the media are used in the information system.'
+
+MA-3 (3):
+ family: MA
+ name: Maintenance Tools | Prevent Unauthorized Removal
+ description: |
+ 'The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
+ MA-3 (3)(a) Verifying that there is no organizational information contained on the equipment;
+ MA-3 (3)(b) Sanitizing or destroying the equipment;
+ MA-3 (3)(c) Retaining the equipment within the facility; or
+ MA-3 (3)(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.'
+
+MA-4:
+ family: MA
+ name: Nonlocal Maintenance
+ description: |
+ 'The organization:
+ a. Approves and monitors nonlocal maintenance and diagnostic activities;
+ b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
+ c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
+ d. Maintains records for nonlocal maintenance and diagnostic activities; and
+ e. Terminates session and network connections when nonlocal maintenance is completed.'
+
+MA-4 (2):
+ family: MA
+ name: Nonlocal Maintenance | Document Nonlocal Maintenance
+ description: |
+ 'The organization documents in the security plan for the information system,
+ the policies and procedures for the establishment and use of nonlocal
+ maintenance and diagnostic connections.'
+
+MA-5:
+ family: MA
+ name: Maintenance Personnel
+ description: |
+ 'The organization:
+ a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
+ b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
+ c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.'
+
+MA-5 (1):
+ family: MA
+ name: Maintenance Personnel | Individuals Without Appropriate Access
+ description: |
+ 'The organization:
+ MA-5 (1)(a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
+ MA-5 (1)(b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.'
+
+MA-6:
+ family: MA
+ name: Timely Maintenance
+ description: |
+ 'The organization obtains maintenance support and/or spare parts for
+ [Assignment: organization-defined information system components] within
+ [Assignment: organization-defined time period] of failure.'
+
+MP-1:
+ family: MP
+ name: Media Protection Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
+ b. Reviews and updates the current:
+ 1. Media protection policy [Assignment: organization-defined frequency]; and
+ 2. Media protection procedures [Assignment: organization-defined frequency].'
+
+MP-2:
+ family: MP
+ name: Media Access
+ description: |
+ 'The organization restricts access to [Assignment: organization-defined
+ types of digital and/or non-digital media] to [Assignment:
+ organization-defined personnel or roles].'
+
+MP-3:
+ family: MP
+ name: Media Marking
+ description: |
+ 'The organization:
+ a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
+ b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].'
+
+MP-4:
+ family: MP
+ name: Media Storage
+ description: |
+ 'The organization:
+ a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
+ b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.'
+
+MP-5:
+ family: MP
+ name: Media Transport
+ description: |
+ 'The organization:
+ a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
+ b. Maintains accountability for information system media during transport outside of controlled areas;
+ c. Documents activities associated with the transport of information system media; and
+ d. Restricts the activities associated with the transport of information system media to authorized personnel.'
+
+MP-5 (4):
+ family: MP
+ name: Media Transport | Cryptographic Protection
+ description: |
+ 'The information system implements cryptographic mechanisms to protect the
+ confidentiality and integrity of information stored on digital media during
+ transport outside of controlled areas.'
+
+MP-6:
+ family: MP
+ name: Media Sanitization
+ description: |
+ 'The organization:
+ a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
+ b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.'
+
+MP-6 (2):
+ family: MP
+ name: Media Sanitization | Equipment Testing
+ description: |
+ 'The organization tests sanitization equipment and procedures [Assignment:
+ organization-defined frequency] to verify that the intended sanitization is
+ being achieved.'
+
+MP-7:
+ family: MP
+ name: Media Use
+ description: |
+ 'The organization [Selection: restricts; prohibits] the use of [Assignment:
+ organization-defined types of information system media] on [Assignment:
+ organization-defined information systems or system components] using
+ [Assignment: organization-defined security safeguards].'
+
+MP-7 (1):
+ family: MP
+ name: Media Use | Prohibit Use without Owner
+ description: |
+ 'The organization prohibits the use of portable storage devices in
+ organizational information systems when such devices have no identifiable
+ owner.'
+
+PE-1:
+ family: PE
+ name: Physical and Environmental Protection Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
+ b. Reviews and updates the current:
+ 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
+ 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].'
+
+PE-2:
+ family: PE
+ name: Physical Access Authorizations
+ description: |
+ 'The organization:
+ a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
+ b. Issues authorization credentials for facility access;
+ c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
+ d. Removes individuals from the facility access list when access is no longer required.'
+
+PE-3:
+ family: PE
+ name: Physical Access Control
+ description: |
+ 'The organization:
+ a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
+ 1. Verifying individual access authorizations before granting access to the facility; and
+ 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
+ b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
+ c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
+ d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
+ e. Secures keys, combinations, and other physical access devices;
+ f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
+ g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.'
