Information Assurance Minimum Security Controls Checklist

    INFORMATION ASSURANCE MINIMUM SECURITY CONTROL CHECKLIST

    (Place a checkmark in front of each applicable SIN)

    ______ SIN 132-54, Commercial Satellite Communications (COMSATCOM) Transponded Capacity Services

    ______ SIN 132-55, Commercial Satellite Communications (COMSATCOM) Subscription Services

INSTRUCTIONS:

(i) Federal policy specifies Government customer compliance with the Federal Information Security Management Act of

    2002 as implemented by Federal Information Processing Standards Publication 200 (FIPS 200), “Minimum Security Requirements for Federal Information and Information Systems.” This standard specifies minimum security requirements

    Federal agencies must meet, defined through the use of security controls described in National Institute of Standards and

    Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems

    and Organizations,” DoD Instruction (DoDI) 8500.2, “Information Assurance Implementation,” and associated documents.

(ii) Complete the enclosed Information Assurance Checklist. For those items in [brackets] found within some of the

    descriptions, please replace the [brackets] with information about how you currently execute or propose to implement

    those items. A separate Information Assurance Checklist is required for each COMSATCOM SIN (SIN 132-54, SIN 132-

    55) for which the Offeror is applying. However, if the Offeror's is applying for both COMSATCOM SINs, and the

    responses to the Checklist are identical for both COMSATCOM SINs, the Offeror may provide copies of the same

    Checklist for SIN 132-54 and for SIN 132-55.

(iii) The Government will evaluate the Information Assurance Checklist submitted as part of Offeror’s proposal to

    determine whether the Offeror understands the minimum security controls, and has processes, personnel, and

    infrastructure that currently complies or demonstrates a reasonable approach to becoming compliant with all the minimum

    security controls for at least a low-impact information system or MAC III system.

     1

    Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices)

    Access Control The organization develops, disseminates, and ECAN-1 AC-1 ACCESS reviews/updates [Assignment: organization-defined ECPA-1 CONTROL POLICY frequency]: PRAS-1 AND a. A formal, documented access control policy that DCAR-1 PROCEDURES addresses purpose, scope, roles, responsibilities,

    management commitment, coordination among

    organizational entities, and compliance; and b. Formal, documented procedures to facilitate the

    implementation of the access control policy and

    associated access controls.

    The organization manages information system IAAC-1 AC-2 ACCOUNT accounts, including: MANAGEMENT a. Identifying account types (i.e., individual, group,

    system, application, guest/anonymous, and temporary);

    b. Establishing conditions for group membership; c. Identifying authorized users of the information system

    and specifying access privileges;

    d. Requiring appropriate approvals for requests to

    establish accounts;

    e. Establishing, activating, modifying, disabling, and

    removing accounts;

    f. Specifically authorizing and monitoring the use of

    guest/anonymous and temporary accounts; g. Notifying account managers when temporary

    accounts are no longer required and when information

    system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;

    h. Deactivating: (i) temporary accounts that are no

    longer required; and (ii) accounts of terminated or

    transferred users; 2 i. Granting access to the system based on: (i) a valid

    access authorization; (ii) intended system usage; and

     Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices)

    (iii) other attributes as required by the organization or

    associated missions/business functions; and

    j. Reviewing accounts [Assignment: organization-

    defined frequency].

    The information system enforces approved DCFA-1 AC-3 ACCESS authorizations for logical access to the system in ENFORCEMENT ECAN-1 accordance with applicable policy.

    EBRU-1

    PRNK-1

    ECCD-1

    ECSD-2

    Not Applicable Optional: (May be applicable for NIST Moderate or EBBD-1 AC-4 INFORMATION High Impact, or DoD MAC I or MAC II)) FLOW EBBD-2 ENFORCEMENT

    Not Applicable Optional: (May be applicable for NIST Moderate or ECLP-1 AC-5 SEPARATION OF High Impact, or DoD MAC I or MAC II)) DUTIES

    Not Applicable Optional: (May be applicable for NIST Moderate or ECLP-1 AC-6 LEAST PRIVILEGE High Impact, or DoD MAC I or MAC II))

    The information system: ECLO-1 AC-7 UNSUCCESSFUL

    LOGIN ATTEMPTS a. Enforces a limit of [Assignment: organization-defined

    number] consecutive invalid access attempts by a user

    during a [Assignment: organization-defined time period];

    and

    b. Automatically [Selection: locks the account/node for

    an [Assignment: organization-defined time period]; locks

    the account/node until released by an administrator;

    delays next login prompt according to [Assignment:

    organization-defined delay algorithm]] when the 3 maximum number of unsuccessful attempts is

    exceeded. The control applies regardless of whether the

     Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices) login occurs via a local or network connection. The information system: ECWM-1 AC-8 SYSTEM USE

    NOTIFICATION a. Displays an approved system use notification

    message or banner before granting access to the

    system that provides privacy and security notices

    consistent with applicable federal laws, Executive

    Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S.

    Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii)

    unauthorized use of the system is prohibited and subject

    to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording; b. Retains the notification message or banner on the

    screen until users take explicit actions to log on to or

    further access the information system; and c. For publicly accessible systems: (i) displays the

    system use information when appropriate, before

    granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that

    generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a

    description of the authorized uses of the system. Not Applicable Optional: (May be applicable for DoD MAC I or MAC II) AC-9 PREVIOUS LOGON

    (ACCESS)

    NOTIFICATION

    Not Applicable Optional: (May be applicable for NIST Moderate or ECLO-1 AC-10 CONCURRENT High Impact, or DoD MAC I or MAC II) SESSION

    CONTROL

    Not Applicable Optional: (May be applicable for NIST Moderate or 4 PESL-1 AC-11 SESSION LOCK High Impact, or DoD MAC I or MAC II)

     Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices)

    Withdrawn: Incorporated into SC-10 Optional: (May be applicable for DoD MAC I or MAC II) --- AC-12 SESSION

    TERMINATION

    Withdrawn: Incorporated into AC-2 and AU-6. Optional: (May be applicable for DoD MAC I or MAC II) ECAT-1 AC-13 SUPERVISION AND

    REVIEW — ECAT-2 ACCESS

    CONTROL E3.3.9

    The organization: --- AC-14 PERMITTED

    ACTIONS a. Identifies specific user actions that can be performed

    WITHOUT on the information system without identification or IDENTIFICATION authentication; and

    OR b. Documents and provides supporting rationale in the AUTHENTICATION security plan for the information system, user actions not

    requiring identification and authentication.

    Withdrawn: Incorporated into MP-3. Optional: (May be applicable for DoD MAC I or MAC II) ECML-1 AC-15 AUTOMATED

    MARKING

    Not Applicable Optional: (May be applicable for DoD MAC I or MAC II) AC-16 SECURITY

    ATTRIBUTES

    The organization: EBRP-1 AC-17 REMOTE ACCESS

    a. Documents allowed methods of remote access to the EBRU-1 information system;

    b. Establishes usage restrictions and implementation

    guidance for each allowed remote access method;

    c. Monitors for unauthorized remote access to the

    information system;

    d. Authorizes remote access to the information system

    prior to connection; and

    e. Enforces requirements for remote connections to the

    information system. 5

     Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices) The organization: ECCT-1 AC-18 WIRELESS

    ACCESS a. Establishes usage restrictions and implementation ECWN-1 guidance for wireless access;

    b. Monitors for unauthorized wireless access to the

    information system;

    c. Authorizes wireless access to the information system

    prior to connection; and

    d. Enforces requirements for wireless connections to the information system.

    The organization: ECWN-1 AC-19 ACCESS

    CONTROL FOR a. Establishes usage restrictions and implementation

    MOBILE DEVICES guidance for organization-controlled mobile devices; b. Authorizes connection of mobile devices meeting

    organizational usage restrictions and implementation

    guidance to organizational information systems; c. Monitors for unauthorized connections of mobile

    devices to organizational information systems; d. Enforces requirements for the connection of mobile

    devices to organizational information systems; e. Disables information system functionality that provides the capability for automatic execution of code

    on mobile devices without user direction; f. Issues specially configured mobile devices to

    individuals traveling to locations that the organization

    deems to be of significant risk in accordance with

    organizational policies and procedures; and g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning

    from locations that the organization deems to be of

    significant risk in accordance with organizational policies and procedures. 6 The organization establishes terms and conditions, --- AC-20 USE OF consistent with any trust relationships established with

     Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices) EXTERNAL other organizations owning, operating, and/or INFORMATION maintaining external information systems, allowing

    SYSTEMS authorized individuals to:

    a. Access the information system from the external

    information systems; and

    b. Process, store, and/or transmit organization-

    controlled information using the external information

    systems.

    Not Applicable Optional: (May be applicable for DoD MAC I or MAC II) AC-21 USER-BASED

    COLLABORATION

    AND

    INFORMATION

    SHARING

    The organization: AC-22 PUBLICLY

    ACCESSIBLE a. Designates individuals authorized to post information CONTENT onto an organizational information system that is publicly

    accessible;

    b. Trains authorized individuals to ensure that publicly

    accessible information does not contain nonpublic

    information;

    c. Reviews the proposed content of publicly accessible

    information for nonpublic information prior to posting

    onto the organizational information system;

    d. Reviews the content on the publicly accessible

    organizational information system for nonpublic

    information [Assignment: organization-defined

    frequency]; and

    e. Removes nonpublic information from the publicly

    accessible organizational information system, if

    discovered.

