Information Assurance Minimum Security Controls Checklist
INFORMATION ASSURANCE MINIMUM SECURITY CONTROL CHECKLIST
(Place a checkmark in front of each applicable SIN)
______ SIN 132-54, Commercial Satellite Communications (COMSATCOM) Transponded Capacity Services
______ SIN 132-55, Commercial Satellite Communications (COMSATCOM) Subscription Services
INSTRUCTIONS:
(i) Federal policy specifies Government customer compliance with the Federal Information Security Management Act of
2002 as implemented by Federal Information Processing Standards Publication 200 (FIPS 200), “Minimum Security Requirements for Federal Information and Information Systems.” This standard specifies minimum security requirements
Federal agencies must meet, defined through the use of security controls described in National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems
and Organizations,” DoD Instruction (DoDI) 8500.2, “Information Assurance Implementation,” and associated documents.
(ii) Complete the enclosed Information Assurance Checklist. For those items in [brackets] found within some of the
descriptions, please replace the [brackets] with information about how you currently execute or propose to implement
those items. A separate Information Assurance Checklist is required for each COMSATCOM SIN (SIN 132-54, SIN 132-
55) for which the Offeror is applying. However, if the Offeror is applying for both COMSATCOM SINs, and the
responses to the Checklist are identical for both COMSATCOM SINs, the Offeror may provide copies of the same
Checklist for SIN 132-54 and for SIN 132-55.
(iii) The Government will evaluate the Information Assurance Checklist submitted as part of Offeror’s proposal to
determine whether the Offeror understands the minimum security controls, and has processes, personnel, and
infrastructure that currently complies or demonstrates a reasonable approach to becoming compliant with all the minimum
security controls for at least a low-impact information system or MAC III system.
Checklist columns: CONTROL NAME; References (DoDI 8500.2 / NIST SP 800-53); Threshold for a Low-Impact Information System (FIPS 200 / NIST SP 800-53) or MAC III system (DoDI 8500.2), generally commercial best practices; Explain Your Current Compliance OR Actions to Become Compliant. Each control below is listed with these entries; the last entry is left blank for the Offeror to complete.

Access Control

AC-1  ACCESS CONTROL POLICY AND PROCEDURES
  DoDI 8500.2 references: ECAN-1, ECPA-1, PRAS-1, DCAR-1
  Threshold (Low-Impact / MAC III): The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
    a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
  Current compliance or actions to become compliant: ______________________

AC-2  ACCOUNT MANAGEMENT
  DoDI 8500.2 references: IAAC-1
  Threshold (Low-Impact / MAC III): The organization manages information system accounts, including:
    a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
    b. Establishing conditions for group membership;
    c. Identifying authorized users of the information system and specifying access privileges;
    d. Requiring appropriate approvals for requests to establish accounts;
    e. Establishing, activating, modifying, disabling, and removing accounts;
    f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
    g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
    h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
    i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
    j. Reviewing accounts [Assignment: organization-defined frequency].
  Current compliance or actions to become compliant: ______________________
AC-3  ACCESS ENFORCEMENT
  DoDI 8500.2 references: DCFA-1, ECAN-1, EBRU-1, PRNK-1, ECCD-1, ECSD-2
  Threshold (Low-Impact / MAC III): The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
  Current compliance or actions to become compliant: ______________________

AC-4  INFORMATION FLOW ENFORCEMENT
  DoDI 8500.2 references: EBBD-1, EBBD-2
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for NIST Moderate or High Impact, or DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-5  SEPARATION OF DUTIES
  DoDI 8500.2 references: ECLP-1
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for NIST Moderate or High Impact, or DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-6  LEAST PRIVILEGE
  DoDI 8500.2 references: ECLP-1
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for NIST Moderate or High Impact, or DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-7  UNSUCCESSFUL LOGIN ATTEMPTS
  DoDI 8500.2 references: ECLO-1
  Threshold (Low-Impact / MAC III): The information system:
    a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period]; and
    b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
  Current compliance or actions to become compliant: ______________________

AC-8  SYSTEM USE NOTIFICATION
  DoDI 8500.2 references: ECWM-1
  Threshold (Low-Impact / MAC III): The information system:
    a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
    b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
    c. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system a description of the authorized uses of the system.
  Current compliance or actions to become compliant: ______________________

AC-9  PREVIOUS LOGON (ACCESS) NOTIFICATION
  DoDI 8500.2 references: none listed
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-10  CONCURRENT SESSION CONTROL
  DoDI 8500.2 references: ECLO-1
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for NIST Moderate or High Impact, or DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-11  SESSION LOCK
  DoDI 8500.2 references: PESL-1
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for NIST Moderate or High Impact, or DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________
AC-12  SESSION TERMINATION
  DoDI 8500.2 references: ---
  Threshold (Low-Impact / MAC III): Withdrawn: Incorporated into SC-10. Optional: (May be applicable for DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-13  SUPERVISION AND REVIEW — ACCESS CONTROL
  DoDI 8500.2 references: ECAT-1, ECAT-2, E3.3.9
  Threshold (Low-Impact / MAC III): Withdrawn: Incorporated into AC-2 and AU-6. Optional: (May be applicable for DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-14  PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
  DoDI 8500.2 references: ---
  Threshold (Low-Impact / MAC III): The organization:
    a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
    b. Documents and provides supporting rationale in the security plan for the information system for user actions not requiring identification and authentication.
  Current compliance or actions to become compliant: ______________________

AC-15  AUTOMATED MARKING
  DoDI 8500.2 references: ECML-1
  Threshold (Low-Impact / MAC III): Withdrawn: Incorporated into MP-3. Optional: (May be applicable for DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-16  SECURITY ATTRIBUTES
  DoDI 8500.2 references: none listed
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-17  REMOTE ACCESS
  DoDI 8500.2 references: EBRP-1, EBRU-1
  Threshold (Low-Impact / MAC III): The organization:
    a. Documents allowed methods of remote access to the information system;
    b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
    c. Monitors for unauthorized remote access to the information system;
    d. Authorizes remote access to the information system prior to connection; and
    e. Enforces requirements for remote connections to the information system.
  Current compliance or actions to become compliant: ______________________
AC-18  WIRELESS ACCESS
  DoDI 8500.2 references: ECCT-1, ECWN-1
  Threshold (Low-Impact / MAC III): The organization:
    a. Establishes usage restrictions and implementation guidance for wireless access;
    b. Monitors for unauthorized wireless access to the information system;
    c. Authorizes wireless access to the information system prior to connection; and
    d. Enforces requirements for wireless connections to the information system.
  Current compliance or actions to become compliant: ______________________

AC-19  ACCESS CONTROL FOR MOBILE DEVICES
  DoDI 8500.2 references: ECWN-1
  Threshold (Low-Impact / MAC III): The organization:
    a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
    b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
    c. Monitors for unauthorized connections of mobile devices to organizational information systems;
    d. Enforces requirements for the connection of mobile devices to organizational information systems;
    e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
    f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
    g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
  Current compliance or actions to become compliant: ______________________

AC-20  USE OF EXTERNAL INFORMATION SYSTEMS
  DoDI 8500.2 references: ---
  Threshold (Low-Impact / MAC III): The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
    a. Access the information system from the external information systems; and
    b. Process, store, and/or transmit organization-controlled information using the external information systems.
  Current compliance or actions to become compliant: ______________________

AC-21  USER-BASED COLLABORATION AND INFORMATION SHARING
  DoDI 8500.2 references: none listed
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________

AC-22  PUBLICLY ACCESSIBLE CONTENT
  DoDI 8500.2 references: none listed
  Threshold (Low-Impact / MAC III): The organization:
    a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
    b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
    c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
    d. Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and
    e. Removes nonpublic information from the publicly accessible organizational information system, if discovered.
  Current compliance or actions to become compliant: ______________________
Awareness and Training

AT-1  SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
  DoDI 8500.2 references: PRTN-1, DCAR-1
  Threshold (Low-Impact / MAC III): The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
    a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    b. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
  Current compliance or actions to become compliant: ______________________

AT-2  SECURITY AWARENESS
  DoDI 8500.2 references: PRTN-1
  Threshold (Low-Impact / MAC III): The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.
  Current compliance or actions to become compliant: ______________________

AT-3  SECURITY TRAINING
  DoDI 8500.2 references: PRTN-1
  Threshold (Low-Impact / MAC III): The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.
  Current compliance or actions to become compliant: ______________________

AT-4  SECURITY TRAINING RECORDS
  DoDI 8500.2 references: ---
  Threshold (Low-Impact / MAC III): The organization:
    a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
    b. Retains individual training records for [Assignment: organization-defined time period].
  Current compliance or actions to become compliant: ______________________

AT-5  CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
  DoDI 8500.2 references: none listed
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________
Audit and Accountability

AU-1  AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
  DoDI 8500.2 references: ECAT-1, ECTB-1, DCAR-1
  Threshold (Low-Impact / MAC III): The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
    a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
  Current compliance or actions to become compliant: ______________________

AU-2  AUDITABLE EVENTS
  DoDI 8500.2 references: ECAR-3
  Threshold (Low-Impact / MAC III): The organization:
    a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
    b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
    c. Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and
    d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].
  Current compliance or actions to become compliant: ______________________

AU-3  CONTENT OF AUDIT RECORDS
  DoDI 8500.2 references: ECAR-1, ECAR-2, ECAR-3, ECLC-1
  Threshold (Low-Impact / MAC III): The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
  Current compliance or actions to become compliant: ______________________

AU-4  AUDIT STORAGE CAPACITY
  DoDI 8500.2 references: ---
  Threshold (Low-Impact / MAC III): The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
  Current compliance or actions to become compliant: ______________________

AU-5  RESPONSE TO AUDIT PROCESSING FAILURES
  DoDI 8500.2 references: ---
  Threshold (Low-Impact / MAC III): The information system:
    a. Alerts designated organizational officials in the event of an audit processing failure; and
    b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
  Current compliance or actions to become compliant: ______________________

AU-6  AUDIT REVIEW, ANALYSIS, AND REPORTING
  DoDI 8500.2 references: ECAT-1, E3.3.9
  Threshold (Low-Impact / MAC III): The organization:
    a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
    b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
  Current compliance or actions to become compliant: ______________________
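The AC-7 lockout parameters and the AU-3 minimum record content, worked together as an added Python example; it is not part of the GSA checklist or of any NIST or DoD publication. The attempt limit, time period, lock duration, host name and IP addresses stand in for the [Assignment: ...] fields and are constructed placeholders.

```python
# Added example: AC-7 consecutive-failure lockout that emits AU-3-style audit
# records for every login decision. All numeric values and names are
# constructed placeholders for organization-defined assignments.
from collections import deque

MAX_ATTEMPTS = 3        # AC-7 a.: consecutive invalid attempts permitted per user
WINDOW_SECONDS = 900    # AC-7 a.: period over which consecutive attempts are counted
LOCK_SECONDS = 1800     # AC-7 b.: lock duration once MAX_ATTEMPTS is exceeded

# AU-3 minimum content: type, when, where, source, outcome, user/subject.
AU3_FIELDS = ("event_type", "timestamp", "where", "source", "outcome", "subject")


class LoginGuard:
    def __init__(self, host, now_fn):
        self.host = host            # "where" the event occurred (AU-3)
        self.now = now_fn           # injected clock returning epoch seconds
        self.failures = {}          # user -> deque of failure timestamps in the window
        self.locked_until = {}      # user -> epoch second at which the lock expires
        self.audit_log = []         # AU-3 records as dicts, oldest first

    def _audit(self, event_type, user, source, outcome):
        record = {"event_type": event_type, "timestamp": self.now(),
                  "where": self.host, "source": source,
                  "outcome": outcome, "subject": user}
        assert all(k in record for k in AU3_FIELDS)  # every AU-3 element is present
        self.audit_log.append(record)

    def attempt(self, user, source, credential_ok):
        """Return 'ok', 'failed' or 'locked'. AC-7 applies to local and network
        logons alike; 'source' only identifies the origin in the audit record."""
        t = self.now()
        if self.locked_until.get(user, 0) > t:
            self._audit("LOGIN", user, source, "DENIED_LOCKED")
            return "locked"                 # even a correct credential is refused
        if credential_ok:
            self.failures.pop(user, None)   # a success ends the consecutive run
            self._audit("LOGIN", user, source, "SUCCESS")
            return "ok"
        window = self.failures.setdefault(user, deque())
        window.append(t)
        while window and t - window[0] > WINDOW_SECONDS:
            window.popleft()                # attempts outside the period no longer count
        self._audit("LOGIN", user, source, "FAILURE")
        if len(window) > MAX_ATTEMPTS:      # limit exceeded: lock for LOCK_SECONDS
            self.locked_until[user] = t + LOCK_SECONDS
            window.clear()
            self._audit("ACCOUNT_LOCK", user, source, "LOCKED")
            return "locked"
        return "failed"
```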
AU-7  AUDIT REDUCTION AND REPORT
  DoDI 8500.2 references: ECRG-1
  Threshold (Low-Impact / MAC III): Not Applicable. Optional: (May be applicable for NIST Moderate or High Impact, or DoD MAC I or MAC II)
  Current compliance or actions to become compliant: ______________________