+
+PE-4:
+ family: PE
+ name: Access Control For Transmission Medium
+ description: |
+ 'The organization controls physical access to [Assignment:
+ organization-defined information system distribution and transmission lines]
+ within organizational facilities using [Assignment: organization-defined
+ security safeguards].'
+
+PE-5:
+ family: PE
+ name: Access Control For Output Devices
+ description: |
+ 'The organization controls physical access to information system output
+ devices to prevent unauthorized individuals from obtaining the output.'
+
+PE-6:
+ family: PE
+ name: Monitoring Physical Access
+ description: |
+ 'The organization:
+ a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
+ b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
+ c. Coordinates results of reviews and investigations with the organizational incident response capability.'
+
+PE-6 (1):
+ family: PE
+ name: Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment
+ description: |
+ 'The organization monitors physical intrusion alarms and surveillance
+ equipment.'
+
+PE-8:
+ family: PE
+ name: Visitor Access Records
+ description: |
+ 'The organization:
+ a. Maintains visitor access records to the facility where the information
+ system resides for [Assignment: organization-defined time period]; and
+ b. Reviews visitor access records [Assignment: organization-defined
+ frequency].'
+
+PE-9:
+ family: PE
+ name: Power Equipment and Cabling
+ description: |
+ 'The organization protects power equipment and power cabling for the
+ information system from damage and destruction.'
+
+PE-10:
+ family: PE
+ name: Emergency Shutoff
+ description: |
+ 'The organization:
+ a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
+ b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
+ c. Protects emergency power shutoff capability from unauthorized activation.'
+
+PE-11:
+ family: PE
+ name: Emergency Power
+ description: |
+ 'The organization provides a short-term uninterruptible power supply to
+ facilitate [Selection (one or more): an orderly shutdown of the information
+ system; transition of the information system to long-term alternate power]
+ in the event of a primary power source loss.'
+
+PE-12:
+ family: PE
+ name: Emergency Lighting
+ description: |
+ 'The organization employs and maintains automatic emergency lighting for the
+ information system that activates in the event of a power outage or
+ disruption and that covers emergency exits and evacuation routes within the
+ facility.'
+
+PE-13:
+ family: PE
+ name: Fire Protection
+ description: |
+ 'The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.'
+
+PE-13 (2):
+ family: PE
+ name: Fire Protection | Suppression Devices / Systems
+ description: |
+ 'The organization employs fire suppression devices/systems for the
+ information system that provide automatic notification of any activation to
+ Assignment: organization-defined personnel or roles] and [Assignment:
+ organization-defined emergency responders].'
+
+PE-13 (3):
+ family: PE
+ name: Fire Protection | Automatic Fire Suppression
+ description: |
+ 'The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.'
+
+PE-14:
+ family: PE
+ name: Temperature and Humidity Controls
+ description: |
+ 'The organization:
+ a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
+ b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].'
+
+PE-14 (2):
+ family: PE
+ name: Temperature and Humidity Controls | Monitoring With Alarms / Notifications
+ description: |
+ 'The organization employs temperature and humidity monitoring that provides
+ an alarm or notification of changes potentially harmful to personnel or
+ equipment.'
+
+PE-15:
+ family: PE
+ name: Water Damage Protection
+ description: |
+ 'The organization protects the information system from damage resulting from
+ water leakage by providing master shutoff or isolation valves that are
+ accessible, working properly, and known to key personnel.'
+
+PE-16:
+ family: PE
+ name: Delivery and Removal
+ description: |
+ 'The organization authorizes, monitors, and controls [Assignment:
+ organization-defined types of information system components] entering and
+ exiting the facility and maintains records of those items.'
+
+PE-17:
+ family: PE
+ name: Alternate Work Site
+ description: |
+ 'The organization:
+ a. Employs [Assignment: organization-defined security controls] at alternate work sites;
+ b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
+ c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.'
+
+PL-1:
+ family: PL
+ name: Security Planning Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
+ b. Reviews and updates the current:
+ 1. Security planning policy [Assignment: organization-defined frequency]; and
+ 2. Security planning procedures [Assignment: organization-defined frequency].'
+
+PL-2:
+ family: PL
+ name: System Security Plan
+ description: |
+ 'The organization:
+ a. Develops a security plan for the information system that:
+ 1. Is consistent with the organization''s enterprise architecture;
+ 2. Explicitly defines the authorization boundary for the system;
+ 3. Describes the operational context of the information system in terms of missions and business processes;
+ 4. Provides the security categorization of the information system including supporting rationale;
+ 5. Describes the operational environment for the information system and relationships with or connections to other information systems;
+ 6. Provides an overview of the security requirements for the system;
+ 7. Identifies any relevant overlays, if applicable;
+ 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
+ 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
+ b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
+ c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
+ d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
+ e. Protects the security plan from unauthorized disclosure and modification.'
