Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }}; Implement the configuration settings; Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
family CM
framework nist-800-53
Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}.
family CM
framework nist-800-53
Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}.
family CM
framework nist-800-53
family CM
framework nist-800-53
family CM
framework nist-800-53
Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}.
family CM
framework nist-800-53
Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and Disable or remove {{ insert: param, cm-7.1_prm_2 }}.
family CM
framework nist-800-53
Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}.
family CM
framework nist-800-53
Ensure compliance with {{ insert: param, cm-07.03_odp }}.
family CM
framework nist-800-53
Identify {{ insert: param, cm-07.04_odp.01 }}; Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and Review and update the list of unauthorized software programs {{ insert: param, cm-07.04_odp.02 }}.
family CM
framework nist-800-53
Identify {{ insert: param, cm-07.05_odp.01 }}; Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}.
family CM
framework nist-800-53
Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: {{ insert: param, cm-07.06_odp }}.
family CM
framework nist-800-53
Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of {{ insert: param, cm-07.07_odp }} when such code is: Obtained from sources with limited or no warranty; and/or Without the provision of source code.
family CM
framework nist-800-53
Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.
family CM
framework nist-800-53
Identify {{ insert: param, cm-07.09_odp.01 }}; Prohibit the use or connection of unauthorized hardware components; Review and update the list of authorized hardware components {{ insert: param, cm-07.09_odp.02 }}.
family CM
framework nist-800-53
Develop and document an inventory of system components that: Accurately reflects the system; Includes all components within the system; Does not include duplicate accounting of components or components assigned to any other system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}.
family CM
framework nist-800-53
Update the inventory of system components as part of component installations, removals, and system updates.
family CM
framework nist-800-53
Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}.
family CM
framework nist-800-53
Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}.
family CM
framework nist-800-53
Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }} , individuals responsible and accountable for administering those components.
family CM
framework nist-800-53
family CM
framework nist-800-53
Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
family CM
framework nist-800-53
Provide a centralized repository for the inventory of system components.
family CM
framework nist-800-53
Support the tracking of system components by geographic location using {{ insert: param, cm-08.08_odp }}.
family CM
framework nist-800-53
Assign system components to a system; and Receive an acknowledgement from {{ insert: param, cm-08.09_odp }} of this assignment.
family CM
framework nist-800-53
Develop, document, and implement a configuration management plan for the system that: Addresses roles, responsibilities, and configuration management processes and procedures; Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; Defines the configuration items for the system and places the configuration items under configuration management; Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and Protects the configuration management plan from unauthorized disclosure and modification.
family CM
framework nist-800-53
Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
family CM
framework nist-800-53
family CP
framework nist-800-53
family CP
framework nist-800-53
family CP
framework nist-800-53
family CP
framework nist-800-53
Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}: {{ insert: param, cp-01_odp.03 }} contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and Review and update the current contingency planning: Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}.
family CP
framework nist-800-53
Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure.
family CP
framework nist-800-53
family CP
framework nist-800-53
Implement transaction recovery for systems that are transaction-based.
family CP
framework nist-800-53
Addressed through tailoring.
family CP
framework nist-800-53
Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components.
family CP
framework nist-800-53
family CP
framework nist-800-53
Protect system components used for recovery and reconstitution.
family CP
framework nist-800-53
Provide the capability to employ {{ insert: param, cp-11_odp }} in support of maintaining continuity of operations.
family CP
framework nist-800-53
When {{ insert: param, cp-12_odp.02 }} are detected, enter a safe mode of operation with {{ insert: param, cp-12_odp.01 }}.
family CP
framework nist-800-53
Employ {{ insert: param, cp-13_odp.01 }} for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised.
family CP
framework nist-800-53
Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; Addresses the sharing of contingency information; and Is reviewed and approved by {{ insert: param, cp-2_prm_1 }}; Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }}; Coordinate contingency planning activities with incident handling activities; Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }}; Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }}; Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and Protect the contingency plan from unauthorized disclosure and modification.
family CP
framework nist-800-53
Coordinate contingency plan development with organizational elements responsible for related plans.
family CP
framework nist-800-53
Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
family CP
framework nist-800-53
Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.
family CP
framework nist-800-53
family CP
framework nist-800-53
Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.
family CP
framework nist-800-53
Plan for the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.
family CP
framework nist-800-53
Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
family CP
framework nist-800-53
Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions.
family CP
framework nist-800-53
Provide contingency training to system users consistent with assigned roles and responsibilities: Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility; When required by system changes; and {{ insert: param, cp-03_odp.02 }} thereafter; and Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}.
family CP
framework nist-800-53
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
family CP
framework nist-800-53
Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.
family CP
framework nist-800-53
Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}. Review the contingency plan test results; and Initiate corrective actions, if needed.
family CP
framework nist-800-53
Coordinate contingency plan testing with organizational elements responsible for related plans.
family CP
framework nist-800-53
Test the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing site to support contingency operations.
family CP
framework nist-800-53
Test the contingency plan using {{ insert: param, cp-04.03_odp }}.
family CP
framework nist-800-53
Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.
family CP
framework nist-800-53
Employ {{ insert: param, cp-04.05_odp.01 }} to {{ insert: param, cp-04.05_odp.02 }} to disrupt and adversely affect the system or system component.
family CP
framework nist-800-53
family CP
framework nist-800-53
Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and Ensure that the alternate storage site provides controls equivalent to that of the primary site.
family CP
framework nist-800-53
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
family CP
framework nist-800-53
Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
family CP
framework nist-800-53
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
family CP
framework nist-800-53
Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable; Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and Provide controls at the alternate processing site that are equivalent to those at the primary site.
family CP
framework nist-800-53
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
family CP
framework nist-800-53
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
family CP
framework nist-800-53
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
family CP
framework nist-800-53
Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
family CP
framework nist-800-53
family CP
framework nist-800-53
Plan and prepare for circumstances that preclude returning to the primary processing site.
family CP
framework nist-800-53
Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
family CP
framework nist-800-53
Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
family CP
framework nist-800-53
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
family CP
framework nist-800-53
Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
family CP
framework nist-800-53
Require primary and alternate telecommunications service providers to have contingency plans; Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}.
family CP
framework nist-800-53
Test alternate telecommunication services {{ insert: param, cp-08.05_odp }}.
family CP
framework nist-800-53
Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }}; Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }}; Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and Protect the confidentiality, integrity, and availability of backup information.
family CP
framework nist-800-53
Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity.
family CP
framework nist-800-53