     7 Awareness and Training

     Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices) The organization develops, disseminates, and PRTN-1 AT-1 SECURITY reviews/updates [Assignment: organization-defined DCAR-1 AWARENESS AND frequency]: TRAINING POLICY a. A formal, documented security awareness and AND training policy that addresses purpose, scope, roles, PROCEDURES responsibilities, management commitment, coordination among organizational entities, and compliance; and

    b. Formal, documented procedures to facilitate the

    implementation of the security awareness and training

    policy and associated security awareness and training controls.

    The organization provides basic security awareness PRTN-1 AT-2 SECURITY training to all information system users (including AWARENESS managers, senior executives, and contractors) as part of

    initial training for new users, when required by system

    changes, and [Assignment: organization-defined frequency] thereafter.

    The organization provides role-based security-related PRTN-1 AT-3 SECURITY training: (i) before authorizing access to the system or TRAINING performing assigned duties; (ii) when required by

    system changes; and (iii) [Assignment: organization-

    defined frequency] thereafter.

    The organization: --- AT-4 SECURITY

    TRAINING a. Documents and monitors individual information

    RECORDS system security training activities including basic

    security awareness training and specific information

    system security training; and

    b. Retains individual training records for [Assignment: organization-defined time period]. Not Applicable Optional: (May be applicable for DoD MAC I or MAC II) AT-5 CONTACTS WITH

    SECURITY 8 GROUPS AND

     Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices)

    ASSOCIATIONS

    Audit and Accountability The organization develops, disseminates, and ECAT-1 AU-1 AUDIT AND reviews/updates [Assignment: organization-defined ACCOUNTABILITY frequency]: ECTB-1 POLICY AND a. A formal, documented audit and accountability policy PROCEDURES DCAR-1 that addresses purpose, scope, roles, responsibilities, management commitment, coordination among

    organizational entities, and compliance; and b. Formal, documented procedures to facilitate the

    implementation of the audit and accountability policy

    and associated audit and accountability controls. The organization: ECAR-3 AU-2 AUDITABLE

    EVENTS a. Determines, based on a risk assessment and

    mission/business needs, that the information system

    must be capable of auditing the following events:

    [Assignment: organization-defined list of auditable

    events];

    b. Coordinates the security audit function with other

    organizational entities requiring audit-related information to enhance mutual support and to help guide the

    selection of auditable events;

    c. Provides a rationale for why the list of auditable

    events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines, based on current threat information and

    ongoing assessment of risk, that the following events

    are to be audited within the information system:

    [Assignment: organization-defined subset of the

    auditable events defined in AU-2 a. to be audited along

    with the frequency of (or situation requiring) auditing for

     9 each identified event].

     Information Assurance Minimum Security Controls Checklist

    Threshold Compliance References

    Low-Impact Information System (FIPS 200 / NIST SP Explain Your Current Compliance OR Actions to CONTROL NAME DoDI 800-53) NIST Become Compliant 8500.2 MAC III (DoDI 8500.2) 800-53 (generally commercial best practices)

    The information system produces audit records that ECAR-1 AU-3 CONTENT OF contain sufficient information to, at a minimum, establish AUDIT RECORDS ECAR-2 what type of event occurred, when (date and time) the

    event occurred, where the event occurred, the source of ECAR-3 the event, the outcome (success or failure) of the event, ECLC-1 and the identity of any user/subject associated with the

    event.

    The organization allocates audit record storage capacity --- AU-4 AUDIT STORAGE and configures auditing to reduce the likelihood of such CAPACITY capacity being exceeded.

    The information system: a. Alerts designated --- AU-5 RESPONSE TO organizational officials in the event of an audit AUDIT processing failure; and PROCESSING

    FAILURES b. Takes the following additional actions: [Assignment:

    organization-defined actions to be taken (e.g., shut

    down information system, overwrite oldest audit records,

    stop generating audit records)]. The organization: ECAT-1 AU-6 AUDIT REVIEW,

    ANALYSIS, AND a. Reviews and analyzes information system audit E3.3.9 REPORTING records [Assignment: organization-defined frequency]

    for indications of inappropriate or unusual activity, and

    reports findings to designated organizational officials; and

    b. Adjusts the level of audit review, analysis, and

    reporting within the information system when there is a

    change in risk to organizational operations, organizational assets, individuals, other organizations,

    or the Nation based on law enforcement information,

    intelligence information, or other credible sources of

    information.

    Not Applicable Optional: (May be applicable for NIST Moderate or ECRG-1 AU-7 AUDIT REDUCTION 10 High Impact, or DoD MAC I or MAC II) AND REPORT