+
+PL-2 (3):
+ family: PL
+ name: System Security Plan | Plan / Coordinate With Other Organizational Entities
+ description: |
+ 'The organization plans and coordinates security-related activities
+ affecting the information system with [Assignment: organization-defined
+ individuals or groups] before conducting such activities in order to reduce
+ the impact on other organizational entities.'
+
+PL-4:
+ family: PL
+ name: Rules of Behavior
+ description: |
+ 'The organization:
+ a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
+ b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
+ c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
+ d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.'
+
+PL-4 (1):
+ family: PL
+ name: Rules of Behavior | Social Media and Networking Restrictions
+ description: |
+ 'The organization includes in the rules of behavior, explicit restrictions
+ on the use of social media/networking sites and posting organizational
+ information on public websites.'
+
+PL-8:
+ family: PL
+ name: Information Security Architecture
+ description: |
+ 'The organization:
+ a. Develops an information security architecture for the information system that:
+ 1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
+ 2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
+ 3. Describes any information security assumptions about, and dependencies on, external services;
+ b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
+ c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.'
+
+PS-1:
+ family: PS
+ name: Personnel Security Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
+ b. Reviews and updates the current:
+ 1. Personnel security policy [Assignment: organization-defined frequency]; and
+ 2. Personnel security procedures [Assignment: organization-defined frequency].'
+
+PS-2:
+ family: PS
+ name: Position Risk Designation
+ description: |
+ 'The organization:
+ a. Assigns a risk designation to all organizational positions;
+ b. Establishes screening criteria for individuals filling those positions; and
+ c. Reviews and updates position risk designations [Assignment: organization-defined frequency].'
+
+PS-3:
+ family: PS
+ name: Personnel Screening
+ description: |
+ 'The organization:
+ a. Screens individuals prior to authorizing access to the information
+ system; and
+ b. Rescreens individuals according to [Assignment: organization-defined
+ conditions requiring rescreening and, where rescreening is so indicated, the
+ frequency of such rescreening].'
+
+PS-3 (3):
+ family: PS
+ name: Personnel Screening | Information With Special Protection Measures
+ description: |
+ 'The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
+ PS-3 (3)(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
+ PS-3 (3)(b) Satisfy [Assignment: organization-defined additional personnel screening criteria].'
+
+PS-4:
+ family: PS
+ name: Personnel Termination
+ description: |
+ 'The organization, upon termination of individual employment:
+ a. Disables information system access within [Assignment: organization-defined time period];
+ b. Terminates/revokes any authenticators/credentials associated with the individual;
+ c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
+ d. Retrieves all security-related organizational information system-related property;
+ e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
+ f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].'
+
+PS-5:
+ family: PS
+ name: Personnel Transfer
+ description: |
+ 'The organization:
+ a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
+ b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
+ c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
+ d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].'
+
+PS-6:
+ family: PS
+ name: Access Agreements
+ description: |
+ 'The organization:
+ a. Develops and documents access agreements for organizational information systems;
+ b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
+ c. Ensures that individuals requiring access to organizational information and information systems:
+ 1. Sign appropriate access agreements prior to being granted access; and
+ 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].'
+
+PS-7:
+ family: PS
+ name: Third-Party Personnel Security
+ description: |
+ 'The organization:
+ a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
+ b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
+ c. Documents personnel security requirements;
+ d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
+ e. Monitors provider compliance.'
+
+PS-8:
+ family: PS
+ name: Personnel Sanctions
+ description: |
+ 'The organization:
+ a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
+ b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.'
+
+RA-1:
+ family: RA
+ name: Risk Assessment Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
+ b. Reviews and updates the current:
+ 1. Risk assessment policy [Assignment: organization-defined frequency]; and
+ 2. Risk assessment procedures [Assignment: organization-defined frequency].'
+
+RA-2:
+ family: RA
+ name: Security Categorization
+ description: |
+ 'The organization:
+ a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
+ b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
+ c. Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.'
+
+RA-3:
+ family: RA
+ name: Risk Assessment
+ description: |
+ 'The organization:
+ a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
+ b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
+ c. Reviews risk assessment results [Assignment: organization-defined frequency];
+ d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
+ e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.'
+
+RA-5:
+ family: RA
+ name: Vulnerability Scanning
+ description: |
+ 'The organization:
+ a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
+ b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
+ 1. Enumerating platforms, software flaws, and improper configurations;
+ 2. Formatting checklists and test procedures; and
+ 3. Measuring vulnerability impact;
+ c. Analyzes vulnerability scan reports and results from security control assessments;
+ d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
+ e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).'
+
+RA-5 (1):
+ family: RA
+ name: Vulnerability Scanning | Update Tool Capability
+ description: |
+ 'The organization employs vulnerability scanning tools that include the
+ capability to readily update the information system vulnerabilities to be
+ scanned.'
+
+RA-5 (2):
+ family: RA
+ name: Vulnerability Scanning | Update by Frequency / Prior to New Scan / When Identified
+ description: |
+ 'The organization updates the information system vulnerabilities scanned
+ [Selection (one or more): [Assignment: organization-defined frequency];
+ prior to a new scan; when new vulnerabilities are identified and reported].'
+
+RA-5 (3):
+ family: RA
+ name: Vulnerability Scanning | Breadth / Depth of Coverage
+ description: |
+ 'The organization employs vulnerability scanning procedures that can
+ identify the breadth and depth of coverage (i.e., information system
+ components scanned and vulnerabilities checked).'
+
+RA-5 (5):
+ family: RA
+ name: Vulnerability Scanning | Privileged Access
+ description: |
+ 'The information system implements privileged access authorization to
+ [Assignment: organization-identified information system components] for
+ selected [Assignment: organization-defined vulnerability scanning
+ activities].'
+
+RA-5 (6):
+ family: RA
+ name: Vulnerability Scanning | Automated Trend Analyses
+ description: |
+ 'The organization employs automated mechanisms to compare the results of
+ vulnerability scans over time to determine trends in information system
+ vulnerabilities.'
+
+RA-5 (8):
+ family: RA
+ name: Vulnerability Scanning | Review Historic Audit Logs
+ description: |
+ 'The organization reviews historic audit logs to determine if a
+ vulnerability identified in the information system has been previously
+ exploited.'
+
+SA-1:
+ family: SA
+ name: System and Services Acquisition Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
+ b. Reviews and updates the current:
+ 1. System and services acquisition policy [Assignment: organization-defined frequency]; and
+ 2. System and services acquisition procedures [Assignment: organization-defined frequency].'
+
+SA-2:
+ family: SA
+ name: Allocation of Resources
+ description: |
+ 'The organization:
+ a. Determines information security requirements for the information system or information system service in mission/business process planning;
+ b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
+ c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.'
+
+SA-3:
+ family: SA
+ name: System Development Life Cycle
+ description: |
+ 'The organization:
+ a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
+ b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
+ c. Identifies individuals having information security roles and responsibilities; and
+ d. Integrates the organizational information security risk management process into system development life cycle activities.'
+
+SA-4:
+ family: SA
+ name: Acquisition Process
+ description: |
+ 'The organization includes the following requirements, descriptions, and
+ criteria, explicitly or by reference, in the acquisition contract for the
+ information system, system component, or information system service in
+ accordance with applicable federal laws, Executive Orders, directives,
+ policies, regulations, standards, guidelines, and organizational
+ mission/business needs:
+ a. Security functional requirements;
+ b. Security strength requirements;
+ c. Security assurance requirements;
+ d. Security-related documentation requirements;
+ e. Requirements for protecting security-related documentation;
+ f. Description of the information system development environment and
+ environment in which the system is intended to operate; and
+ g. Acceptance criteria.'
+
+SA-4 (1):
+ family: SA
+ name: Acquisition Process | Functional Properties of Security Controls
+ description: |
+ 'The organization requires the developer of the information system, system
+ component, or information system service to provide a description of the
+ functional properties of the security controls to be employed.'
+
+SA-4 (2):
+ family: SA
+ name: Acquisition Process | Design / Implementation Information for Security Controls
+ description: |
+ 'The organization requires the developer of the information system, system
+ component, or information system service to provide design and
+ implementation information for the security controls to be employed that
+ includes: [Selection (one or more): security-relevant external system
+ interfaces; high-level design; low-level design; source code or hardware
+ schematics; [Assignment: organization-defined design/implementation
+ information]] at [Assignment: organization-defined level of detail].'
+
+SA-4 (8):
+ family: SA
+ name: Acquisition Process | Continuous Monitoring Plan
+ description: |
+ 'The organization requires the developer of the information system, system
+ component, or information system service to produce a plan for the
+ continuous monitoring of security control effectiveness that contains
+ [Assignment: organization-defined level of detail].'
+
+SA-4 (9):
+ family: SA
+ name: Acquisition Process | Functions / Ports / Protocols / Services in Use
+ description: |
+ 'The organization requires the developer of the information system, system
+ component, or information system service to identify early in the system
+ development life cycle, the functions, ports, protocols, and services
+ intended for organizational use.'
+
+SA-4 (10):
+ family: SA
+ name: Acquisition Process | Use of Approved PIV Products
+ description: |
+ 'The organization employs only information technology products on the FIPS
+ 201-approved products list for Personal Identity Verification (PIV)
+ capability implemented within organizational information systems.'
+
+SA-5:
+ family: SA
+ name: Information System Documentation
+ description: |
+ 'The organization:
+ a. Obtains administrator documentation for the information system, system component, or information system service that describes:
+ 1. Secure configuration, installation, and operation of the system, component, or service;
+ 2. Effective use and maintenance of security functions/mechanisms; and
+ 3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
+ b. Obtains user documentation for the information system, system component, or information system service that describes:
+ 1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
+ 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
+ 3. User responsibilities in maintaining the security of the system, component, or service;
+ c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;
+ d. Protects documentation as required, in accordance with the risk management strategy; and
+ e. Distributes documentation to [Assignment: organization-defined personnel or roles].'
+
+SA-8:
+ family: SA
+ name: Security Engineering Principles
+ description: |
+ 'The organization applies information system security engineering principles
+ in the specification, design, development, implementation, and modification
+ of the information system.'
+
+SA-9:
+ family: SA
+ name: External Information System Services
+ description: |
+ 'The organization:
+ a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
+ b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
+ c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.'
+
+SA-9 (1):
+ family: SA
+ name: External Information Systems | Risk Assessments / Organizational Approvals
+ description: |
+ 'The organization:
+ SA-9 (1)(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
+ SA-9 (1)(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].'
+
+SA-9 (2):
+ family: SA
+ name: External Information Systems | Identification of Functions / Ports / Protocols
+ / Services
+ description: |
+ 'The organization requires providers of [Assignment: organization-defined
+ external information system services] to identify the functions, ports,
+ protocols, and other services required for the use of such services.'
+
+SA-9 (4):
+ family: SA
+ name: External Information Systems | Consistent Interests of Consumers and Providers
+ description: |
+ 'The organization employs [Assignment: organization-defined security
+ safeguards] to ensure that the interests of [Assignment:
+ organization-defined external service providers] are consistent with and
+ reflect organizational interests.'
+
+SA-9 (5):
+ family: SA
+ name: External Information Systems | Processing, Storage, and Service Location
+ description: |
+ 'The organization restricts the location of [Selection (one or more):
+ information processing; information/data; information system services] to
+ [Assignment: organization-defined locations] based on [Assignment:
+ organization-defined requirements or conditions].'
+
+SA-10:
+ family: SA
+ name: Developer Configuration Management
+ description: |
+ 'The organization requires the developer of the information system, system component, or information system service to:
+ a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
+ b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
+ c. Implement only organization-approved changes to the system, component, or service;
+ d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
+ e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].'
+
+SA-10 (1):
+ family: SA
+ name: Developer Configuration Management | Software / Firmware Integrity Verification
+ description: |
+ 'The organization requires the developer of the information system, system
+ component, or information system service to enable integrity verification of
+ software and firmware components.'
+
+SA-11:
+ family: SA
+ name: Developer Security Testing and Evaluation
+ description: |
+ 'The organization requires the developer of the information system, system component, or information system service to:
+ a. Create and implement a security assessment plan;
+ b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
+ c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
+ d. Implement a verifiable flaw remediation process; and
+ e. Correct flaws identified during security testing/evaluation.'
+
+SA-11 (1):
+ family: SA
+ name: Developer Security Testing and Evaluation | Static Code Analysis
+ description: |
+ 'The organization requires the developer of the information system, system
+ component, or information system service to employ static code analysis
+ tools to identify common flaws and document the results of the analysis.'
+
+SA-11 (2):
+ family: SA
+ name: Developer Security Testing and Evaluation | Threat and Vulnerability Analyses
+ description: |
+ 'The organization requires the developer of the information system, system
+ component, or information system service to perform threat and vulnerability
+ analyses and subsequent testing/evaluation of the as-built system,
+ component, or service.'
+
+SA-11 (8):
+ family: SA
+ name: Developer Security Testing and Evaluation | Dynamic Code Analysis
+ description: |
+ 'The organization requires the developer of the information system, system
+ component, or information system service to employ dynamic code analysis
+ tools to identify common flaws and document the results of the analysis.'
+
+SA-22:
+ family: SA
+ name: Unsupported System Components
+ description: |
+ 'The organization:
+ a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
+ b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.'
+
+SA-22 (1):
+ family: SA
+ name: Unsupported System Components
+ description: |
+ 'The organization provides [Selection (one or more): in-house support;
+ [Assignment: organization-defined support from external providers]] for
+ unsupported information system components.'
+
+SC-1:
+ family: SC
+ name: System and Communications Protection Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
+ b. Reviews and updates the current:
+ 1. System and communications protection policy [Assignment: organization-defined frequency]; and
+ 2. System and communications protection procedures [Assignment: organization-defined frequency].'
+
+SC-2:
+ family: SC
+ name: Application Partitioning
+ description: |
+ 'The information system separates user functionality (including user
+ interface services) from information system management functionality.'
+
+SC-4:
+ family: SC
+ name: Information In Shared Resources
+ description: |
+ 'The information system prevents unauthorized and unintended information
+ transfer via shared system resources.'
+
+SC-5:
+ family: SC
+ name: Denial of Service Protection
+ description: |
+ 'The information system protects against or limits the effects of the
+ following types of denial of service attacks: [Assignment:
+ organization-defined types of denial of service attacks or references to
+ sources for such information] by employing [Assignment: organization-defined
+ security safeguards].'
+
+SC-6:
+ family: SC
+ name: Resource Availability
+ description: |
+ 'The information system protects the availability of resources by allocating
+ [Assignment: organization-defined resources] by [Selection (one or more);
+ priority; quota; [Assignment: organization-defined security safeguards]].'
+
+SC-7:
+ family: SC
+ name: Boundary Protection
+ description: |
+ 'The information system:
+ a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
+ b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
+ c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.'
+
+SC-7 (3):
+ family: SC
+ name: Boundary Protection | Access Points
+ description: |
+ 'The organization limits the number of external network connections to the
+ information system.'
+
+SC-7 (4):
+ family: SC
+ name: Boundary Protection | External Telecommunications Services
+ description: |
+ 'The organization:
+ SC-7 (4)(a) Implements a managed interface for each external telecommunication service;
+ SC-7 (4)(b) Establishes a traffic flow policy for each managed interface;
+ SC-7 (4)(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
+ SC-7 (4)(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
+ SC-7 (4)(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.'
+
+SC-7 (5):
+ family: SC
+ name: Boundary Protection | Deny by Default / Allow by Exception
+ description: |
+ 'The information system at managed interfaces denies network communications
+ traffic by default and allows network communications traffic by exception
+ (i.e., deny all, permit by exception).'
+
+SC-7 (7):
+ family: SC
+ name: Boundary Protection | Prevent Split Tunneling for Remote Devices
+ description: |
+ 'The information system, in conjunction with a remote device, prevents the
+ device from simultaneously establishing non-remote connections with the
+ system and communicating via some other connection to resources in external
+ networks.'
+
+SC-7 (8):
+ family: SC
+ name: Boundary Protection | Route Traffic to Authenticated Proxy Servers
+ description: |
+ 'The information system routes [Assignment: organization-defined internal
+ communications traffic] to [Assignment: organization-defined external
+ networks] through authenticated proxy servers at managed interfaces.'
+
+SC-7 (12):
+ family: SC
+ name: Boundary Protection | Host-Based Protection
+ description: |
+ 'The organization implements [Assignment: organization-defined host-based
+ boundary protection mechanisms] at [Assignment: organization-defined
+ information system components].'
+
+SC-7 (13):
+ family: SC
+ name: Boundary Protection | Isolation of Security Tools / Mechanisms / Support Components
+ description: |
+ 'The organization isolates [Assignment: organization-defined information
+ security tools, mechanisms, and support components] from other internal
+ information system components by implementing physically separate
+ subnetworks with managed interfaces to other components of the system.'
+
+SC-7 (18):
+ family: SC
+ name: Boundary Protection | Fail Secure
+ description: |
+ 'The information system fails securely in the event of an operational
+ failure of a boundary protection device.'
+
+SC-8:
+ family: SC
+ name: Transmission Confidentiality and Integrity
+ description: |
+ 'The information system protects the [Selection (one or more):
+ confidentiality; integrity] of transmitted information.'
+
+SC-8 (1):
+ family: SC
+ name: Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical
+ Protection
+ description: |
+ 'The information system implements cryptographic mechanisms to [Selection
+ (one or more): prevent unauthorized disclosure of information; detect
+ changes to information] during transmission unless otherwise protected by
+ [Assignment: organization-defined alternative physical safeguards].'
+
+SC-10:
+ family: SC
+ name: Network Disconnect
+ description: |
+ 'The information system terminates the network connection associated with a
+ communications session at the end of the session or after [Assignment:
+ organization-defined time period] of inactivity.'
+
+SC-12:
+ family: SC
+ name: Cryptographic Key Establishment and Management
+ description: |
+ 'The organization establishes and manages cryptographic keys for required
+ cryptography employed within the information system in accordance with
+ [Assignment: organization-defined requirements for key generation,
+ distribution, storage, access, and destruction].'
+
+SC-12 (1):
+ family: SC
+ name: Cryptographic Key Establishment and Management | Availability
+ description: |
+ 'The organization maintains availability of information in the event of the
+ loss of cryptographic keys by users.'
+
+SC-12 (2):
+ family: SC
+ name: Cryptographic Key Establishment and Management | Symmetric Keys
+ description: |
+ 'The organization produces, controls, and distributes symmetric
+ cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key
+ management technology and processes.'
+
+SC-12 (3):
+ family: SC
+ name: Cryptographic Key Establishment and Management | Asymmetric Keys
+ description: |
+ 'The organization produces, controls, and distributes asymmetric
+ cryptographic keys using [Selection: NSA-approved key management technology
+ and processes; approved PKI Class 3 certificates or prepositioned keying
+ material; approved PKI Class 3 or Class 4 certificates and hardware security
+ tokens that protect the user''s private key].'
+
+SC-13:
+ family: SC
+ name: Cryptographic Protection
+ description: |
+ 'The information system implements [Assignment: organization-defined
+ cryptographic uses and type of cryptography required for each use] in
+ accordance with applicable federal laws, Executive Orders, directives,
+ policies, regulations, and standards.'
+
+SC-15:
+ family: SC
+ name: Collaborative Computing Devices
+ description: |
+ 'The information system:
+ a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
+ b. Provides an explicit indication of use to users physically present at the devices.'
+
+SC-17:
+ family: SC
+ name: Public Key Infrastructure Certificates
+ description: |
+ 'The organization issues public key certificates under an [Assignment:
+ organization-defined certificate policy] or obtains public key certificates
+ from an approved service provider.'
+
+SC-18:
+ family: SC
+ name: Mobile Code
+ description: |
+ 'The organization:
+ a. Defines acceptable and unacceptable mobile code and mobile code technologies;
+ b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
+ c. Authorizes, monitors, and controls the use of mobile code within the information system.'
+
+SC-19:
+ family: SC
+ name: Voice Over Internet Protocol
+ description: |
+ 'The organization:
+ a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
+ b. Authorizes, monitors, and controls the use of VoIP within the information system.'
+
+SC-20:
+ family: SC
+ name: Secure Name / Address Resolution Service (Authoritative Source)
+ description: |
+ 'The information system:
+ a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
+ b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.'
+
+SC-21:
+ family: SC
+ name: Secure Name / Address Resolution Service (Recursive or Caching Resolver)
+ description: |
+ 'The information system requests and performs data origin authentication and
+ data integrity verification on the name/address resolution responses the
+ system receives from authoritative sources.'
+
+SC-22:
+ family: SC
+ name: Architecture and Provisioning for Name / Address Resolution Service
+ description: |
+ 'The information systems that collectively provide name/address resolution
+ service for an organization are fault-tolerant and implement
+ internal/external role separation.'
+
+SC-23:
+ family: SC
+ name: Session Authenticity
+ description: |
+ 'The information system protects the authenticity of communications sessions.'
+
+SC-28:
+ family: SC
+ name: Protection of Information At Rest
+ description: |
+ 'The information system protects the [Selection (one or more):
+ confidentiality; integrity] of [Assignment: organization-defined information
+ at rest].'
+
+SC-28 (1):
+ family: SC
+ name: Protection Of Information At Rest | Cryptographic Protection
+ description: |
+ 'The information system implements cryptographic mechanisms to prevent
+ unauthorized disclosure and modification of [Assignment:
+ organization-defined information] on [Assignment: organization-defined
+ information system components].'
+
+SC-39:
+ family: SC
+ name: Process Isolation
+ description: |
+ 'The information system maintains a separate execution domain for each
+ executing process.'
+
+SI-1:
+ family: SI
+ name: System and Information Integrity Policy and Procedures
+ description: |
+ 'The organization:
+ a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
+ 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+ 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
+ b. Reviews and updates the current:
+ 1. System and information integrity policy [Assignment: organization-defined frequency]; and
+ 2. System and information integrity procedures [Assignment: organization-defined frequency].'
+
+SI-2:
+ family: SI
+ name: Flaw Remediation
+ description: |
+ 'The organization:
+ a. Identifies, reports, and corrects information system flaws;
+ b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
+ c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
+ d. Incorporates flaw remediation into the organizational configuration management process.'
+
+SI-2 (2):
+ family: SI
+ name: Flaw Remediation | Automated Flaw Remediation Status
+ description: |
+ 'The organization employs automated mechanisms [Assignment:
+ organization-defined frequency] to determine the state of information system
+ components with regard to flaw remediation.'
+
+SI-2 (3):
+ family: SI
+ name: Flaw Remediation | Time to Remediate Flaws / Benchmarks for Corrective Actions
+ description: |
+ 'The organization:
+ SI-2 (3)(a) Measures the time between flaw identification and flaw remediation; and
+ SI-2 (3)(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.'
+
+SI-3:
+ family: SI
+ name: Malicious Code Protection
+ description: |
+ 'The organization:
+ a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
+ b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
+ c. Configures malicious code protection mechanisms to:
+ 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
+ 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
+ d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.'
+
+SI-3 (1):
+ family: SI
+ name: Malicious Code Protection | Central Management
+ description: |
+ 'The organization centrally manages malicious code protection mechanisms.'
+
+SI-3 (2):
+ family: SI
+ name: Malicious Code Protection | Automatic Updates
+ description: |
+ 'The information system automatically updates malicious code protection
+ mechanisms.'
+
+SI-3 (7):
+ family: SI
+ name: Malicious Code Protection | Nonsignature-Based Detection
+ description: |
+ 'The information system implements nonsignature-based malicious code
+ detection mechanisms.'
+
+SI-4:
+ family: SI
+ name: Information System Monitoring
+ description: |
+ 'The organization:
+ a. Monitors the information system to detect:
+ 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
+ 2. Unauthorized local, network, and remote connections;
+ b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
+ c. Deploys monitoring devices:
+ 1. Strategically within the information system to collect organization-determined essential information; and
+ 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
+ d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
+ e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
+ f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
+ g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].'
+
+SI-4 (1):
+ family: SI
+ name: Information System Monitoring | System-Wide Intrusion Detection System
+ description: |
+ 'The organization connects and configures individual intrusion detection
+ tools into an information system-wide intrusion detection system.'
+
+SI-4 (2):
+ family: SI
+ name: Information System Monitoring | Automated Tools For Real-Time Analysis
+ description: |
+ 'The organization employs automated tools to support near real-time analysis
+ of events.'
+
+SI-4 (4):
+ family: SI
+ name: Information System Monitoring | Inbound and Outbound Communications Traffic
+ description: |
+ 'The information system monitors inbound and outbound communications traffic
+ [Assignment: organization-defined frequency] for unusual or unauthorized
+ activities or conditions.'
+
+SI-4 (5):
+ family: SI
+ name: Information System Monitoring | System-Generated Alerts
+ description: |
+ 'The information system alerts [Assignment: organization-defined personnel
+ or roles] when the following indications of compromise or potential
+ compromise occur: [Assignment: organization-defined compromise indicators].'
+
+SI-4(14):
+ family: SI
+ name: Information System Monitoring | Wireless Intrusion Detection
+ description: |
+ 'The organization employs a wireless intrusion detection system to identify
+ rogue wireless devices and to detect attack attempts and potential
+ compromises/breaches to the information system.'
+
+SI-4 (16):
+ family: SI
+ name: Information System Monitoring | Correlate Monitoring Information
+ description: |
+ 'The organization correlates information from monitoring tools employed
+ throughout the information system.'
+
+SI-4 (23):
+ family: SI
+ name: Information System Monitoring | Host-Based Devices
+ description: |
+ 'The organization implements [Assignment: organization-defined host-based
+ monitoring mechanisms] at [Assignment: organization-defined information
+ system components].'
+
+SI-5:
+ family: SI
+ name: Security Alerts, Advisories, and Directives
+ description: |
+ 'The organization:
+ a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
+ b. Generates internal security alerts, advisories, and directives as deemed necessary;
+ c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
+ d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.'
+
+SI-6:
+ family: SI
+ name: Security Function Verification
+ description: |
+ 'The information system:
+ a. Verifies the correct operation of [Assignment: organization-defined security functions];
+ b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
+ c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
+ d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.'
+
+SI-7:
+ family: SI
+ name: Software, Firmware, and Information Integrity
+ description: |
+ 'The organization employs integrity verification tools to detect
+ unauthorized changes to [Assignment: organization-defined software,
+ firmware, and information].'
+
+SI-7 (1):
+ family: SI
+ name: Software, Firmware, and Information Integrity | Integrity Checks
+ description: |
+ 'The information system performs an integrity check of [Assignment:
+ organization-defined software, firmware, and information] [Selection (one or
+ more): at startup; at [Assignment: organization-defined transitional states
+ or security-relevant events]; [Assignment: organization-defined
+ frequency]].'
+
+SI-7 (7):
+ family: SI
+ name: Software, Firmware, and Information Integrity | Integration of Detection and
+ Response
+ description: |
+ 'The organization incorporates the detection of unauthorized [Assignment:
+ organization-defined security-relevant changes to the information system]
+ into the organizational incident response capability.'
+
+SI-8:
+ family: SI
+ name: Spam Protection
+ description: |
+ 'The organization:
+ a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
+ b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.'
+
+SI-8 (1):
+ family: SI
+ name: Spam Protection | essential Management
+ description: |
+ 'The organization centrally manages spam protection mechanisms.'
+
+SI-8 (2):
+ family: SI
+ name: Spam Protection | Automatic Updates
+ description: |
+ 'The information system automatically updates spam protection mechanisms.'
+
+SI-10:
+ family: SI
+ name: Information Input Validation
+ description: |
+ 'The information system checks the validity of [Assignment:
+ organization-defined information inputs].'
+
+SI-11:
+ family: SI
+ name: Error Handling
+ description: |
+ 'The information system:
+ a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
+ b. Reveals error messages only to [Assignment: organization-defined personnel or roles].'
+
+SI-12:
+ family: SI
+ name: Information Handling and Retention
+ description: |
+ 'The organization handles and retains information within the information
+ system and information output from the system in accordance with applicable
+ federal laws, Executive Orders, directives, policies, regulations,
+ standards, and operational requirements.'
+
+SI-16:
+ family: SI
+ name: Memory Protection
+ description: |
+ 'The information system implements [Assignment: organization-defined
+ security safeguards] to protect its memory from unauthorized code
+ execution.'
+
+name: NIST-800-53